The RuntimeArray class from WebCore/bridge has the class info parent JSArray::info. Therefore, it will be treated like a JSArray in the function arrayProtoFuncConcat from the JavaScriptCore::ArrayPrototype class. When an object of type RuntimeArray is cast to JSArray, the cast will succeed, but the function arrayProtoFuncConcat will crash when attempting to call the length method, which is implemented in JSArray but not in RuntimeArray.
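An added model of the confusion described above, not WebKit's code: JSArray, RuntimeArray and ClassInfo are reduced to stand-ins, and dynamic_cast stands in for whatever exact-type test the engine itself uses. It shows that a check walking the JS-level ClassInfo chain accepts a RuntimeArray even though the object is not a JSArray in C++ and has no length() to call.

```cpp
// Constructed illustration: JS-level class chain vs. actual C++ type.
struct ClassInfo {
    const char* className;
    const ClassInfo* parent;   // JS class chain, NOT C++ inheritance
};

struct JSObject {
    virtual ~JSObject() {}
    virtual const ClassInfo* classInfo() const = 0;
    // True if this object "descends from" info in JS terms (walks the chain).
    bool inherits(const ClassInfo* info) const {
        for (const ClassInfo* ci = classInfo(); ci; ci = ci->parent)
            if (ci == info) return true;
        return false;
    }
};

// Native array: a real C++ JSArray with a length() implementation.
struct JSArray : JSObject {
    static const ClassInfo info;
    unsigned m_length;
    explicit JSArray(unsigned n) : m_length(n) {}
    const ClassInfo* classInfo() const override { return &info; }
    unsigned length() const { return m_length; }
};
const ClassInfo JSArray::info = { "Array", nullptr };

// Bridge object: names JSArray::info as its ClassInfo parent, but is NOT a
// JSArray in C++ and has no JSArray::length() to call.
struct RuntimeArray : JSObject {
    static const ClassInfo info;
    const ClassInfo* classInfo() const override { return &info; }
};
const ClassInfo RuntimeArray::info = { "RuntimeArray", &JSArray::info };

// The kind of test the buggy concat relied on: JS-level descent only.
// A static_cast<JSArray*> guarded by this is a type confusion for RuntimeArray.
bool looksLikeArrayByClassInfo(const JSObject* o) {
    return o->inherits(&JSArray::info);
}

// Fixed-style guard: confirm the real C++ type before using it as a JSArray.
bool isNativeJSArray(const JSObject* o) {
    return dynamic_cast<const JSArray*>(o) != nullptr;
}

// Safe helper: length only when the object really is a JSArray, else -1.
int concatLengthChecked(const JSObject* o) {
    if (const JSArray* a = dynamic_cast<const JSArray*>(o))
        return static_cast<int>(a->length());
    return -1;
}
```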
The issue is relatively trivial to fix -- we shouldn't be blindly casting to a JSArray just because an object descends from Array in JS.
Created attachment 28136 [details]
Fixeration

This fixes the error
> arrayProtoFuncConcat will crash when attempting to call length method, that is

Can a test case be written for this?
I'm unsure how to get a runtime array to be created... conceivably I could get DRT to instantiate a fabricated class that just claimed to be a JSArray. Will look into it.
Comment on attachment 28136 [details]
Fixeration

I'm not going to say review+ because I think this needs a regression test.
Making a testcase for this appears infeasible -- I've tried for a few hours just to make a Java applet that is capable of scripting, to no avail. I am honestly not surprised applets died given my experience with them. DRT is also unable to fudge an appropriate JS object as it doesn't have access to the required SPI.
Comment on attachment 28136 [details]
Fixeration

r=me, although you should explain that you can't make a test in your ChangeLog.
Committing to http://svn.webkit.org/repository/webkit/trunk ...
    M JavaScriptCore/ChangeLog
    M JavaScriptCore/runtime/ArrayPrototype.cpp
Committed r41518