WebKit Bugzilla
RESOLVED FIXED
Bug 24268 - RuntimeArray is not a fully implemented JSArray
https://bugs.webkit.org/show_bug.cgi?id=24268
sofro
Reported 2009-02-28 23:54:10 PST
The RuntimeArray class from WebCore/bridge has the class info parent JSArray::info. Therefore, it will be treated like a JSArray in the function arrayProtoFuncConcat from the JavaScriptCore::ArrayPrototype class. When an object of type RuntimeArray is cast to JSArray, the cast will succeed, but the function arrayProtoFuncConcat will crash when attempting to call the length method, which is implemented in JSArray but not in RuntimeArray.
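The type-confusion pattern the report describes, as an added C++ model that is not WebKit's code: ClassInfo, Object, NativeArray, BridgedArray, inherits(), isNativeArray(), genericLength() and concatLength() are hypothetical names standing in for the JSArray/RuntimeArray class-info chain and the concat fast path. It shows why a chain-walking inherits() check passes for the bridged object even though a static_cast to the native class would be unsound (its fields are simply not there), and how restricting the fast path to an exact class match keeps such objects on the generic path instead.

```cpp
#include <cstddef>
#include <initializer_list>
#include <vector>

// Constructed model (not WebKit code): each ClassInfo names its parent, and an
// object "inherits" a ClassInfo if that info appears anywhere in the chain.
struct ClassInfo {
    const char* name;
    const ClassInfo* parent;
};

class Object {
public:
    virtual ~Object() = default;
    virtual const ClassInfo* classInfo() const = 0;
    // Hypothetical slow-path accessor that every object supports.
    virtual std::size_t genericLength() const = 0;

    // Walks the ClassInfo chain: true for subclasses as well as exact matches.
    bool inherits(const ClassInfo* info) const {
        for (const ClassInfo* c = classInfo(); c; c = c->parent)
            if (c == info) return true;
        return false;
    }
};

// The native array: inline storage plus a non-virtual fast-path length().
class NativeArray : public Object {
public:
    static const ClassInfo info;
    std::vector<int> storage;
    const ClassInfo* classInfo() const override { return &info; }
    std::size_t genericLength() const override { return storage.size(); }
    std::size_t length() const { return storage.size(); }
};
const ClassInfo NativeArray::info = { "Array", nullptr };

// A bridged array-like whose ClassInfo parent is NativeArray::info, but which
// is not a NativeArray in C++ and has none of its fields (models RuntimeArray).
class BridgedArray : public Object {
public:
    static const ClassInfo info;
    std::vector<int> external;
    const ClassInfo* classInfo() const override { return &info; }
    std::size_t genericLength() const override { return external.size(); }
};
const ClassInfo BridgedArray::info = { "RuntimeArray", &NativeArray::info };

// The check the buggy path relied on: it passes for BridgedArray, so a
// static_cast<NativeArray*> would follow and length() would read storage
// that does not exist in the object.
bool looksLikeNativeArray(const Object* o) {
    return o->inherits(&NativeArray::info);
}

// The precise check: only the exact native class may take the fast path.
bool isNativeArray(const Object* o) {
    return o->classInfo() == &NativeArray::info;
}

// Concat length that casts only when the cast is actually sound and falls
// back to the generic accessor for everything else.
std::size_t concatLength(const Object* a, const Object* b) {
    std::size_t total = 0;
    for (const Object* o : { a, b }) {
        if (isNativeArray(o))
            total += static_cast<const NativeArray*>(o)->length();
        else
            total += o->genericLength();
    }
    return total;
}

// Constructed sample: the chain check and the exact check disagree for the
// bridged object, which is exactly the gap the unsafe cast fell through.
bool modelShowsMismatch() {
    BridgedArray r;
    return looksLikeNativeArray(&r) && !isNativeArray(&r);
}

// Constructed sample: 3 native elements + 2 bridged elements.
std::size_t sampleConcatLength() {
    NativeArray n;
    n.storage = { 1, 2, 3 };
    BridgedArray r;
    r.external = { 4, 5 };
    return concatLength(&n, &r);
}

int main() {
    return (modelShowsMismatch() && sampleConcatLength() == 5) ? 0 : 1;
}
```

The defensive point is the one Comment 1 makes: a class-info (or prototype) relationship is a JavaScript-level fact and says nothing about the C++ layout of the object, so a native fast path must test for the exact native type before casting, and anything else must go through the virtual, generic path.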
Attachments
Fixeration (1.44 KB, patch), 2009-03-01 01:05 PST, Oliver Hunt; zwarich: review+
Oliver Hunt
Comment 1
2009-03-01 00:01:43 PST
The issue is relatively trivial to fix -- we shouldn't be blindly casting to a JSArray just because an object descends from Array in JS.
Oliver Hunt
Comment 2
2009-03-01 01:05:22 PST
Created attachment 28136 [details] (Fixeration): This fixes the error.
Alexey Proskuryakov
Comment 3
2009-03-01 05:48:48 PST
> arrayProtoFuncConcat will crash when attempting to call length method, that is
Can a test case be written for this?
Oliver Hunt
Comment 4
2009-03-01 05:53:32 PST
I'm unsure how to get a runtime array to be created... conceivably I could get DRT to instantiate a fabricated class that just claimed to be a JSArray. Will look into it.
Darin Adler
Comment 5
2009-03-01 10:52:26 PST
Comment on attachment 28136 [details] (Fixeration): I'm not going to say review+ because I think this needs a regression test.
Oliver Hunt
Comment 6
2009-03-08 03:27:09 PDT
Making a testcase for this appears infeasible -- I've tried for a few hours just to make a Java applet that is capable of scripting, to no avail. I am honestly not surprised applets died given my experience with them. DRT is also unable to fudge an appropriate JS object as it doesn't have access to the required SPI.
Cameron Zwarich (cpst)
Comment 7
2009-03-08 03:32:48 PDT
Comment on attachment 28136 [details] (Fixeration): r=me, although you should explain that you can't make a test in your ChangeLog.
Oliver Hunt
Comment 8
2009-03-08 03:47:46 PDT
Committing to http://svn.webkit.org/repository/webkit/trunk ...
M JavaScriptCore/ChangeLog
M JavaScriptCore/runtime/ArrayPrototype.cpp
Committed r41518