From 3cc8730024690236ba933346c49f778fca457d92 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Emilio=20Cobos=20=C3=81lvarez?= Date: Wed, 26 Oct 2016 12:04:49 +0200 Subject: [PATCH] Bug 1312948: Put assertions in place to know we're not mutating the length when the array is frozen. r=nbp MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit MozReview-Commit-ID: 84X0Sgm7pGe Signed-off-by: Emilio Cobos Álvarez --- js/src/vm/ArrayObject-inl.h | 1 + 1 file changed, 1 insertion(+) diff --git a/js/src/vm/ArrayObject-inl.h b/js/src/vm/ArrayObject-inl.h index c83e7b676033..d5f8b82eae0a 100644 --- a/js/src/vm/ArrayObject-inl.h +++ b/js/src/vm/ArrayObject-inl.h @@ -23,6 +23,7 @@ inline void ArrayObject::setLength(ExclusiveContext* cx, uint32_t length) { MOZ_ASSERT(lengthIsWritable()); + MOZ_ASSERT_IF(length != getElementsHeader()->length, !denseElementsAreFrozen()); if (length > INT32_MAX) { /* Track objects with overflowing lengths in type information. */