Closed
Bug 480758
Opened 15 years ago
Closed 15 years ago
Array.prototype.concat crashes when arg is non-array inheriting from Array.prototype
Categories
(Rhino Graveyard :: Core, defect)
Tracking
(Not tracked)
RESOLVED
WORKSFORME
People
(Reporter: erights, Unassigned)
Details
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.6) Gecko/2009011912 Firefox/3.0.6 GTB5
Build Identifier: Rhino 1.7 release 1 2008 03 06
The ES3 spec (as well as the ES3.1 draft spec) clearly says that if an argument to concat is not an array, it should be added as an element to the result array. For most non-arrays, Rhino seems to do this correctly. However, on Rhino, if the argument is a non-array inheriting from Array.prototype, Rhino crashes instead.
Reproducible: Always
Steps to Reproduce:
google-caja:0:$ type rhino
rhino is a function
rhino ()
{
java -classpath ant-lib/java/rhino/js.jar org.mozilla.javascript.tools.shell.Main
}
google-caja:1:$ rhino
Rhino 1.7 release 1 2008 03 06
js> function primBeget(proto) {
if (proto === null) { fail("Cannot beget from null."); }
if (proto === (void 0)) { fail("Cannot beget from undefined."); }
function F() {}
F.prototype = proto;
var result = new F();
return result;
}
> > > > > > > js>
js>
js> [1].concat(primBeget(Array.prototype))
Actual Results:
Exception in thread "main" java.lang.ClassCastException: org.mozilla.javascript.NativeObject cannot be cast to org.mozilla.javascript.NativeArray
at org.mozilla.javascript.NativeArray.js_concat(NativeArray.java:1324)
at org.mozilla.javascript.NativeArray.execIdCall(NativeArray.java:297)
at org.mozilla.javascript.IdFunctionObject.call(IdFunctionObject.java:127)
at org.mozilla.javascript.Interpreter.interpretLoop(Interpreter.java:3335)
at org.mozilla.javascript.Interpreter.interpret(Interpreter.java:2484)
at org.mozilla.javascript.InterpretedFunction.call(InterpretedFunction.java:162)
at org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:401)
at org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:3003)
at org.mozilla.javascript.InterpretedFunction.exec(InterpretedFunction.java:173)
at org.mozilla.javascript.tools.shell.Main.evaluateScript(Main.java:526)
at org.mozilla.javascript.tools.shell.Main.processSource(Main.java:386)
at org.mozilla.javascript.tools.shell.Main.processFiles(Main.java:179)
at org.mozilla.javascript.tools.shell.Main$IProxy.run(Main.java:100)
at org.mozilla.javascript.Context.call(Context.java:499)
at org.mozilla.javascript.ContextFactory.call(ContextFactory.java:511)
at org.mozilla.javascript.tools.shell.Main.exec(Main.java:162)
at org.mozilla.javascript.tools.shell.Main.main(Main.java:140)
Expected Results:
It should have created a two element array whose 0'th element is 1 and whose 1'th element is a non-array inheriting from Array.prototype.
google-caja:1:$ java -version
java version "1.6.0_07"
Java(TM) SE Runtime Environment (build 1.6.0_07-b06-153)
Java HotSpot(TM) 64-Bit Server VM (build 1.6.0_07-b06-57, mixed mode)
google-caja:0:$ uname -a
Darwin [...] 9.6.0 Darwin Kernel Version 9.6.0: Mon Nov 24 17:37:00 PST 2008; root:xnu-1228.9.59~1/RELEASE_I386 i386
|
Reporter | |
Updated•15 years ago
|
Version: other → 1.7R1
|
||
Comment 1•15 years ago
|
||
Thanks...
This has already been fixed in 1.7R2 (currently at release candidate 3):
Rhino 1.7 release 3 PRERELEASE 2009 03 02
js> function primBeget(proto) {
> if (proto === null) { fail("Cannot beget from null."); }
> if (proto === (void 0)) { fail("Cannot beget from undefined."); }
> function F() {}
> F.prototype = proto;
> var result = new F();
> return result;
> }
js> [1].concat(primBeget(Array.prototype));
1,
js> var x = [1].concat(primBeget(Array.prototype));
js> x[1]
js> typeof x[1]
object
js> x[1] instanceof Array
true
js>Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•