4bf28a33ee
This CL fixes two bugs. First, when looking for a free spot while moving elements to the front, the prototype chain was also considered, even though an object at a specific index might have a hole (free spot). Second, when moving an element to the front, we are not allowed to delete it immediately (to preserve semantics when interacting with non-extensible objects). Such an element is then a free spot, but won't be recognised as such. This CL sets that element to undefined after it was moved, to mark it as a free spot. R=jgruber@chromium.org Bug: chromium:897512,v8:8369 Change-Id: I79207215b8b0a3c714f064450d8fe5ca0ea4a096 Reviewed-on: https://chromium-review.googlesource.com/c/1417171 Commit-Queue: Simon Zünd <szuend@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#58878}
24 lines
606 B
JavaScript
24 lines
606 B
JavaScript
// Copyright 2018 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Fill up the Array prototype's elements.
|
|
for (let i = 0; i < 100; i++) Array.prototype.unshift(3.14);
|
|
|
|
// Create a holey double elements array.
|
|
const o31 = [1.1];
|
|
o31[37] = 2.2;
|
|
|
|
// Concat converts to dictionary elements.
|
|
const o51 = o31.concat(false);
|
|
|
|
// Set one element to undefined to trigger the movement bug.
|
|
o51[0] = undefined;
|
|
|
|
assertEquals(o51.length, 39);
|
|
|
|
// Sort triggers the bug.
|
|
o51.sort();
|
|
|
|
assertEquals(o51.length, 39);
|