Bug 631219: define property instead of setting it in ArgSetter, r=brendan
authorDavid Mandelin <dmandelin@mozilla.com>
Thu, 03 Feb 2011 15:11:21 -0800
changeset 62073 13ddee17c69141e356ec0baca64629dfde31d352
parent 62072 d461afeeae3def4eed95d55184296e3682540ff6
child 62074 10df92bfb41443af53586fa5dc0d73fbad4e70d0
push idunknown
push userunknown
push dateunknown
reviewersbrendan
bugs631219
milestone2.0b11pre
Bug 631219: define property instead of setting it in ArgSetter, r=brendan
js/src/jit-test/tests/basic/bug631219.js
js/src/jsfun.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug631219.js
@@ -0,0 +1,10 @@
+// don't assert or crash
+function g(o) {
+    o.__proto__ = arguments;
+    o.length = 123;
+}
+function f() {
+    g(arguments);
+}
+f();
+
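Review bot: The test only checks that the shell survives; it does not pin the behavior the fix is meant to guarantee, namely that the assignment in g creates an own `length` on `o` and leaves the prototype (g's own `arguments`, whose length is 1 here) untouched. Two assertions after `o.length = 123;` would catch a regression back to the set-through-prototype path without making the test any slower: `assertEq(o.length, 123);` and `assertEq(arguments.length, 1);`. As far as I can tell from the jsfun.cpp hunk, the old js_SetProperty path would have reached the prototype's setter, so the second assertion is the one that distinguishes the two implementations.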
--- a/js/src/jsfun.cpp
+++ b/js/src/jsfun.cpp
@@ -575,24 +575,26 @@ ArgSetter(JSContext *cx, JSObject *obj, 
             }
         }
     } else {
         JS_ASSERT(JSID_IS_ATOM(id, cx->runtime->atomState.lengthAtom) ||
                   JSID_IS_ATOM(id, cx->runtime->atomState.calleeAtom));
     }
 
     /*
-     * For simplicity we use delete/set to replace the property with one
+     * For simplicity we use delete/define to replace the property with one
      * backed by the default Object getter and setter. Note that we rely on
      * args_delProperty to clear the corresponding reserved slot so the GC can
-     * collect its value.
+     * collect its value. Note also that we must define the property instead
+     * of setting it in case the user has changed the prototype to an object
+     * that has a setter for this id.
      */
     AutoValueRooter tvr(cx);
     return js_DeleteProperty(cx, obj, id, tvr.addr(), false) &&
-           js_SetProperty(cx, obj, id, vp, false);
+           js_DefineProperty(cx, obj, id, vp, NULL, NULL, JSPROP_ENUMERATE);
 }
 
 static JSBool
 args_resolve(JSContext *cx, JSObject *obj, jsid id, uintN flags,
              JSObject **objp)
 {
     JS_ASSERT(obj->isNormalArguments());