diff --git a/js/src/jsobj.cpp b/js/src/jsobj.cpp
index f3117a47a47..94e76452f15 100644
--- a/js/src/jsobj.cpp
+++ b/js/src/jsobj.cpp
@@ -548,6 +548,19 @@ js::SetIntegrityLevel(JSContext* cx, HandleObject obj, IntegrityLevel level)
 MOZ_ASSERT(nobj->lastProperty()->slotSpan() == last->slotSpan());
 JS_ALWAYS_TRUE(nobj->setLastProperty(cx, last));
+
+ // Ordinarily ArraySetLength handles this, but we're going behind its back
+ // right now, so we must do this manually.
+ //
+ // ArraySetLength also implements the capacity <= length invariant for
+ // arrays with non-writable length. We don't need to do anything special
+ // for that, because capacity was zeroed out by preventExtensions. (See
+ // the assertion about getDenseCapacity above.)
+ if (level == IntegrityLevel::Frozen && obj->is()) {
+ if (!obj->as().maybeCopyElementsForWrite(cx))
+ return false;
+ obj->as().getElementsHeader()->setNonwritableArrayLength();
+ }
 } else {
 RootedId id(cx);
 Rooted desc(cx);
@@ -586,21 +599,6 @@ js::SetIntegrityLevel(JSContext* cx, HandleObject obj, IntegrityLevel level)
 }
 }
- // Ordinarily ArraySetLength handles this, but we're going behind its back
- // right now, so we must do this manually. Neither the custom property
- // tree mutations nor the DefineProperty call in the above code will do
- // this for us.
- //
- // ArraySetLength also implements the capacity <= length invariant for
- // arrays with non-writable length. We don't need to do anything special
- // for that, because capacity was zeroed out by preventExtensions. (See
- // the assertion before the if-else above.)
- if (level == IntegrityLevel::Frozen && obj->is()) {
- if (!obj->as().maybeCopyElementsForWrite(cx))
- return false;
- obj->as().getElementsHeader()->setNonwritableArrayLength();
- }
-
 return true;
 }
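Review bot: With the non-writable-length step now inside the first branch of js::SetIntegrityLevel (first hunk), the `else` path no longer sets the flag itself, and nothing visible in the patch states or checks that a frozen array taking that path still ends up with it. Presumably the DefineProperty call on `length` in that branch reaches ArraySetLength, which is what the dropped sentence of the old comment denied; if so, say that in a comment at the end of the `else` branch and pin it with an assertion just before `return true;`, e.g. `MOZ_ASSERT_IF(level == IntegrityLevel::Frozen && obj->is<ArrayObject>(), !obj->as<ArrayObject>().lengthIsWritable());`. Since the comment itself ties this flag to the capacity <= length invariant, it is worth an explicit check rather than an implication. The moved block also leans on an assertion about getDenseCapacity that lies outside this hunk; if that is a debug-only MOZ_ASSERT, the precondition for `setNonwritableArrayLength()` goes unchecked in release builds.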