Bug 1310744: A frozen element has no writable length. r?nbp
I'm not completely sure this patch is necessary, but it seemed logical to me.
MozReview-Commit-ID: Ita4HpkzDUh
--- a/js/src/jsarray.cpp
+++ b/js/src/jsarray.cpp
@@ -566,17 +566,18 @@ js::ArraySetLength(JSContext* cx, Handle
}
// Steps 9-11.
bool lengthIsWritable = arr->lengthIsWritable();
#ifdef DEBUG
{
RootedShape lengthShape(cx, arr->lookupPure(id));
MOZ_ASSERT(lengthShape);
- MOZ_ASSERT(lengthShape->writable() == lengthIsWritable);
+ MOZ_ASSERT_IF(lengthIsWritable, lengthShape->writable());
+ MOZ_ASSERT_IF(lengthShape->writable() && !lengthIsWritable, arr->denseElementsAreFrozen());
}
#endif
uint32_t oldLen = arr->length();
// Part of steps 1.a, 12.a, and 16: Fail if we're being asked to change
// enumerability or configurability, or otherwise break the object
// invariants. (ES6 checks these by calling OrdinaryDefineOwnProperty, but
// in SM, the array length property is hardly ordinary.)
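Review bot: The two `MOZ_ASSERT_IF` lines relax the old equality into a one-way implication plus a frozen-elements exception, but nothing in the block says why the length shape and the elements header may now disagree. A comment above them, e.g. `// Frozen elements report a non-writable length even if the length shape is still writable.`, would keep a later reader from tightening the assertion back to an equality. Both checks sit inside `#ifdef DEBUG`, so release builds rely only on `arr->lengthIsWritable()`. It is worth confirming that the later steps of ArraySetLength, which lie outside this hunk, never consult the shape's writable bit instead.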
--- a/js/src/vm/NativeObject.h
+++ b/js/src/vm/NativeObject.h
@@ -223,17 +223,18 @@ class ObjectElements
// Note: allow isCopyOnWrite() here, see comment above.
flags |= CONVERT_DOUBLE_ELEMENTS;
}
void clearShouldConvertDoubleElements() {
MOZ_ASSERT(!isCopyOnWrite());
flags &= ~CONVERT_DOUBLE_ELEMENTS;
}
bool hasNonwritableArrayLength() const {
- return flags & NONWRITABLE_ARRAY_LENGTH;
+ return flags & NONWRITABLE_ARRAY_LENGTH ||
+ flags & FROZEN;
}
void setNonwritableArrayLength() {
MOZ_ASSERT(!isCopyOnWrite());
flags |= NONWRITABLE_ARRAY_LENGTH;
}
bool isCopyOnWrite() const {
return flags & COPY_ON_WRITE;
}
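Review bot: `hasNonwritableArrayLength()` now returns true for either of two flags, while `setNonwritableArrayLength()` still sets only `NONWRITABLE_ARRAY_LENGTH`, so the accessor and the bit no longer mean the same thing. Any code that tests the bit directly instead of calling the accessor would still treat a frozen array's length as writable; no such code is visible in this hunk, but compiled-code paths that read the elements header would be the place to check. I would express the test as a single mask, `return flags & (NONWRITABLE_ARRAY_LENGTH | FROZEN);`, and add a comment such as `// Frozen elements imply a non-writable length even when NONWRITABLE_ARRAY_LENGTH is unset.` The ObjectElements class starts and ends outside the hunk.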