From c9b48e96ec6644dc00d9de5365dd5fae1a2d4c48 Mon Sep 17 00:00:00 2001
From: Mike Stanton
Date: Fri, 17 May 2019 16:00:58 +0200
Subject: [PATCH] [Torque] Array.prototype.shift correctness fix
Fastpath failed to store the hole on the array left side.
Bug: chromium:940274
Change-Id: I1eca7b241030474cf5aed6c68f155a1d22ae553e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1617255
Commit-Queue: Michael Stanton
Reviewed-by: Tobias Tebbi
Cr-Commit-Position: refs/heads/master@{#61618}
---
 src/builtins/array-shift.tq | 1 +
 src/builtins/base.tq | 12 ++++++++++++
 test/mjsunit/regress/regress-crbug-940274.js | 11 +++++++++++
 3 files changed, 24 insertions(+)
 create mode 100644 test/mjsunit/regress/regress-crbug-940274.js
diff --git a/src/builtins/array-shift.tq b/src/builtins/array-shift.tq
index 9d1175bee4..3c8c1491bb 100644
--- a/src/builtins/array-shift.tq
+++ b/src/builtins/array-shift.tq
@@ -34,6 +34,7 @@ namespace array_shift {
 const result = witness.LoadElementOrUndefined(0);
 witness.ChangeLength(newLength);
 witness.MoveElements(0, 1, Convert(newLength));
+ witness.StoreHole(newLength);
 return result;
 }
 label Runtime {
diff --git a/src/builtins/base.tq b/src/builtins/base.tq
index 9e756cb656..b5e04d2d11 100644
--- a/src/builtins/base.tq
+++ b/src/builtins/base.tq
@@ -2571,6 +2571,18 @@ struct FastJSArrayWitness {
 }
 }
+ StoreHole(k: Smi) {
+ if (this.hasDoubles) {
+ const elements = Cast(this.unstable.elements)
+ otherwise unreachable;
+ StoreFixedDoubleArrayHoleSmi(elements, k);
+ } else {
+ const elements = Cast(this.unstable.elements)
+ otherwise unreachable;
+ StoreFixedArrayElement(elements, k, Hole);
+ }
+ }
+
 LoadElementOrUndefined(implicit context: Context)(k: Smi): Object {
 try {
 return this.LoadElementNoHole(k) otherwise FoundHole;
diff --git a/test/mjsunit/regress/regress-crbug-940274.js b/test/mjsunit/regress/regress-crbug-940274.js
new file mode 100644
index 0000000000..da9da318d3
--- /dev/null
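Review bot: The added `witness.StoreHole(newLength);` in array-shift.tq writes at index `newLength`, which after `witness.ChangeLength(newLength)` is one slot past the array's length, and nothing at the call site says why that slot is still inside the backing store. That holds only if ChangeLength leaves the elements store at its previous capacity; ChangeLength is defined outside this hunk, so this should be confirmed. I would add a comment above the call, such as `// Clear the vacated last slot; MoveElements leaves the old value there and the backing store is not shrunk here.` A stale reference left past the length is state that other fast paths may later misread, so the invariant is worth writing down. The enclosing function starts and ends outside the hunk.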
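Review bot: `StoreHole(k: Smi)` in base.tq accepts any index and stores the hole without stating or checking that `k` lies inside the backing store, or which elements kinds it is safe for. The only caller visible in this patch passes the new length right after a shift, which is presumably in range. As a general witness method, though, an out-of-range `k` would be a write outside the elements store, and a hole stored below the length of a packed array would break that kind's invariant. I would document the contract on the method, e.g. `// Caller guarantees k indexes the current backing store; for packed kinds k must not be below the array length.`, and add a debug-only check on the index if the neighbouring witness methods use one. Both branches also depend on `this.hasDoubles` agreeing with the real elements type, since a mismatch ends in `otherwise unreachable`; a short comment naming where that flag is kept in sync would help.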
+++ b/test/mjsunit/regress/regress-crbug-940274.js
@@ -0,0 +1,11 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function foo() {
+ var a = new Array({});
+ a.shift();
+ assertFalse(a.hasOwnProperty(0));
+}
+
+foo();
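Review bot: The regression test covers only the object-elements branch of the new `StoreHole`. `new Array({})` holds an object, so the `this.hasDoubles` branch that calls `StoreFixedDoubleArrayHoleSmi` is never exercised. A second case with a double-valued array would cover it, for example `var b = [1.5]; b.shift(); assertFalse(b.hasOwnProperty(0));`, assuming that array takes the same fast path. A multi-element case such as `var c = [{}, {}]; c.shift(); assertFalse(c.hasOwnProperty(1));` would also pin the path where `MoveElements` actually moves data and the vacated slot is not index 0.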