From 6912a248caa5ce41afcb2fdef0c95451d17eaa45 Mon Sep 17 00:00:00 2001
From: "yangguo@chromium.org"
 <yangguo@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Date: Thu, 27 Feb 2014 14:45:53 +0000
Subject: [PATCH] Fix bogus assertion in SetFastDoubleElements.

R=danno@chromium.org
BUG=347530
LOG=N

Review URL: https://codereview.chromium.org/181433016

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@19579 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/objects.cc                         |  3 ++-
 test/mjsunit/regress/regress-347530.js | 12 ++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100644 test/mjsunit/regress/regress-347530.js

diff --git a/src/objects.cc b/src/objects.cc
index ada646d..59a5967 100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -12471,7 +12471,8 @@ Handle<Object> JSObject::SetFastDoubleElement(
   // Otherwise default to slow case.
   ASSERT(object->HasFastDoubleElements());
   ASSERT(object->map()->has_fast_double_elements());
-  ASSERT(object->elements()->IsFixedDoubleArray());
+  ASSERT(object->elements()->IsFixedDoubleArray() ||
+         object->elements()->length() == 0);
 
   NormalizeElements(object);
   ASSERT(object->HasDictionaryElements());
diff --git a/test/mjsunit/regress/regress-347530.js b/test/mjsunit/regress/regress-347530.js
new file mode 100644
index 0000000..330fda3
--- /dev/null
+++ b/test/mjsunit/regress/regress-347530.js
@@ -0,0 +1,12 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --expose-gc
+a = [];
+a[1000] = .1;
+a.length = 0;
+gc();
+gc();
+a[1000] = .1;
+assertEquals(.1, a[1000]);
-- 
2.7.4