This correctly fixes the issues addressed in 1405:
9beb9ea093b5.
The initial fix wrongly assumed that the "value" pointer is still valid when
njs_is_fast_array(&state->value) is true and the pointer can be used for
the fast path. This is not the case when the array object is resized.
Moreover, the fast path branch may be completely eliminated because
JSON.parse() with the replacer function is relatively slow by itself.
This closes #323, #324, #325 issues on GitHub.
return ret;
}
- /*
- * The njs_function_apply() function can convert fast array to object.
- * After this conversion, there will be garbage in the value.
- */
-
- if (njs_fast_path(njs_is_fast_array(&state->value)
- && (state->index - 1) < njs_array(&state->value)->length))
- {
- if (njs_is_undefined(&parse->retval)) {
- njs_set_invalid(value);
-
- } else {
- *value = parse->retval;
- }
-
- break;
- }
-
if (njs_is_undefined(&parse->retval)) {
ret = njs_value_property_i64_delete(vm, &state->value,
state->index - 1, NULL);
" function(k, v) {return v.a.a;}); o"),
njs_str("TypeError: cannot get property \"a\" of undefined") },
+ { njs_str("function func() {this[8] = 1; return new Int8Array(func)}"
+ "JSON.parse('[1]', func);"),
+ njs_str("") },
+
/* JSON.stringify() */
{ njs_str("JSON.stringify()"),
projects / njs.git / commitdiff