Rhino allows redefine the length property and even changes the array object

[YaoHouyou]

Rhino version: 1.7.11, 1.7.10, 1.7.9 testcase:

var NISLFuzzingFunc = function () {
        var arr = [1,2,3,4];
        print("Before redefine, arr is: " + arr)
        print("Before redefine, arr.length = " + arr.length);
        Object.defineProperty(arr, "length", {
                get: function(){
                        return 11;
                }
        });
        print("After redefine, arr.length = " + arr.length);
        print("After redefine, arr is: " + arr)
};

NISLFuzzingFunc();

command: java -jar rhino/rhino-1.7.11.jar -debug -version 200 testcase.js result:

Before redefine, arr is: 1,2,3,4
Before redefine, arr.length = 4
After redefine, arr.length = 11
After redefine, arr is: 1,,3,4

---

Rhino not only allows redefine length of array, but also changes the array object. While others JS engines are not allowed to redefine property length, such as spiderMoneky, v8, javascriptCore, and chakra.

---

About why Rhino can redefine property of length while others can't, we have found that Rhino does not meet the ES5.1 standard. See more here.

[p-bakker]

While it indeed looks like this got fixed at some point, it's broken again in the latest master

[p-bakker]

Looks like it never got fixed, eventhough there was a PR to fix it. Unfortunately, the changes in that PR are no longer sufficient, so we'll have to start from scratch