Fix for Issue 10782: Bug in semantics of ArraySetLength.

Added a comparison to throw a TypeError when the "enumerable"
field of the new descriptor doesn't match the one of the old descriptor.

Bug: v8:10782
Change-Id: I2f1acf215e597b85be5d29e22c006cbd79afcb47
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2818067
Commit-Queue: Luis Fernando Pardo Sixtos <lpardosixtos@microsoft.com>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73941}

src/objects/objects.cc

@@ -3370,10 +3370,13 @@ Maybe<bool> JSArray::ArraySetLength(Isolate* isolate, Handle<JSArray> a,
   }
   // 13. If oldLenDesc.[[Writable]] is false, return false.
   if (!old_len_desc.writable() ||
-      // Also handle the {configurable: true} case since we later use
-      // JSArray::SetLength instead of OrdinaryDefineOwnProperty to change
-      // the length, and it doesn't have access to the descriptor anymore.
-      new_len_desc->configurable()) {
+      // Also handle the {configurable: true} and enumerable changes
+      // since we later use JSArray::SetLength instead of
+      // OrdinaryDefineOwnProperty to change the length,
+      // and it doesn't have access to the descriptor anymore.
+      new_len_desc->configurable() ||
+      (new_len_desc->has_enumerable() &&
+       (old_len_desc.enumerable() != new_len_desc->enumerable()))) {
     RETURN_FAILURE(isolate, GetShouldThrow(isolate, should_throw),
                    NewTypeError(MessageTemplate::kRedefineDisallowed,
                                 isolate->factory()->length_string()));

test/mjsunit/regress-10782.js

+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function f() {
+  let x = [0,0,0,0,0];
+  Object.defineProperty(x, 'length', {value : 4, enumerable : true});
+}
+
+assertThrows(f, TypeError);