Bug 1247701 - Bail from ArrayShiftDenseKernel if the array is used by for-in iteration. r=jandem

2024-09-13 09:24:08 -07:00 · 2016-02-17 01:40:18 +09:00 · 2016-02-17 01:40:18 +09:00 · 1a37539d6e
commit 1a37539d6e
parent 3c56a94034
2 changed files with 21 additions and 7 deletions
--- a/js/src/jsarray.cpp
+++ b/js/src/jsarray.cpp
@ -2138,6 +2138,13 @@ ArrayShiftDenseKernel(JSContext* cx, JSObject* obj, Value* rval)
    if (ObjectMayHaveExtraIndexedProperties(obj))
        return DenseElementResult::Incomplete;

+    ObjectGroup* group = obj->getGroup(cx);
+    if (MOZ_UNLIKELY(!group))
+        return DenseElementResult::Failure;
+
+    if (MOZ_UNLIKELY(group->hasAllFlags(OBJECT_FLAG_ITERATED)))
+        return DenseElementResult::Incomplete;
+
    size_t initlen = GetBoxedOrUnboxedInitializedLength<Type>(obj);
    if (initlen == 0)
        return DenseElementResult::Incomplete;
@ -2195,13 +2202,7 @@ js::array_shift(JSContext* cx, unsigned argc, Value* vp)
        if (result == DenseElementResult::Failure)
            return false;

-        if (!SetLengthProperty(cx, obj, newlen))
-            return false;
-
-        RootedId id(cx);
-        if (!IndexToId(cx, newlen, &id))
-            return false;
-        return SuppressDeletedProperty(cx, obj, id);
+        return SetLengthProperty(cx, obj, newlen);
    }

    /* Steps 5, 10. */
--- a/js/src/tests/ecma_6/Array/shift_for_in.js
+++ b/js/src/tests/ecma_6/Array/shift_for_in.js
@ -0,0 +1,13 @@
+var BUGNUMBER = 1247701;
+var summary = 'Array.prototype.shift on a dense array with holes should update for-in enumeration properties.';
+
+print(BUGNUMBER + ": " + summary);
+
+var x = ["a", , "b", , "c", "d" , "e", "f", "g"];
+for (var p in x) {
+  assertEq(p in x, true);
+  x.shift();
+}
+
+if (typeof reportCompare === "function")
+  reportCompare(true, true);