From: Dmitry Volyntsev
Date: Sat, 23 Apr 2022 00:02:36 +0000 (-0700)
Subject: Fixed Array.prototype.slice() with slow "this" argument.
X-Git-Tag: 0.7.4~24
X-Git-Url: http://www.kaiwu.me/postgresql/commit/static/gitweb.js?a=commitdiff_plain;h=2e00e95473861846aa8538be87db07699d9f676d;p=njs.git
Fixed Array.prototype.slice() with slow "this" argument.
Previously, when "this" argument was not a fast array, but the "deleted" array was a fast array, the "deleted" array may be left in uninitialized state if "this" argument had gaps. This fix is to ensure that "deleted" is properly initialized. This fixes #485 issue on Github.
---
diff --git a/src/njs_array.c b/src/njs_array.c
index 0b8c7b91..2ceb6be7 100644
--- a/src/njs_array.c
+++ b/src/njs_array.c
@@ -1284,6 +1284,11 @@ njs_array_prototype_splice(njs_vm_t *vm, njs_value_t *args, njs_uint_t nargs,
 if (njs_slow_path(ret == NJS_ERROR)) {
 return ret;
 }
+
+ } else {
+ if (deleted->object.fast_array) {
+ njs_set_invalid(&deleted->start[i]);
+ }
 }
 }
diff --git a/src/test/njs_unit_test.c b/src/test/njs_unit_test.c
index 25e066c3..b28e34fe 100644
--- a/src/test/njs_unit_test.c
+++ b/src/test/njs_unit_test.c
@@ -4869,6 +4869,15 @@ static njs_unit_test_t njs_test[] =
 "Array.prototype.splice.call(obj, 2**53-2, 0, 'C');"),
 njs_str("TypeError: Invalid length") },
+ { njs_str("var a = {1: 'B', length: 2};"
+ "Array.prototype.splice.call(a, 0)"),
+ njs_str(",B") },
+
+ { njs_str("var a = new Uint8Array();"
+ "a.__proto__ = [1,2,3];"
+ "a.splice(0)"),
+ njs_str(",,") },
+
 { njs_str("var a = []; a.reverse()"),
 njs_str("") },
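Review bot: The new `else` branch in njs_array_prototype_splice() writes `deleted->start[i]` without a comment explaining why, although the reason is memory safety: per the commit message the slot would otherwise stay uninitialized and later be read as a value. I would add above the inner `if` something like `/* No element at this index in "this": mark the slot invalid so the fast "deleted" array never exposes uninitialized memory. */`. The `if` that this `else` pairs with and the allocation of `deleted` are both outside the hunk, so it cannot be confirmed from here that every other path fills each slot. If the allocation does not already do so, marking all slots invalid right after `deleted` is created would make the guarantee hold by construction rather than per branch.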
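Review bot: Both added cases in njs_test[] compare only the stringified result, and joining renders a hole and an `undefined` element identically as an empty field, so `",B"` and `",,"` do not pin down that the slot is a proper hole. A case that inspects the result directly would be a stronger regression check, for example `"var r = Array.prototype.splice.call({1: 'B', length: 2}, 0); [r.length, 0 in r, r[1]]"` with an expected value of `"2,false,B"`, assuming holes are the intended result here. A short comment naming issue #485 above the two entries would also help a later reader see why they exist.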