
Issue metadata

Status: Fixed
Closed: Jan 2015
HW: ----
NextAction: ----
OS: ----
Priority: 2
Type: Bug

issue chromium:230478


Issue 2379: Assigning to an out-of-bounds array index when length is non-writable should be rejected

Reported by, Oct 26 2012

Issue description

var arr = [];
Object.defineProperty(arr, 'length', { writable: false });
arr.length = 10; // should throw
arr[5]  = 5; // should throw, but doesn't.

Comment 2 by, Oct 26 2012

Labels: Type-Bug Priority-Medium ES5
Status: Assigned
I'll grab this one.

Comment 3 by, Dec 6 2012

Any plans to take care of this? Without fixing it, it's possible for V8 to get into a really weird state where array.length != Object.getOwnPropertyDescriptor(array, 'length').value:

var array = [1, 2, 3];
Object.defineProperty(array, 'length', {writable: false, value: 2});

array.length is now 3, but Object.getOwnPropertyDescriptor(array, 'length').value is still 2.

FWIW, a similar problem exists with other Foreign accessors (e.g., Function's "prototype" property). But at least disallowing the push() would prevent this from being noticeable.

Comment 4 by, May 2 2013

Blocking: chromium:230478

Comment 5 by, Aug 6 2013

In the test case of comment #2, array.length is now correctly 2. Is it still possible somehow for

Array.isArray(a) && a.length !== Object.getOwnPropertyDescriptor(a, 'length').value


Comment 6 by, Aug 6 2013

I believe the test case in #3 has since been fixed by changing the way 'length' is implemented.

Comment 7 by, Aug 7 2013

> I believe the test case in #3 has since been fixed by changing the way 'length' is implemented.

I understand that. What I'm asking is, given this change, do we expect that it is now impossible for 

Array.isArray(a) && a.length !== Object.getOwnPropertyDescriptor(a, 'length').value

to be true by other means? In other words, how deeply do we believe the change fixed the underlying problem? How confident should we be that at least this invariant is now safe?
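Added example (not code from the issue thread or from V8): a self-contained probe of the ES5 semantics the description, comment 3 and comment 7 are asking for. It freezes an array's length the way comment 3 does, then exercises every path that would have to grow the array or change length (direct length assignment, out-of-bounds index write, push, defineProperty on an index, defineProperty on length) and checks the comment 7 invariant before and after. The helper names (lengthInvariantHolds, throwsWith, frozenLengthArray, probe, sloppyProbe) are my own. One caveat the reporter's "should throw" comments leave implicit: the rejections surface as TypeError only in strict-mode code; in sloppy mode the writes are dropped silently, which the second function shows by running the same code through the Function constructor.

```javascript
// Does the invariant from comment 7 hold: for a real Array, the value of
// .length must equal the value in its own 'length' property descriptor?
function lengthInvariantHolds(a) {
  return Array.isArray(a) &&
    a.length === Object.getOwnPropertyDescriptor(a, 'length').value;
}

// Run fn; return the name of the error class it throws, or null if none.
function throwsWith(fn) {
  try { fn(); return null; } catch (e) { return e.constructor.name; }
}

// The array from comment 3: shrink to 2 elements and freeze length at once.
function frozenLengthArray() {
  const a = [1, 2, 3];
  Object.defineProperty(a, 'length', { writable: false, value: 2 });
  return a;
}

// Strict-mode probe: every mutation that would grow the array or change
// length must throw TypeError; in-bounds writes to existing elements still work.
function probe() {
  'use strict';
  const a = frozenLengthArray();
  const r = {};
  // defineProperty applies the new value first and then clears writable,
  // so the array is truncated to [1, 2] and element 2 is gone.
  r.truncated = a.length === 2 && !(2 in a);
  r.invariantAfterDefine = lengthInvariantHolds(a);
  r.directLengthAssign = throwsWith(() => { a.length = 10; });
  r.outOfBoundsIndex   = throwsWith(() => { a[5] = 5; });
  r.push               = throwsWith(() => a.push(4));
  r.defineIndex        = throwsWith(() => Object.defineProperty(a, '7', { value: 1 }));
  r.defineLength       = throwsWith(() => Object.defineProperty(a, 'length', { value: 5 }));
  // Redefining length to its current value is allowed (SameValue, nothing changes).
  r.defineSameLength   = throwsWith(() => Object.defineProperty(a, 'length', { value: 2 }));
  r.inBoundsWrite      = throwsWith(() => { a[0] = 99; });
  r.invariantAfter     = lengthInvariantHolds(a) && a.length === 2 && a[0] === 99;
  return r;
}

// Sloppy-mode caveat: the same rejected writes fail silently instead of
// throwing. A Function-constructor body is sloppy regardless of the enclosing
// file, so this shows that path reliably. push still throws, because
// Array.prototype.push performs its [[Set]] in throwing mode itself.
function sloppyProbe() {
  const f = new Function(`
    var a = [1, 2, 3];
    Object.defineProperty(a, 'length', { writable: false, value: 2 });
    a.length = 10;   // silently ignored: no exception outside strict mode
    a[5] = 5;        // silently ignored as well
    var pushThrew = false;
    try { a.push(4); } catch (e) { pushThrew = e instanceof TypeError; }
    return {
      length: a.length,
      has5: 5 in a,
      pushThrew: pushThrew,
      consistent: a.length === Object.getOwnPropertyDescriptor(a, 'length').value
    };
  `);
  return f();
}

console.log(probe(), sloppyProbe());
```

On a current V8 every entry of probe() that ends in Assign, Index, push or Length reports 'TypeError', defineSameLength and inBoundsWrite report null, and both invariant flags are true; sloppyProbe() reports length 2, has5 false, pushThrew true and consistent true. A build that gets into the comment 3 state would show up as invariantAfterDefine or invariantAfter being false.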

Comment 8 by, May 26 2014

Did this bug just regress? test number 54 (from ) was passing on Chrome canary 37.0.2013.0, but fails on Chrome canary 37.0.2013.2. See the attached screenshots.
Attachment: Screen Shot 2014-05-26 at 9.03.46 AM.png (168 KB)
Attachment: Screen Shot 2014-05-26 at 9.03.01 AM.png (158 KB)

Comment 9 by, May 28 2014

Looks fixed on 37.0.2017.2 canary. See attached screenshot
Attachment: Screen Shot 2014-05-28 at 6.18.29 AM.png (161 KB)

Comment 10 by, Jan 8 2015

Status: Fixed
Pretty sure this is fixed.

Comment 11 by, Mar 23 2017

Labels: Priority-2
