From 71956a76432a15d295826af4ec8f4260336bd64b Mon Sep 17 00:00:00 2001
From: Brian Hackett <bhackett1024@gmail.com>
Date: Mon, 5 Oct 2015 10:18:05 -0600
Subject: [PATCH] Bug 1210596 - Mark array groups as not packed when
 initializing individual elements with holes, r=jandem.

---
 js/src/jit-test/tests/basic/bug1210596.js | 4 ++++
 js/src/vm/NativeObject-inl.h              | 5 ++++-
 2 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 js/src/jit-test/tests/basic/bug1210596.js

diff --git a/js/src/jit-test/tests/basic/bug1210596.js b/js/src/jit-test/tests/basic/bug1210596.js
new file mode 100644
index 00000000000..5efea9fccf5
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug1210596.js
@@ -0,0 +1,4 @@
+var count = 0;
+var a = Array.prototype.concat.call([], [, []], []);
+a.forEach(function() { count++; });
+assertEq(count, 1);
diff --git a/js/src/vm/NativeObject-inl.h b/js/src/vm/NativeObject-inl.h
index 8ac7800dd21..5b51fb1275f 100644
--- a/js/src/vm/NativeObject-inl.h
+++ b/js/src/vm/NativeObject-inl.h
@@ -79,7 +79,10 @@ inline void
 NativeObject::initDenseElementWithType(ExclusiveContext* cx, uint32_t index, const Value& val)
 {
     MOZ_ASSERT(!shouldConvertDoubleElements());
-    AddTypePropertyId(cx, this, JSID_VOID, val);
+    if (val.isMagic(JS_ELEMENTS_HOLE))
+        markDenseElementsNotPacked(cx);
+    else
+        AddTypePropertyId(cx, this, JSID_VOID, val);
     initDenseElement(index, val);
 }