From 7189237c7264a98e0840f77d0127e5060785544a Mon Sep 17 00:00:00 2001
From: Jason Orendorff
Date: Thu, 9 Apr 2015 15:55:37 -0500
Subject: [PATCH] Bug 1148750, part 12 - Reject redefinition of non-writable non-configurable data property as writable. This fixes bug 1073808. r=efaust.
---
 .../collections/Array-of-nonconfigurable-1.js | 8 ++++++++
 .../collections/Array-of-nonconfigurable-2.js | 16 ++++++++++++++++
 js/src/vm/NativeObject.cpp | 4 ++++
 3 files changed, 28 insertions(+)
 create mode 100644 js/src/jit-test/tests/collections/Array-of-nonconfigurable-1.js
 create mode 100644 js/src/jit-test/tests/collections/Array-of-nonconfigurable-2.js
diff --git a/js/src/jit-test/tests/collections/Array-of-nonconfigurable-1.js b/js/src/jit-test/tests/collections/Array-of-nonconfigurable-1.js
new file mode 100644
index 00000000000..d516a1a40c8
--- /dev/null
+++ b/js/src/jit-test/tests/collections/Array-of-nonconfigurable-1.js
@@ -0,0 +1,8 @@
+// If Array.of tries to overwrite a non-configurable property, it throws a TypeError.
+
+load(libdir + "asserts.js");
+
+function C() {
+ Object.defineProperty(this, 0, {value: "v", configurable: false});
+}
+assertThrowsInstanceOf(() => Array.of.call(C, 1, 2, 3), TypeError);
diff --git a/js/src/jit-test/tests/collections/Array-of-nonconfigurable-2.js b/js/src/jit-test/tests/collections/Array-of-nonconfigurable-2.js
new file mode 100644
index 00000000000..4b469c47940
--- /dev/null
+++ b/js/src/jit-test/tests/collections/Array-of-nonconfigurable-2.js
@@ -0,0 +1,16 @@
+// Array.of does not overwrite non-configurable properties.
+
+load(libdir + "asserts.js");
+
+var obj;
+function C() {
+ obj = this;
+ Object.defineProperty(this, 0, {value: "v", configurable: false});
+}
+try { Array.of.call(C, 1); } catch (e) {}
+assertDeepEq(Object.getOwnPropertyDescriptor(obj, 0), {
+ configurable: false,
+ enumerable: false,
+ value: "v",
+ writable: false
+});
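Review bot: Neither Array-of-nonconfigurable-1.js nor Array-of-nonconfigurable-2.js pins the TypeError to the new writable check, because the descriptor Array.of supplies presumably differs from the existing property in value, enumerable and configurable as well as writable, so any of those comparisons could be the one that rejects the redefinition. A direct case would isolate the new branch: `var o = Object.defineProperty({}, "x", {value: 1});` followed by `assertThrowsInstanceOf(() => Object.defineProperty(o, "x", {writable: true}), TypeError);`. In the second file the empty `catch (e) {}` deserves a comment such as `// The throw itself is asserted in Array-of-nonconfigurable-1.js.` so it does not read as an accidental swallow.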
diff --git a/js/src/vm/NativeObject.cpp b/js/src/vm/NativeObject.cpp
index 0fa2d3f80f5..0559777c996 100644
--- a/js/src/vm/NativeObject.cpp
+++ b/js/src/vm/NativeObject.cpp
@@ -1443,6 +1443,10 @@ js::NativeDefineProperty(ExclusiveContext* cx, HandleNativeObject obj, HandleId
 CompletePropertyDescriptor(&desc);
 } else if (desc.isDataDescriptor()) {
 // Step 8.
+ bool frozen = !IsConfigurable(shapeAttrs) && !IsWritable(shapeAttrs);
+ if (frozen && desc.hasWritable() && desc.writable() && !skipRedefineChecks)
+ return result.fail(JSMSG_CANT_REDEFINE_PROP);
+
 if (desc.hasValue()) {
 // If any other JSPROP_IGNORE_* attributes are present, copy the
 // corresponding JSPROP_* attributes from the existing property.
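Review bot: The added guard under `// Step 8.` rejects only `writable: true`; a descriptor that carries a different `value` and no `writable` field passes it and continues into the `desc.hasValue()` branch, whose body lies outside the hunk. If nothing there compares the incoming value with the stored one, a non-configurable, non-writable property could still have its value replaced, which is the same integrity invariant this commit is tightening, so it is worth confirming and covering with a test that redefines only `value`. The guard is also skipped whenever `skipRedefineChecks` is set, and that flag is defined outside the hunk, so the callers that set it should be checked to make sure none of them forwards a script-supplied descriptor. A one-line comment above the check, for example `// A non-configurable, non-writable data property cannot be redefined as writable.`, would make the intent readable without the commit message.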