[runtime] clear array elements when right trimming while leaving free space

Bug: chromium:734314 Change-Id: I4e1bd1264c2c4088ce9fdcdbe3b9e233faa516df Reviewed-on: https://chromium-review.googlesource.com/544990 Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Cr-Commit-Position: refs/heads/master@{#46211}
2017-06-23 13:09:09 +02:00 · 2017-06-23 13:09:09 +02:00 · f030838700
commit f030838700
parent cd2dda8d50
2 changed files with 13 additions and 0 deletions
--- a/src/elements.cc
+++ b/src/elements.cc
@ -777,6 +777,10 @@ class ElementsAccessorBase : public ElementsAccessor {
                                   ? (capacity - length) / 2
                                   : capacity - length;
        isolate->heap()->RightTrimFixedArray(*backing_store, elements_to_trim);
+        // Fill the non-trimmed elements with holes.
+        BackingStore::cast(*backing_store)
+            ->FillWithHoles(length,
+                            std::min(old_length, capacity - elements_to_trim));
      } else {
        // Otherwise, fill the unused tail with holes.
        BackingStore::cast(*backing_store)->FillWithHoles(length, old_length);
--- a/test/mjsunit/array-length.js
+++ b/test/mjsunit/array-length.js
@ -43,6 +43,15 @@ assertEquals('undefined', typeof a[2]);
 assertEquals('undefined', typeof a[3]);


+for(var i = 0; i < 10; i++) {
+      var array = new Array(i).fill(42);
+      array.push(42);
+      array.length = i;
+      array.length = i+1;
+      assertEquals('undefined' , typeof array[i]);
+}
+
+
 var a = new Array();
 a[0] = 0;
 a[1000] = 1000;