Added access check to SetNormalizedProperty which is used from runtime DefineOrRedefineDataProperty.

Review URL: http://codereview.chromium.org/647010

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3900 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

src/objects.cc

@@ -2000,10 +2000,12 @@ Object* JSObject::IgnoreAttributesAndSetLocalProperty(
   if (!result->IsLoaded()) {
     return SetLazyProperty(result, name, value, attributes);
   }
+  PropertyDetails details = PropertyDetails(attributes, NORMAL);
+
   // Check of IsReadOnly removed from here in clone.
   switch (result->type()) {
     case NORMAL:
-      return SetNormalizedProperty(result, value);
+      return SetNormalizedProperty(name, value, details);
     case FIELD:
       return FastPropertyAtPut(result->GetFieldIndex(), value);
     case MAP_TRANSITION:

src/runtime.cc

@@ -2926,12 +2926,14 @@ static Object* Runtime_DefineOrRedefineDataProperty(Arguments args) {
   // correctly in the case where a property is a field and is reset with
   // new attributes.
   if (result.IsProperty() && attr != result.GetAttributes()) {
-    PropertyDetails details = PropertyDetails(attr, NORMAL);
     // New attributes - normalize to avoid writing to instance descriptor
-    js_object->NormalizeProperties(KEEP_INOBJECT_PROPERTIES, 0);
-    return js_object->SetNormalizedProperty(*name, *obj_value, details);
+    js_object->NormalizeProperties(CLEAR_INOBJECT_PROPERTIES, 0);
+    // Use IgnoreAttributes version since a readonly property may be
+    // overridden and SetProperty does not allow this.
+    return js_object->IgnoreAttributesAndSetLocalProperty(*name,
+                                                          *obj_value,
+                                                          attr);
   }
-
   return Runtime::SetObjectProperty(js_object, name, obj_value, attr);
 }