Fix sparse versions of Array slice/splice to use [[DefineOwnProperty]] to generate...

BUG=chromium:423633
LOG=n
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/673893002

git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@24856 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

diff --git a/src/array.js b/src/array.js
index 9fbc67c..a4e681c 100644 (file)
--- a/src/array.js
+++ b/src/array.js
@@ -212,7 +212,7 @@ function SparseSlice(array, start_i, del_count, len, deleted_elements) {
     for (var i = start_i; i < limit; ++i) {
       var current = array[i];
       if (!IS_UNDEFINED(current) || i in array) {
-        deleted_elements[i - start_i] = current;
+        %AddElement(deleted_elements, i - start_i, current, NONE);
       }
     }
   } else {
@@ -223,7 +223,7 @@ function SparseSlice(array, start_i, del_count, len, deleted_elements) {
         if (key >= start_i) {
           var current = array[key];
           if (!IS_UNDEFINED(current) || key in array) {
-            deleted_elements[key - start_i] = current;
+            %AddElement(deleted_elements, key - start_i, current, NONE);
           }
         }
       }

diff --git a/test/mjsunit/regress/regress-423633.js b/test/mjsunit/regress/regress-423633.js
index cad2064..12d2483 100644 (file)
--- a/test/mjsunit/regress/regress-423633.js
+++ b/test/mjsunit/regress/regress-423633.js
@@ -8,3 +8,11 @@ Object.defineProperty(Array.prototype, '0', {
 var a = [1, 2, 3];
 assertEquals(a, a.slice());
 assertEquals([3], a.splice(2, 1));
+
+a = [1, 2, 3];
+a[0xffff] = 4;
+// nulling the prototype lets us stay in the sparse case; otherwise the
+// getter on Array.prototype would force us into the non-sparse code.
+a.__proto__ = null;
+assertEquals(a, Array.prototype.slice.call(a));
+assertEquals([3], Array.prototype.splice.call(a, 2, 1));