Array.prototype.slice should only normalize result if it's an array

R=cbruni@chromium.org BUG=chromium:618788 Review-Url: https://codereview.chromium.org/2058013002 Cr-Commit-Position: refs/heads/master@{#36955}
2016-06-14 02:37:53 -07:00 · 2016-06-14 02:37:53 -07:00 · 56ea2f9731
commit 56ea2f9731
parent 46020a2d12
2 changed files with 9 additions and 1 deletions
--- a/src/js/array.js
+++ b/src/js/array.js
@ -659,7 +659,7 @@ function ArraySlice(start, end) {

  if (UseSparseVariant(array, len, IS_ARRAY(array), end_i - start_i)) {
    %NormalizeElements(array);
-    %NormalizeElements(result);
+    if (IS_ARRAY(result)) %NormalizeElements(result);
    SparseSlice(array, start_i, end_i - start_i, len, result);
  } else {
    SimpleSlice(array, start_i, end_i - start_i, len, result);
--- a/test/mjsunit/regress/regress-crbug-618788.js
+++ b/test/mjsunit/regress/regress-crbug-618788.js
@ -0,0 +1,8 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var a = new Array();
+a.constructor = Int32Array;
+a.length = 1000; // Make the length >= 1000 so UseSparseVariant returns true.
+assertThrows(() => a.slice());