Bug 631098 - Ensure slow arrays always have a length property. r=brendan, a=b

2024-09-13 09:24:08 -07:00 · 2011-02-03 11:04:14 -08:00 · 2011-02-03 11:04:14 -08:00 · e8e463d19c
commit e8e463d19c
parent 7f57bd46bb
1 changed files with 12 additions and 4 deletions
--- a/js/src/jsarray.cpp
+++ b/js/src/jsarray.cpp
@ -1001,6 +1001,16 @@ Class js_SlowArrayClass = {
    js_TryValueOf
 };

+static bool
+AddLengthProperty(JSContext *cx, JSObject *obj)
+{
+    const jsid lengthId = ATOM_TO_JSID(cx->runtime->atomState.lengthAtom);
+    JS_ASSERT(!obj->nativeLookup(lengthId));
+
+    return obj->addProperty(cx, lengthId, array_length_getter, array_length_setter,
+                            SHAPE_INVALID_SLOT, JSPROP_PERMANENT | JSPROP_SHARED, 0, 0);
+}
+
 /*
 * Convert an array object from fast-and-dense to slow-and-flexible.
 */
@ -1027,9 +1037,7 @@ JSObject::makeDenseArraySlow(JSContext *cx)
     * Begin with the length property to share more of the property tree.
     * The getter/setter here will directly access the object's private value.
     */
-    if (!addProperty(cx, ATOM_TO_JSID(cx->runtime->atomState.lengthAtom),
-                     array_length_getter, array_length_setter,
-                     SHAPE_INVALID_SLOT, JSPROP_PERMANENT | JSPROP_SHARED, 0, 0)) {
+    if (!AddLengthProperty(cx, this)) {
        setMap(oldMap);
        return false;
    }
@ -3088,7 +3096,7 @@ JSObject *
 NewSlowEmptyArray(JSContext *cx)
 {
    JSObject *obj = NewNonFunction<WithProto::Class>(cx, &js_SlowArrayClass, NULL, NULL);
-    if (!obj)
+    if (!obj || !AddLengthProperty(cx, obj))
        return NULL;

    obj->setArrayLength(0);