Fix ArrayLengthSetter to not throw on non-extensible receivers.

BUG=v8:3460
LOG=n
R=ishell@chromium.org

Review URL: https://codereview.chromium.org/411983003

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@22576 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

src/accessors.cc

@@ -174,13 +174,16 @@ void Accessors::ArrayLengthSetter(
     const v8::PropertyCallbackInfo<void>& info) {
   i::Isolate* isolate = reinterpret_cast<i::Isolate*>(info.GetIsolate());
   HandleScope scope(isolate);
-  Handle<JSObject> object = Handle<JSObject>::cast(
-      Utils::OpenHandle(*info.This()));
+  Handle<JSObject> object = Utils::OpenHandle(*info.This());
   Handle<Object> value = Utils::OpenHandle(*val);
   // This means one of the object's prototypes is a JSArray and the
   // object does not have a 'length' property.  Calling SetProperty
   // causes an infinite loop.
   if (!object->IsJSArray()) {
+    // This behaves sloppy since we lost the actual strict-mode.
+    // TODO(verwaest): Fix by making ExecutableAccessorInfo behave like data
+    // properties.
+    if (!object->map()->is_extensible()) return;
     MaybeHandle<Object> maybe_result = JSObject::SetOwnPropertyIgnoreAttributes(
         object, isolate->factory()->length_string(), value, NONE);
     maybe_result.Check();

test/mjsunit/regress/regress-mask-array-length.js

@@ -0,0 +1,10 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var a = [];
+var o = {
+  __proto__: a
+};
+Object.preventExtensions(o);
+o.length = 'abc';