From 50de15c3a64577f1523ec456df028dc20f539beb Mon Sep 17 00:00:00 2001
From: Gaming4JC <g4jc@hyperbola.info>
Date: Sun, 7 Jul 2019 20:36:27 -0400
Subject: 1317387: The intrinsic %ThrowTypeError% function should be frozen.

---
 js/src/jsfun.cpp | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

(limited to 'js/src/jsfun.cpp')

diff --git a/js/src/jsfun.cpp b/js/src/jsfun.cpp
index 3453a59e1..470746d50 100644
--- a/js/src/jsfun.cpp
+++ b/js/src/jsfun.cpp
@@ -861,6 +861,28 @@ CreateFunctionPrototype(JSContext* cx, JSProtoKey key)
     if (!throwTypeError || !PreventExtensions(cx, throwTypeError))
         return nullptr;
 
+    // The "length" property of %ThrowTypeError% is non-configurable, adjust
+    // the default property attributes accordingly.
+    Rooted<PropertyDescriptor> nonConfigurableDesc(cx);
+    nonConfigurableDesc.setAttributes(JSPROP_PERMANENT | JSPROP_IGNORE_READONLY |
+                                      JSPROP_IGNORE_ENUMERATE | JSPROP_IGNORE_VALUE);
+
+    RootedId lengthId(cx, NameToId(cx->names().length));
+    ObjectOpResult lengthResult;
+    if (!NativeDefineProperty(cx, throwTypeError, lengthId, nonConfigurableDesc, lengthResult))
+        return nullptr;
+    MOZ_ASSERT(lengthResult);
+
+    // Non-standard: Also change "name" to non-configurable. ECMAScript defines
+    // %ThrowTypeError% as an anonymous function, i.e. it shouldn't actually
+    // get an own "name" property. To be consistent with other built-in,
+    // anonymous functions, we don't delete %ThrowTypeError%'s "name" property.
+    RootedId nameId(cx, NameToId(cx->names().name));
+    ObjectOpResult nameResult;
+    if (!NativeDefineProperty(cx, throwTypeError, nameId, nonConfigurableDesc, nameResult))
+        return nullptr;
+    MOZ_ASSERT(nameResult);
+
     self->setThrowTypeError(throwTypeError);
 
     return functionProto;
-- 
cgit v1.2.3