A problem in Object.defineProperty

[Georgezxh]

Description

Build version: 1.7.14
OS version: ubuntu20.04

The following code showed that rhino didn't change the length of array and even didn't trigger the get() method in defineProperty, while other js engines(like V8 in Google,Spidermokey in firefox) did.

Testcase

var array = new Array(5)
var proto = {};

Object.setPrototypeOf(array,proto);
Object.defineProperty(
  proto, 1, {
    get() {
      array.length = 1;
      return 1;
    },
});
var a=[];
var res=a.concat(array);
print(array.length);

Output

5

Expected behavior

1

[gbrail]

I haven't dug in too deep, but I bet that the problem here isn't with defineProperty, but with concat. Specifically, Rhino tries to optimize if both sides of an "concat" are instances of NativeArray, which is why it isn't traversing the prototype chain:

rhino/src/org/mozilla/javascript/NativeArray.java

Line 1651 in ef18cb9

if ((newlen <= Integer.MAX_VALUE) && (result instanceof NativeArray)) {

[gbrail]

Update -- the root problem is not what I thought, but it is the NativeArray class and its ability to correctly delegate to the prototype. I know how to fix this. Interestingly, fixing it doesn't unblock any test262 tests.

This is not hard to fix and it's indeed a difference from other engines, so I don't mind fixing it. But it raises the question that I often think of when these kinds of issues come up:

Why would someone want to do this? You are essentially creating an array, and then making it behave like an arbitrary object. Is that important?

Is the theory that, by doing this, the array will perform differently than an ordinary object? Or is it just one of the millions of ways to be clever with JavaScript?