Details
-
Bug
-
Resolution: Fixed
-
P3
-
8
-
None
-
b100
-
generic
-
generic
-
Verified
Description
function func(arr) {
try {
print(arr.toString());
} catch (e) {
print(e.stack);
}
}
var arr = ["hello", "world"]
func(arr);
var global = loadWithNewGlobal({
name: "t",
script: <<EOF
function func(arr) {
try {
print(arr.toString());
} catch (e) {
print(e.stack);
}
}
var arr = [1, 2, 3];
func(arr);
delete Array.prototype.toString;
func(arr);
this;
EOF
});
Expected:
hello,world
1,2,3
[object Array]
Output seen:
hello,world
1,2,3
TypeError: Cannot call undefined
at func (t:5)
at <program> (t:17)
at <program> (test.js:13)
After Array.prototype.toString is deleted, Object.prototype.toString should be visible - callsite that calls array.toString shoud be invalidated and re-resolved to use Object.prototype.toString. This does not happen when loadWithNewGlobal is used.
try {
print(arr.toString());
} catch (e) {
print(e.stack);
}
}
var arr = ["hello", "world"]
func(arr);
var global = loadWithNewGlobal({
name: "t",
script: <<EOF
function func(arr) {
try {
print(arr.toString());
} catch (e) {
print(e.stack);
}
}
var arr = [1, 2, 3];
func(arr);
delete Array.prototype.toString;
func(arr);
this;
EOF
});
Expected:
hello,world
1,2,3
[object Array]
Output seen:
hello,world
1,2,3
TypeError: Cannot call undefined
at func (t:5)
at <program> (t:17)
at <program> (test.js:13)
After Array.prototype.toString is deleted, Object.prototype.toString should be visible - callsite that calls array.toString shoud be invalidated and re-resolved to use Object.prototype.toString. This does not happen when loadWithNewGlobal is used.