Bug 1190733 - Test initializedLength() instead of length() during the fast path for reversing unboxed arrays, r=jandem.
authorBrian Hackett <bhackett1024@gmail.com>
Fri, 21 Aug 2015 11:40:15 -0600
changeset 287163 a68f7c9e1fd383a2d739706d1b6b2559338db95d
parent 287162 4520f11055a7abba8d2960c108bc6438f6a53d94
child 287164 e671afb6659132bdc041ceada37d39505240a387
push id4660
push usermartin.thomson@gmail.com
push dateFri, 21 Aug 2015 22:37:38 +0000
reviewersjandem
bugs1190733
milestone43.0a1
Bug 1190733 - Test initializedLength() instead of length() during the fast path for reversing unboxed arrays, r=jandem.
js/src/jit-test/tests/basic/bug1190733.js
js/src/jsarray.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug1190733.js
@@ -0,0 +1,7 @@
+
+x = [];
+Array.prototype.push.call(x, Uint8ClampedArray);
+(function() {
+    x.length = 9;
+})();
+Array.prototype.reverse.call(x);
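Review bot: The test passes as long as the shell does not crash, so it would not notice a reversal that silently produces the wrong array. After the final `reverse` call, two lines such as `assertEq(x.length, 9);` and `assertEq(x[8], Uint8ClampedArray);` would pin the expected result. A one-line comment at the top naming the condition being exercised (the length is raised above the initialized length before reversing) would help whoever next touches the file.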
--- a/js/src/jsarray.cpp
+++ b/js/src/jsarray.cpp
@@ -1245,20 +1245,20 @@ ArrayReverseDenseKernel(JSContext* cx, H
          */
         DenseElementResult result = obj->as<NativeObject>().ensureDenseElements(cx, length, 0);
         if (result != DenseElementResult::Success)
             return result;
 
         /* Fill out the array's initialized length to its proper length. */
         obj->as<NativeObject>().ensureDenseInitializedLength(cx, length, 0);
     } else {
-        // Unboxed arrays can only be reversed if their initialized length
+        // Unboxed arrays can only be reversed here if their initialized length
         // matches their actual length. Otherwise the reversal will place holes
         // at the beginning of the array, which we don't support.
-        if (length != obj->as<UnboxedArrayObject>().length())
+        if (length != obj->as<UnboxedArrayObject>().initializedLength())
             return DenseElementResult::Incomplete;
     }
 
     RootedValue origlo(cx), orighi(cx);
 
     uint32_t lo = 0, hi = length - 1;
     for (; lo < hi; lo++, hi--) {
         origlo = GetBoxedOrUnboxedDenseElement<Type>(obj, lo);
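Review bot: Nothing before the swap loop at `uint32_t lo = 0, hi = length - 1;` asserts the invariant that both branches above are meant to establish, namely that every index below `length` is initialized. The loop reads elements through `GetBoxedOrUnboxedDenseElement<Type>` with no bounds check visible in this hunk, so a future regression in either branch would again go unnoticed in release builds. A debug assertion just ahead of the loop would catch it early, e.g. `MOZ_ASSERT(GetBoxedOrUnboxedInitializedLength<Type>(obj) >= length);` (assuming that helper is in scope in this file). The kernel's body starts above and continues below this hunk, so whether `length == 0` is already rejected before `length - 1` is computed cannot be confirmed from here.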