-
Sub-task
-
Resolution: Fixed
-
P3
-
8u60
-
None
-
generic
-
generic
jjs> function defLen(arr, len, f) {
var c = false;
Object.defineProperty(arr, "length", {value: {
valueOf: function(){ (!c && (c = true)) && f && f(); return len; }
}});
}
jjs> var a = new Array(0);
jjs> defLen(a, 1, function() {defLen(a, 5); a[2] = "test"; Object.seal(a); });
Expected: Throws TypeError, `a.length` is 3
Actual: No TypeError, `a.length` is 1
Note: There is a ES5 spec bug you need to workaround, fixed in ES6 draft (https://bugs.ecmascript.org/show_bug.cgi?id=1200).
- clones
-
JDK-8066215 Fuzzing bug: length valueOf bug
- Resolved
- is cloned by
-
JDK-8066217 Fuzzing bug: new ArrayBuffer() throws exception
- Resolved