From f030838700a83cde6992cb8ebcb3facc6a8fc1f1 Mon Sep 17 00:00:00 2001
From: Tobias Tebbi
Date: Fri, 23 Jun 2017 13:09:09 +0200
Subject: [PATCH] [runtime] clear array elements when right trimming while leaving free space

Bug: chromium:734314
Change-Id: I4e1bd1264c2c4088ce9fdcdbe3b9e233faa516df
Reviewed-on: https://chromium-review.googlesource.com/544990
Reviewed-by: Jakob Kummerow
Commit-Queue: Tobias Tebbi
Cr-Commit-Position: refs/heads/master@{#46211}
---
 src/elements.cc              | 4 ++++
 test/mjsunit/array-length.js | 9 +++++++++
 2 files changed, 13 insertions(+)

diff --git a/src/elements.cc b/src/elements.cc
index 570d061a48..b2cd27161a 100644
--- a/src/elements.cc
+++ b/src/elements.cc
@@ -777,6 +777,10 @@ class ElementsAccessorBase : public ElementsAccessor {
           ? (capacity - length) / 2
           : capacity - length;
       isolate->heap()->RightTrimFixedArray(*backing_store, elements_to_trim);
+      // Fill the non-trimmed elements with holes.
+      BackingStore::cast(*backing_store)
+          ->FillWithHoles(length,
+                          std::min(old_length, capacity - elements_to_trim));
     } else {
       // Otherwise, fill the unused tail with holes.
       BackingStore::cast(*backing_store)->FillWithHoles(length, old_length);
diff --git a/test/mjsunit/array-length.js b/test/mjsunit/array-length.js
index ea2a6725b7..0fec92de00 100644
--- a/test/mjsunit/array-length.js
+++ b/test/mjsunit/array-length.js
@@ -43,6 +43,15 @@
 assertEquals('undefined', typeof a[2]);
 assertEquals('undefined', typeof a[3]);
 
+for(var i = 0; i < 10; i++) {
+  var array = new Array(i).fill(42);
+  array.push(42);
+  array.length = i;
+  array.length = i+1;
+  assertEquals('undefined' , typeof array[i]);
+}
+
+
 var a = new Array();
 a[0] = 0;
 a[1000] = 1000;
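Review bot: The upper bound `std::min(old_length, capacity - elements_to_trim)` on the added FillWithHoles call stops at old_length, so the fix silently relies on the slots in [old_length, capacity) already being holes after the trim, and the added comment `// Fill the non-trimmed elements with holes.` does not say what stale data is being cleared or why. Since this is the line that closes a bug where values past the new length survived a shrink and were observable after re-growing the array, I would make the intent explicit: `// Slots in [length, old_length) that survive the trim still hold the old values; clear them so a later length increase cannot resurrect them. [old_length, capacity) is assumed to be holes already.` Please also confirm that src/elements.cc includes <algorithm> for std::min, which the hunk does not show. The enclosing method of ElementsAccessorBase starts and ends outside the hunk.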
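Review bot: The assertion `assertEquals('undefined' , typeof array[i]);` in the added loop catches a resurrected 42 but would also pass if the slot held a real undefined value instead of a hole, which is the property the C++ change actually establishes; adding `assertFalse(i in array);` next to it pins the hole semantics. The loop's spacing (`for(var`, `'undefined' ,`, `i+1`) also differs from the surrounding assertions in this file; `for (var i = 0; i < 10; i++) {` and `array.length = i + 1;` would match. Whether each iteration reaches the trim-with-free-space branch depends on how push grows the backing store, which the test does not verify, so it may be worth noting that assumption in a comment above the loop.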