Bug 1605143 - Part 1: Splice prototype to ensure we don't mark the object as having unknown properties. r=jandem

Differential Revision: https://phabricator.services.mozilla.com/D58803

--HG--
extra : moz-landing-system : lando

js/src/vm/JSFunction-inl.h

@@ -63,11 +63,27 @@ inline JSFunction* CloneFunctionObjectIfNotSingleton(
    * the function's script.
    */
   if (CanReuseFunctionForClone(cx, fun)) {
-    ObjectOpResult succeeded;
+    if (proto && proto != fun->staticPrototype()) {
-    if (proto && !SetPrototype(cx, fun, proto, succeeded)) {
+      // |CanReuseFunctionForClone| ensures |fun| is a singleton function. |fun|
-      return nullptr;
+      // must also be extensible and have a mutable prototype for its prototype
+      // to be modifiable, so assert both conditions, too.
+      MOZ_ASSERT(fun->isSingleton());
+      MOZ_ASSERT(!fun->staticPrototypeIsImmutable());
+      MOZ_ASSERT(fun->isExtensible());
+
+      if (!JSObject::setDelegate(cx, proto)) {
+        return nullptr;
+      }
+
+      // Directly splice the prototype instead of calling |js::SetPrototype| to
+      // ensure we don't mark the function as having "unknown properties". This
+      // is safe to do, because the singleton function hasn't yet been exposed
+      // to scripts.
+      Rooted<TaggedProto> tagged(cx, TaggedProto(proto));
+      if (!JSObject::splicePrototype(cx, fun, tagged)) {
+        return nullptr;
+      }
     }
-    MOZ_ASSERT(!proto || succeeded);
     fun->setEnvironment(parent);
     return fun;
   }