Bug 1312948: Put assertions in place to know we're not mutating the length when the array is frozen. r=nbp
author Emilio Cobos Álvarez <ecoal95@gmail.com>
Wed, 26 Oct 2016 12:04:49 +0200
changeset 346336 84a1e4dbbbafea5de5b2c4296487293acbc40f47
parent 346335 eb93f0b8c9421af391e2c251ed171b3bd7698eed
child 346337 ca12de12bfe055d00c82db14f67b74a31d3d6548
push id 10298
push user raliiev@mozilla.com
push date Mon, 14 Nov 2016 12:33:03 +0000
treeherder mozilla-aurora@7e29173b1641
reviewers nbp
bugs 1312948
milestone 52.0a1
Bug 1312948: Put assertions in place to know we're not mutating the length when the array is frozen. r=nbp

MozReview-Commit-ID: 84X0Sgm7pGe
Signed-off-by: Emilio Cobos Álvarez <ecoal95@gmail.com>
js/src/vm/ArrayObject-inl.h
--- a/js/src/vm/ArrayObject-inl.h
+++ b/js/src/vm/ArrayObject-inl.h
@@ -18,16 +18,17 @@
 #include "vm/TypeInference-inl.h"
 
 namespace js {
 
 inline void
 ArrayObject::setLength(ExclusiveContext* cx, uint32_t length)
 {
     MOZ_ASSERT(lengthIsWritable());
+    MOZ_ASSERT_IF(length != getElementsHeader()->length, !denseElementsAreFrozen());
 
     if (length > INT32_MAX) {
         /* Track objects with overflowing lengths in type information. */
         MarkObjectGroupFlags(cx, this, OBJECT_FLAG_LENGTH_OVERFLOW);
     }
 
     getElementsHeader()->length = length;
 }
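Review bot: The new MOZ_ASSERT_IF at the top of ArrayObject::setLength is a debug-only check, so in release builds the store to getElementsHeader()->length further down still runs unguarded when the dense elements are frozen. If any caller can reach setLength with a different length on a frozen array, that caller needs a real runtime check, and the assertion should be treated as documentation of the invariant rather than enforcement. A one-line comment above the assertion explaining why an unchanged length is let through (the `length != getElementsHeader()->length` condition) would make the exemption clear to the next reader.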