[runtime] clear array elements when right trimming while leaving free space

Bug: chromium:734314
Change-Id: I4e1bd1264c2c4088ce9fdcdbe3b9e233faa516df
Reviewed-on: https://chromium-review.googlesource.com/544990
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46211}
Tobias Tebbi 2017-06-23 13:09:09 +02:00 committed by Commit Bot
parent cd2dda8d50
commit f030838700
2 changed files with 13 additions and 0 deletions


@ -777,6 +777,10 @@ class ElementsAccessorBase : public ElementsAccessor {
? (capacity - length) / 2 ? (capacity - length) / 2
: capacity - length; : capacity - length;
isolate->heap()->RightTrimFixedArray(*backing_store, elements_to_trim); isolate->heap()->RightTrimFixedArray(*backing_store, elements_to_trim);
// Fill the non-trimmed elements with holes.
BackingStore::cast(*backing_store)
->FillWithHoles(length,
std::min(old_length, capacity - elements_to_trim));
} else { } else {
// Otherwise, fill the unused tail with holes. // Otherwise, fill the unused tail with holes.
BackingStore::cast(*backing_store)->FillWithHoles(length, old_length); BackingStore::cast(*backing_store)->FillWithHoles(length, old_length);
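Review bot: The added comment `// Fill the non-trimmed elements with holes.` does not explain the upper bound `std::min(old_length, capacity - elements_to_trim)`, which is the substance of the fix. I would write it as `// Slots in [length, capacity - elements_to_trim) survive the trim; clear those that held elements so stale values are not readable once length grows again.` A `DCHECK_LE(length, capacity - elements_to_trim);` ahead of the fill would also pin the range as non-inverted; this assumes the operands are unsigned, since their declarations are outside the hunk. The enclosing function starts and ends outside the hunk, so the condition guarding this branch is not visible here.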


@ -43,6 +43,15 @@ assertEquals('undefined', typeof a[2]);
assertEquals('undefined', typeof a[3]); assertEquals('undefined', typeof a[3]);
for(var i = 0; i < 10; i++) {
var array = new Array(i).fill(42);
array.push(42);
array.length = i;
array.length = i+1;
assertEquals('undefined' , typeof array[i]);
}
var a = new Array(); var a = new Array();
a[0] = 0; a[0] = 0;
a[1000] = 1000; a[1000] = 1000;
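Review bot: The new loop exercises the regression only with small-integer elements (`fill(42)`) and checks only `typeof array[i]`. If the patched accessor is shared by other backing-store kinds, which the `ElementsAccessorBase` template in the first file suggests, the same loop with `fill(4.2)` and `fill({})` would cover the double and object stores too. Adding `assertFalse(i in array);` after the existing assertion would also confirm the slot is a real hole and not a stored `undefined`. A one-line comment above the loop such as `// Shrinking by one keeps slack in the backing store; the stale slot must not reappear.` would tie the test to the bug.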