From 1c594e8314a7d7147dd12422c89678a711ffdfe2 Mon Sep 17 00:00:00 2001
From: Jason Orendorff
Date: Mon, 23 Mar 2015 14:32:33 -0500
Subject: [PATCH] Bug 1148652, part 3 - Mark arguments.length as overridden when it is redefined via the C API. r=efaust.
---
 js/src/vm/NativeObject.cpp | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/js/src/vm/NativeObject.cpp b/js/src/vm/NativeObject.cpp
index f86a6b6bb87..7ec3020733a 100644
--- a/js/src/vm/NativeObject.cpp
+++ b/js/src/vm/NativeObject.cpp
@@ -1309,6 +1309,16 @@ js::NativeDefineProperty(ExclusiveContext* cx, HandleNativeObject obj, HandleId
 return false;
 return DefineTypedArrayElement(cx->asJSContext(), obj, index, desc_, result);
 }
+ } else if (obj->is()) {
+ if (id == NameToId(cx->names().length)) {
+ // Either we are resolving the .length property on this object, or
+ // redefining it. In the latter case only, we must set a bit. To
+ // distinguish the two cases, we note that when resolving, the
+ // property won't already exist; whereas the first time it is
+ // redefined, it will.
+ if (obj->containsPure(id))
+ obj->as().markLengthOverridden();
+ }
 }
 Rooted desc(cx, desc_);
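Review bot: The `if (obj->containsPure(id))` test assumes that `.length` has already been resolved by the time a redefinition reaches this branch, but nothing in the hunk enforces or asserts that. If the lookup that runs the resolve hook happens later in `NativeDefineProperty` (the function starts and ends outside this hunk, so this is inferred), a C API define on an arguments object whose `length` was never resolved would see `containsPure` return false, be treated as the resolving case, and leave the overridden bit clear; any consumer that trusts that bit would then keep reading the original argument count. I would state the precondition in the comment, for example `// Relies on .length having been resolved before any redefinition reaches this point.`, and add a jsapi test that redefines `length` through the C API on a freshly created arguments object and checks that the length is reported as overridden.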