Bug 1461272 - Add missing sealed elements check to ArraySetLength fast path. r=anba

--HG--
extra : rebase_source : 9eb9d4f1ce3c3f24025feccb4d7859f6472982dc

js/src/builtin/Array.cpp

@@ -780,7 +780,9 @@ js::ArraySetLength(JSContext* cx, Handle<ArrayObject*> arr, HandleId id,
         // for..in iteration over the array. Keys deleted before being reached
         // during the iteration must not be visited, and suppressing them here
         // would be too costly.
-        if (!arr->isIndexed() && !MaybeInIteration(arr, cx)) {
+        // This optimization is also invalid when there are sealed
+        // (non-configurable) elements.
+        if (!arr->isIndexed() && !MaybeInIteration(arr, cx) && !arr->denseElementsAreSealed()) {
             if (!arr->maybeCopyElementsForWrite(cx))
                 return false;
 

js/src/jit-test/tests/basic/non-extensible-elements7.js

@@ -0,0 +1,42 @@
+// Test array.length setter on non-extensible/sealed/frozen arrays.
+"use strict";
+
+load(libdir + "asserts.js");
+
+function testNonExtensible() {
+    var a = [1, 2, 3, , ,];
+    Object.preventExtensions(a);
+    for (var i = 0; i < 10; i++)
+        a.length = 10;
+    assertEq(a.length, 10);
+    for (var i = 0; i < 10; i++)
+        a.length = 0;
+    assertEq(a.length, 0);
+    assertEq(a.toString(), "");
+}
+testNonExtensible();
+
+function testSealed() {
+    var a = [1, 2, 3, , ,];
+    Object.seal(a);
+    for (var i = 0; i < 10; i++)
+        a.length = 10;
+    assertEq(a.length, 10);
+    for (var i = 0; i < 10; i++)
+        assertThrowsInstanceOf(() => a.length = 0, TypeError);
+    assertEq(a.length, 3);
+    assertEq(a.toString(), "1,2,3");
+}
+testSealed();
+
+function testFrozen() {
+    var a = [1, 2, 3, , ,];
+    Object.freeze(a);
+    for (var i = 0; i < 10; i++)
+        assertThrowsInstanceOf(() => a.length = 10, TypeError);
+    for (var i = 0; i < 10; i++)
+        assertThrowsInstanceOf(() => a.length = 0, TypeError);
+    assertEq(a.length, 5);
+    assertEq(a.toString(), "1,2,3,,");
+}
+testFrozen();