When using the slow-and-standard path in js::SetIntegrityLevel, don't manually call setNonwritableArrayLength afterwards

RESOLVED FIXED in Firefox 42

Status


defect

People

(Reporter: jorendorff, Assigned: jorendorff)

Tracking

(Blocks 1 bug)

unspecified
mozilla42

Firefox Tracking Flags

(firefox42 fixed)

Details

Attachments

(1 attachment)

We have this hack:

    // Ordinarily ArraySetLength handles this, but we're going behind its back
    // right now, so we must do this manually.  Neither the custom property
    // tree mutations nor the DefineProperty call in the above code will do
    // this for us.
    //
    // ArraySetLength also implements the capacity <= length invariant for
    // arrays with non-writable length.  We don't need to do anything special
    // for that, because capacity was zeroed out by preventExtensions.  (See
    // the assertion before the if-else above.)
    if (level == IntegrityLevel::Frozen && obj->is<ArrayObject>()) {
        if (!obj->as<ArrayObject>().maybeCopyElementsForWrite(cx))
            return false;
        obj->as<ArrayObject>().getElementsHeader()->setNonwritableArrayLength();
    }

This is no longer necessary in the case where we go through DefineProperty, because with bug 1125624, DefineProperty now has standard behavior. That is: the part of the comment quoted above that refers to DefineProperty is now wrong.
Depends on: 1125624
Assignee: nobody → jorendorff
Status: NEW → ASSIGNED
Attachment #8613593 - Flags: review?(jwalden+bmo) → review+
https://hg.mozilla.org/mozilla-central/rev/81cc971ff1d1
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla42
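
The behaviour this bug relies on can be observed from script. The following is an added example, not SpiderMonkey code or part of the attached patch: `setIntegrityLevel` and `checkArray` are hypothetical names for a JavaScript rendering of the specification's generic SetIntegrityLevel steps, built only on `preventExtensions` and `defineProperty`. It shows that the standard define-property path alone leaves a frozen array with a non-writable `length`, with no array-specific step afterwards.

```javascript
// Spec-style SetIntegrityLevel using only generic object operations.
// Hypothetical helper for illustration; not the engine's implementation.
function setIntegrityLevel(obj, level) {
  if (level !== "sealed" && level !== "frozen") {
    throw new RangeError("level must be 'sealed' or 'frozen'");
  }
  if (!Reflect.preventExtensions(obj)) return false;
  for (const key of Reflect.ownKeys(obj)) {
    const desc = Reflect.getOwnPropertyDescriptor(obj, key);
    if (desc === undefined) continue;
    const change = { configurable: false };
    // Only data properties get writable:false; accessors have no such field.
    if (level === "frozen" && "value" in desc) change.writable = false;
    // For an array this also covers "length": no array-specific step follows.
    Object.defineProperty(obj, key, change);
  }
  return true;
}

// Applies the helper to a constructed sample array and reports what a
// caller can observe afterwards. Reflect.set is used so the results do not
// depend on strict vs. sloppy mode.
function checkArray(level) {
  const arr = [1, 2, 3]; // constructed sample input
  setIntegrityLevel(arr, level);
  const lengthDesc = Reflect.getOwnPropertyDescriptor(arr, "length");
  let pushThrew = false;
  try {
    arr.push(4);
  } catch (e) {
    pushThrew = e instanceof TypeError;
  }
  return {
    lengthWritable: lengthDesc.writable,
    truncateAccepted: Reflect.set(arr, "length", 0),
    appendAccepted: Reflect.set(arr, "3", 4),
    pushThrew,
    isFrozen: Object.isFrozen(arr),
    contents: arr.join(","),
  };
}

console.log(checkArray("frozen"));
console.log(checkArray("sealed"));
```

In the sealed case `length` stays writable, but truncation is still rejected because the elements are non-configurable and cannot be deleted.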