[INFER] Fix bogus assert in array_pop_dense, bug 657245.
authorBrian Hackett <bhackett1024@gmail.com>
Sun, 15 May 2011 22:08:10 -0700
changeset 75058 2649e0f0049f9f6a39541b19a00a88b4f97b318b
parent 75057 6d27f6e4e07ad311b223627ee023ee88e5152a29
child 75059 efe5cf75d0337d15e95061dcba32e584cb29a8c9
push id2
push userbsmedberg@mozilla.com
push dateFri, 19 Aug 2011 14:38:13 +0000
bugs657245
milestone6.0a1
[INFER] Fix bogus assert in array_pop_dense, bug 657245.
js/src/jit-test/tests/basic/bug657245.js
js/src/jsarray.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug657245.js
@@ -0,0 +1,4 @@
+
+var length = 4294967295;
+var array1 = Array(length);
+array1.pop();
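Review bot: The new test asserts nothing about the result, so it presumably only catches a regression in builds where the engine assertion is compiled in. Adding `assertEq(array1.pop(), undefined);` in place of the bare call, followed by `assertEq(array1.length, 4294967294);`, would also pin the observable behaviour at the top of the uint32 range. A one-line comment naming the bug and the boundary being tested would help whoever next reads this file.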
--- a/js/src/jsarray.cpp
+++ b/js/src/jsarray.cpp
@@ -2368,17 +2368,17 @@ array_pop_dense(JSContext *cx, JSObject*
         return JS_FALSE;
     if (hole)
         cx->markTypeCallerUnexpected(TYPE_UNDEFINED);
     if (!hole && DeleteArrayElement(cx, obj, index, true) < 0)
         return JS_FALSE;
 
     if (cx->typeInferenceEnabled() && obj->getDenseArrayInitializedLength() > index)
         obj->setDenseArrayInitializedLength(index);
-    obj->setDenseArrayLength(index);
+    obj->setArrayLength(cx, index);
     return JS_TRUE;
 }
 
 JSBool
 js::array_pop(JSContext *cx, uintN argc, Value *vp)
 {
     JSObject *obj = ToObject(cx, &vp[1]);
     if (!obj)
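Review bot: The replacement call `obj->setArrayLength(cx, index);` at the end of array_pop_dense carries no comment explaining why the dense-specific setter is avoided in a function that handles dense arrays. Judging by the commit title and the regression test, the reason is presumably that `index` can exceed the int32 range here (length 4294967295 pops to 4294967294), which the dense setter asserted against. A later cleanup could plausibly switch it back, so I would add above the call: `/* index may exceed INT32_MAX (e.g. Array(4294967295).pop()); use the general length setter. */`. The body of array_pop_dense begins outside this hunk, so whether `index` is range-checked earlier is not visible from here.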