Bug 1190733 - Test initializedLength() instead of length() during the fast path for reversing unboxed arrays, r=jandem.

2024-09-13 09:24:08 -07:00 · 2015-08-21 11:40:15 -06:00 · 2015-08-21 11:40:15 -06:00 · 70ad93600d
commit 70ad93600d
parent 16c882549c
2 changed files with 9 additions and 2 deletions
--- a/js/src/jit-test/tests/basic/bug1190733.js
+++ b/js/src/jit-test/tests/basic/bug1190733.js
@ -0,0 +1,7 @@
+
+x = [];
+Array.prototype.push.call(x, Uint8ClampedArray);
+(function() {
+    x.length = 9;
+})();
+Array.prototype.reverse.call(x);
--- a/js/src/jsarray.cpp
+++ b/js/src/jsarray.cpp
@ -1250,10 +1250,10 @@ ArrayReverseDenseKernel(JSContext* cx, HandleObject obj, uint32_t length)
        /* Fill out the array's initialized length to its proper length. */
        obj->as<NativeObject>().ensureDenseInitializedLength(cx, length, 0);
    } else {
-        // Unboxed arrays can only be reversed if their initialized length
+        // Unboxed arrays can only be reversed here if their initialized length
        // matches their actual length. Otherwise the reversal will place holes
        // at the beginning of the array, which we don't support.
-        if (length != obj->as<UnboxedArrayObject>().length())
+        if (length != obj->as<UnboxedArrayObject>().initializedLength())
            return DenseElementResult::Incomplete;
    }