From d7567c2f79d6a3bf8d76313b06dbbdbe44fe809e Mon Sep 17 00:00:00 2001
From: Brian Hackett
Date: Tue, 15 Jan 2013 15:03:44 -0700
Subject: [PATCH] Bug 830967 - Don't skip sparse elements in 'this' when optimizing Array.concat, r=billm.
---
 js/src/jit-test/tests/basic/bug830967.js | 4 ++++
 js/src/jsarray.cpp | 4 +++-
 2 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 js/src/jit-test/tests/basic/bug830967.js
diff --git a/js/src/jit-test/tests/basic/bug830967.js b/js/src/jit-test/tests/basic/bug830967.js
new file mode 100644
index 00000000000..e52892f645a
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug830967.js
@@ -0,0 +1,4 @@
+var x = Array.concat(Object.freeze([{}]));
+assertEq(x.length, 1);
+assertEq(0 in x, true);
+assertEq(JSON.stringify(x[0]), "{}");
diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp
index 30fa23221e6..5c9a6b11519 100644
--- a/js/src/jsarray.cpp
+++ b/js/src/jsarray.cpp
@@ -2022,7 +2022,7 @@ js::array_concat(JSContext *cx, unsigned argc, Value *vp)
 RootedObject nobj(cx);
 uint32_t length;
- if (aobj->isArray()) {
+ if (aobj->isArray() && !aobj->isIndexed()) {
 length = aobj->getArrayLength();
 uint32_t initlen = aobj->getDenseInitializedLength();
 nobj = NewDenseCopiedArray(cx, initlen, aobj, 0);
@@ -2602,6 +2602,8 @@ JSObject *
 js::NewDenseCopiedArray(JSContext *cx, uint32_t length, HandleObject src, uint32_t elementOffset, RawObject proto /* = NULL */)
 {
+ JS_ASSERT(!src->isIndexed());
+
 JSObject* obj = NewArray(cx, length, proto);
 if (!obj) return NULL;
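Review bot: The new test in js/src/jit-test/tests/basic/bug830967.js covers only a one-element frozen array with no further arguments, so it would not catch a regression in how later arguments are appended once `this` is kept off the dense-copy branch. A second case such as `var y = Array.concat(Object.freeze([1, 2]), [3]);` followed by `assertEq(y.length, 3);` and `assertEq(y[2], 3);` would cover that. A leading comment like `// Bug 830967: a frozen array must not go through the dense-copy fast path in Array.concat.` would also say why Object.freeze is used; that freezing is what makes the array indexed is inferred from the commit title, not shown in the patch.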
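Review bot: The extra `!aobj->isIndexed()` test in the @@ -2022 hunk of js/src/jsarray.cpp carries no comment saying why an indexed array must stay off this branch, so a later cleanup of the fast path could drop it again. The branch copies only `getDenseInitializedLength()` elements through `NewDenseCopiedArray`, and a comment above the `if` such as `/* Indexed arrays may hold sparse elements that the dense copy below would skip. */` would record the invariant. array_concat starts and ends outside the hunk, so the path an indexed array now takes is not visible here; it should be confirmed to copy those elements.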
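Review bot: The `JS_ASSERT(!src->isIndexed());` added at the top of js::NewDenseCopiedArray (@@ -2602 hunk) guards debug builds only, because JS_ASSERT is compiled out of release builds. A release-build caller that passes an indexed `src` would presumably still get a copy that silently omits the sparse elements. Only the array_concat call site is visibly guarded by this patch, so the other callers, which are outside this diff, should be checked for the same condition. The precondition is also worth stating above the function, for example `/* src must not be indexed: only its dense elements are copied. */`. The function body continues past the end of the hunk.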