diff --git a/js/src/vm/NativeObject.cpp b/js/src/vm/NativeObject.cpp index f86a6b6bb87..7ec3020733a 100644 --- a/js/src/vm/NativeObject.cpp +++ b/js/src/vm/NativeObject.cpp @@ -1309,6 +1309,16 @@ js::NativeDefineProperty(ExclusiveContext* cx, HandleNativeObject obj, HandleId return false; return DefineTypedArrayElement(cx->asJSContext(), obj, index, desc_, result); } + } else if (obj->is()) { + if (id == NameToId(cx->names().length)) { + // Either we are resolving the .length property on this object, or + // redefining it. In the latter case only, we must set a bit. To + // distinguish the two cases, we note that when resolving, the + // property won't already exist; whereas the first time it is + // redefined, it will. + if (obj->containsPure(id)) + obj->as().markLengthOverridden(); + } } Rooted desc(cx, desc_);