Bug 686296 - Non-extensible ArrayBuffer __proto__ should not be changable. r=jorendorff
authorTom Schuster <evilpies@gmail.com>
Sat, 21 Jan 2012 19:25:54 +0100
changeset 86291 8a915ca62e05a13dc41939f071d6d185a06c6890
parent 86290 46716e93feb4a7e5d40a0369cf56db0fad1c0b49
child 86292 40bc6b9b09d1742924e7169b71be01d5260a1fd2
push id805
push userakeybl@mozilla.com
push dateWed, 01 Feb 2012 18:17:35 +0000
treeherdermozilla-aurora@6fb3bf232436 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersjorendorff
bugs686296
milestone12.0a1
Bug 686296 - Non-extensible ArrayBuffer __proto__ should not be changable. r=jorendorff
js/src/jit-test/tests/basic/bug686296.js
js/src/jstypedarray.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug686296.js
@@ -0,0 +1,3 @@
+load(libdir + "asserts.js");
+var o = Object.preventExtensions(new ArrayBuffer);
+assertThrowsInstanceOf(function () { o.__proto__ = {}; }, TypeError);
--- a/js/src/jstypedarray.cpp
+++ b/js/src/jstypedarray.cpp
@@ -544,16 +544,20 @@ ArrayBuffer::obj_setGeneric(JSContext *c
         JSObject *oldDelegateProto = delegate->getProto();
 
         if (!js_SetPropertyHelper(cx, delegate, id, 0, vp, strict))
             return false;
 
         if (delegate->getProto() != oldDelegateProto) {
             // actual __proto__ was set and not a plain property called
             // __proto__
+            if (!obj->isExtensible()) {
+                obj->reportNotExtensible(cx);
+                return false;
+            }
             if (!SetProto(cx, obj, vp->toObjectOrNull(), true)) {
                 // this can be caused for example by setting x.__proto__ = x
                 // restore delegate prototype chain
                 SetProto(cx, delegate, oldDelegateProto, true);
                 return false;
             }
         }
         return true;