From: ricow@chromium.org Date: Thu, 18 Feb 2010 13:13:21 +0000 (+0000) Subject: Added access check to SetNormalizedProperty which is used from runtime DefineOrRedefi... X-Git-Tag: upstream/4.7.83~22443 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=0d6fe0a44f59cba02be26d8c124d7d9e4958f2f3;p=platform%2Fupstream%2Fv8.git Added access check to SetNormalizedProperty which is used from runtime DefineOrRedefineDataProperty. Review URL: http://codereview.chromium.org/647010 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3900 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
diff --git a/src/objects.cc b/src/objects.cc
index 7b435ba49..d6b5ce7fd 100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -2000,10 +2000,12 @@ Object* JSObject::IgnoreAttributesAndSetLocalProperty( if (!result->IsLoaded()) { return SetLazyProperty(result, name, value, attributes); } + PropertyDetails details = PropertyDetails(attributes, NORMAL); + // Check of IsReadOnly removed from here in clone. switch (result->type()) { case NORMAL: - return SetNormalizedProperty(result, value); + return SetNormalizedProperty(name, value, details); case FIELD: return FastPropertyAtPut(result->GetFieldIndex(), value); case MAP_TRANSITION:
diff --git a/src/runtime.cc b/src/runtime.cc
index 2a6715a1b..4722008ee 100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
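Review bot: In the src/objects.cc hunk, the `case NORMAL:` branch of IgnoreAttributesAndSetLocalProperty now feeds the caller-supplied `attributes` into SetNormalizedProperty, while the `case FIELD:` branch directly below still writes only the value through FastPropertyAtPut, so whether attributes are applied depends on the object's current representation. Because this function deliberately skips the read-only check, every existing caller should be audited for whether replacing the attributes of a dictionary-mode property (for example clearing a read-only attribute) is intended; the old `SetNormalizedProperty(result, value)` overload presumably left them untouched. I would document the asymmetry at the switch with `// Only NORMAL applies |attributes|; FIELD keeps the property's existing attributes.` If no later case uses `details`, it can be built at the point of use instead: `return SetNormalizedProperty(name, value, PropertyDetails(attributes, NORMAL));`. The switch continues past the end of the hunk, so the remaining cases are not visible here.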
@@ -2926,12 +2926,14 @@ static Object* Runtime_DefineOrRedefineDataProperty(Arguments args) { // correctly in the case where a property is a field and is reset with // new attributes. if (result.IsProperty() && attr != result.GetAttributes()) { - PropertyDetails details = PropertyDetails(attr, NORMAL); // New attributes - normalize to avoid writing to instance descriptor - js_object->NormalizeProperties(KEEP_INOBJECT_PROPERTIES, 0); - return js_object->SetNormalizedProperty(*name, *obj_value, details); + js_object->NormalizeProperties(CLEAR_INOBJECT_PROPERTIES, 0); + // Use IgnoreAttributes version since a readonly property may be + // overridden and SetProperty does not allow this. + return js_object->IgnoreAttributesAndSetLocalProperty(*name, + *obj_value, + attr); } - return Runtime::SetObjectProperty(js_object, name, obj_value, attr); }
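Review bot: The added `js_object->NormalizeProperties(CLEAR_INOBJECT_PROPERTIES, 0);` mutates the object before IgnoreAttributesAndSetLocalProperty is entered, and the access check this commit relies on is not in the visible lines and presumably runs inside that callee, so a caller that is then denied has already forced the object into dictionary mode. Unless a check earlier in Runtime_DefineOrRedefineDataProperty, outside this hunk, already covers it, the normalization should happen only after access has been granted. The result of NormalizeProperties is also dropped; if it can return a failure, it should be propagated, along the lines of `Object* ok = js_object->NormalizeProperties(CLEAR_INOBJECT_PROPERTIES, 0); if (ok->IsFailure()) return ok;`. The change from KEEP_INOBJECT_PROPERTIES to CLEAR_INOBJECT_PROPERTIES is not explained and should get a one-line comment saying why in-object properties must be cleared here.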