Fixed Array.prototype.slice() with slow "this" argument.
authorDmitry Volyntsev <xeioex@nginx.com>
Sat, 23 Apr 2022 00:02:36 +0000 (17:02 -0700)
committerDmitry Volyntsev <xeioex@nginx.com>
Sat, 23 Apr 2022 00:02:36 +0000 (17:02 -0700)
Previously, when the "this" argument was not a fast array but the "deleted"
array was a fast array, the "deleted" array could be left in an uninitialized
state if the "this" argument had gaps.

This fix is to ensure that "deleted" is properly initialized.

This fixes #485 issue on Github.

src/njs_array.c
src/test/njs_unit_test.c

index 0b8c7b919787cb10226b2af91f8aed02c3406920..2ceb6be7e6b3725dad533a34a56ac60e7a8c2523 100644 (file)
@@ -1284,6 +1284,11 @@ njs_array_prototype_splice(njs_vm_t *vm, njs_value_t *args, njs_uint_t nargs,
                 if (njs_slow_path(ret == NJS_ERROR)) {
                     return ret;
                 }
+
+            } else {
+                if (deleted->object.fast_array) {
+                    njs_set_invalid(&deleted->start[i]);
+                }
             }
         }
 
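Review bot: The new `else` branch writes `njs_set_invalid(&deleted->start[i])` without a comment, so the reason for the write is not recorded next to the code: a hole in a slow "this" would otherwise leave that element of the fast `deleted` array as uninitialized memory that is later read as a value. I would add `/* Hole in "this": mark the slot invalid so no uninitialized value is exposed. */` above the inner `if`. The fix also depends on every path through the loop body storing to `deleted->start[i]`, which is easy to break in a later edit. If the allocation of `deleted` (outside this hunk) does not already do so, filling all slots with invalid values once, right after allocation, would presumably be more robust than per-branch initialization. The enclosing function starts and ends outside the hunk, so the loop bounds and the size of `deleted->start` could not be checked here.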
index 25e066c3205408922b140d86ba5f863dea36f852..b28e34fef98bb76c8f08c55da6905fb7281ec480 100644 (file)
@@ -4869,6 +4869,15 @@ static njs_unit_test_t  njs_test[] =
               "Array.prototype.splice.call(obj, 2**53-2, 0, 'C');"),
       njs_str("TypeError: Invalid length") },
 
+    { njs_str("var a = {1: 'B', length: 2};"
+              "Array.prototype.splice.call(a, 0)"),
+      njs_str(",B") },
+
+    { njs_str("var a = new Uint8Array();"
+              "a.__proto__ = [1,2,3];"
+              "a.splice(0)"),
+      njs_str(",,") },
+
     { njs_str("var a = []; a.reverse()"),
       njs_str("") },