Starred by 8 users

Issue metadata

Status: Fixed
Owner:
Closed: Jan 2015
Cc:
HW: ----
NextAction: ----
OS: ----
Priority: 2
Type: Bug
ES5

Blocking:
issue chromium:230478




Assigning to an out-of-bounds array index when length is non-writable should be rejected

Reported by rafaelw@chromium.org, Oct 26 2012

Issue description

var arr = [];
Object.defineProperty(arr, 'length', { writable: false });
arr.length = 10; // should throw
arr[5] = 5; // should throw, but doesn't.
Cc: rossberg@chromium.org
Labels: Type-Bug Priority-Medium ES5
Owner: mstarzinger@chromium.org
Status: Assigned
I'll grab this one.

Comment 3 by adamk@chromium.org, Dec 6 2012

Any plans to take care of this? Without fixing it, it's possible for V8 to get into a really weird state where array.length != Object.getOwnPropertyDescriptor(array, 'length').value:

var array = [1, 2, 3];
Object.defineProperty(array, 'length', {writable: false, value: 2});
array.push(3);

array.length is now 3, but Object.getOwnPropertyDescriptor(array, 'length').value is still 2.

FWIW, a similar problem exists with other Foreign accessors (e.g., Function's "prototype" property). But at least disallowing the push() would prevent this from being noticeable.
Blocking: chromium:230478

Comment 5 by erights@gmail.com, Aug 6 2013

In the test case of comment #2, array.length is now correctly 2. Is it still possible somehow for

Array.isArray(a) && a.length !== Object.getOwnPropertyDescriptor(a, 'length').value

?

Comment 6 by adamk@chromium.org, Aug 6 2013

I believe the test case in #3 has since been fixed by changing the way 'length' is implemented.

Comment 7 by erights@gmail.com, Aug 7 2013

> I believe the test case in #3 has since been fixed by changing the way 'length' is implemented.

I understand that. What I'm asking is, given this change, do we expect that it is now impossible for 

Array.isArray(a) && a.length !== Object.getOwnPropertyDescriptor(a, 'length').value

to be true by other means? In other words, how deeply do we believe the change fixed the underlying problem? How confident should we be that at least this invariant is now safe?
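Added example, not from the thread: a strict-mode check of the invariant discussed above (Array.isArray(a) && a.length === getOwnPropertyDescriptor(a, 'length').value) after freezing `length`, exercising all three operations from the report (length assignment, out-of-bounds index assignment, push). The array contents are constructed; in sloppy mode the index assignment fails silently instead of throwing, so the probe runs in strict mode to make the rejection observable.

```javascript
// Returns true when the array's observable length agrees with its own
// 'length' property descriptor, the invariant erights asks about.
function lengthInvariantHolds(a) {
  const desc = Object.getOwnPropertyDescriptor(a, 'length');
  return Array.isArray(a) && desc !== undefined && a.length === desc.value;
}

// Freezes 'length' on a constructed array and reports how the engine reacts
// to each operation from the bug report. Strict mode turns a silent
// [[DefineOwnProperty]] failure into a TypeError, so each can be asserted.
function frozenLengthReport() {
  'use strict';
  const arr = [1, 2, 3];
  // value: 2 truncates the array to 2 elements before making length read-only.
  Object.defineProperty(arr, 'length', { writable: false, value: 2 });

  const report = {
    truncatedTo: arr.length,
    lengthAssignThrows: false,
    indexAssignThrows: false,
    pushThrows: false,
    finalLength: 0,
    indexStillUndefined: false,
    invariantHolds: false,
  };

  try { arr.length = 10; } catch (e) { report.lengthAssignThrows = e instanceof TypeError; }
  // The original defect: index >= length with non-writable length must be rejected.
  try { arr[5] = 5; } catch (e) { report.indexAssignThrows = e instanceof TypeError; }
  // push must fail before it can desynchronise length from its descriptor.
  try { arr.push(3); } catch (e) { report.pushThrows = e instanceof TypeError; }

  report.finalLength = arr.length;
  report.indexStillUndefined = arr[5] === undefined && arr[2] === undefined;
  report.invariantHolds = lengthInvariantHolds(arr);
  return report;
}
```

A report with every flag true and finalLength 2 means the engine enforces the ES5 semantics the thread converged on.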

Comment 8 by erights@gmail.com, May 26 2014

Did this bug just regress?
http://es-lab.googlecode.com/svn/trunk/src/ses/contract.html test number 54 (from https://code.google.com/p/es-lab/source/browse/trunk/src/ses/repairES5.js#2134 ) was passing on Chrome canary 37.0.2013.0, but fails on Chrome canary 37.0.2013.2. See the attached screenshots.

Comment 9 by erights@gmail.com, May 28 2014

Looks fixed on 37.0.2017.2 canary. See attached screenshot
Cc: adamk@chromium.org
Status: Fixed
Pretty sure this is fixed.
Labels: Priority-2
