Checks for empty array case added before casting elements to FixedDoubleArray.

BUG=chromium:369450
LOG=N
R=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/264973008

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@21118 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

diff --git a/src/json-stringifier.h b/src/json-stringifier.h
index c93196e..7eb6746 100644 (file)
--- a/src/json-stringifier.h
+++ b/src/json-stringifier.h
@@ -560,6 +560,8 @@ BasicJsonStringifier::Result BasicJsonStringifier::SerializeJSArray(
       break;
     }
     case FAST_DOUBLE_ELEMENTS: {
+      // Empty array is FixedArray but not FixedDoubleArray.
+      if (length == 0) break;
       Handle<FixedDoubleArray> elements(
           FixedDoubleArray::cast(object->elements()), isolate_);
       for (uint32_t i = 0; i < length; i++) {

diff --git a/src/runtime.cc b/src/runtime.cc
index c60b804..e17346a 100644 (file)
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -10355,6 +10355,8 @@ static bool IterateElements(Isolate* isolate,
     }
     case FAST_HOLEY_DOUBLE_ELEMENTS:
     case FAST_DOUBLE_ELEMENTS: {
+      // Empty array is FixedArray but not FixedDoubleArray.
+      if (length == 0) break;
       // Run through the elements FixedArray and use HasElement and GetElement
       // to check the prototype for missing elements.
       Handle<FixedDoubleArray> elements(
@@ -10559,8 +10561,8 @@ RUNTIME_FUNCTION(Runtime_ArrayConcat) {
           switch (array->map()->elements_kind()) {
             case FAST_HOLEY_DOUBLE_ELEMENTS:
             case FAST_DOUBLE_ELEMENTS: {
-              // Empty fixed array indicates that there are no elements.
-              if (array->elements()->IsFixedArray()) break;
+              // Empty array is FixedArray but not FixedDoubleArray.
+              if (length == 0) break;
               FixedDoubleArray* elements =
                   FixedDoubleArray::cast(array->elements());
               for (uint32_t i = 0; i < length; i++) {

diff --git a/test/mjsunit/regress/regress-369450.js b/test/mjsunit/regress/regress-369450.js
new file mode 100644 (file)
index 0000000..e452361
--- /dev/null
+++ b/test/mjsunit/regress/regress-369450.js
@@ -0,0 +1,15 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --enable-slow-asserts
+
+var v = [1.3];
+v.length = 0;
+
+var json = JSON.stringify(v);
+assertEquals("[]", json);
+
+Array.prototype[0] = 5.5;
+var arr = [].concat(v, [{}], [2.3]);
+assertEquals([{}, 2.3], arr);