Index: src/ic.cc |
diff --git a/src/ic.cc b/src/ic.cc |
index dc15194ec94432419b73f1d8c74bcad458e5c305..f10e74803926ef7c7252586af323d1455b7c49af 100644 |
--- a/src/ic.cc |
+++ b/src/ic.cc |
@@ -1651,12 +1651,14 @@ MaybeObject* StoreIC::Store(State state, |
// Use specialized code for setting the length of arrays with fast |
// properties. Slow properties might indicate redefinition of the length |
- // property. |
+ // property. Note that when redefined using Object.freeze, it's possible |
+ // to have fast properties but a read-only length. |
if (FLAG_use_ic && |
receiver->IsJSArray() && |
name->Equals(isolate()->heap()->length_string()) && |
Handle<JSArray>::cast(receiver)->AllowsSetElementsLength() && |
- receiver->HasFastProperties()) { |
+ receiver->HasFastProperties() && |
+ !receiver->map()->is_frozen()) { |
Handle<Code> stub = |
StoreArrayLengthStub(kind(), strict_mode).GetCode(isolate()); |
set_target(*stub); |