Bug 1373356 - Fix NativeObject::sparsifyDenseElements to discard shifted elements. r=anba, a=jcristau
authorJan de Mooij <jdemooij@mozilla.com>
Tue, 27 Jun 2017 09:28:52 -0700
changeset 414129 99aa29fad80917c3685efb37f79c4d9fe592787d
parent 414128 13f6c960bb2584ad1dcdc064c93d30c36fe8469a
child 414130 bbf775f1de45e9d512ebd08e8e9efceadf948d94
reviewersanba, jcristau
bugs1373356
milestone55.0
Bug 1373356 - Fix NativeObject::sparsifyDenseElements to discard shifted elements. r=anba, a=jcristau
js/src/jit-test/tests/basic/bug1373356.js
js/src/vm/NativeObject.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug1373356.js
@@ -0,0 +1,6 @@
+// |jit-test| error:TypeError
+x = [0, 0];
+x.shift();
+x.pop();
+Object.preventExtensions(x);
+x.unshift(0);
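Review bot: The test records only that `x.unshift(0)` must throw a TypeError and says nothing about what it is guarding, so a later reader cannot tell why the shift/pop/preventExtensions sequence matters. A one-line comment after the jit-test header such as `// Bug 1373356: shift() leaves shifted dense elements behind; sparsifying the array (presumably via preventExtensions) must discard them before unshift() runs.` would tie the sequence to the invariant the fix restores. Which of these calls actually reaches sparsifyDenseElements is not visible from the test itself and should be confirmed against the engine source.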
--- a/js/src/vm/NativeObject.cpp
+++ b/js/src/vm/NativeObject.cpp
@@ -544,21 +544,23 @@ NativeObject::sparsifyDenseElements(JSCo
 
         if (!sparsifyDenseElement(cx, obj, i))
             return false;
     }
 
     if (initialized)
         obj->setDenseInitializedLengthUnchecked(0);
 
-    /*
-     * Reduce storage for dense elements which are now holes. Explicitly mark
-     * the elements capacity as zero, so that any attempts to add dense
-     * elements will be caught in ensureDenseElements.
-     */
+    // Reduce storage for dense elements which are now holes. Explicitly mark
+    // the elements capacity as zero, so that any attempts to add dense
+    // elements will be caught in ensureDenseElements.
+
+    if (obj->getElementsHeader()->numShiftedElements() > 0)
+        obj->moveShiftedElements();
+
     if (obj->getDenseCapacity()) {
         obj->shrinkElements(cx, 0);
         obj->getElementsHeader()->capacity = 0;
     }
 
     return true;
 }
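Review bot: The new `moveShiftedElements()` call is inserted between the comment and the `shrinkElements`/`capacity = 0` block that comment describes, so nothing in the hunk says why shifted elements must be moved back before the capacity is zeroed. A comment on the new check such as `// Move shifted elements back first: shrinkElements and the capacity reset below must see an unshifted elements buffer, otherwise the header's shifted-element count goes stale. (bug 1373356)` would record that, with the exact assumption confirmed against moveShiftedElements and shrinkElements, which are outside this hunk. Adding `MOZ_ASSERT(obj->getElementsHeader()->numShiftedElements() == 0);` immediately before `if (obj->getDenseCapacity())` would make the invariant self-checking in debug builds, if that assertion macro is the one this file already uses. sparsifyDenseElements starts outside the hunk.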