From d02e1f2c2596b2aea51460e5707de6972f505259 Mon Sep 17 00:00:00 2001
From: "jarin@chromium.org"
Date: Mon, 31 Mar 2014 15:01:46 +0000
Subject: [PATCH] Fix left trimming check for large objects

BUG=358090
TEST=test/mjsunit/regress/regress-358090.js
LOG=N
R=hpayer@chromium.org
Review URL: https://codereview.chromium.org/213833008
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20362 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/builtins.cc | 2 +-
 test/mjsunit/regress/regress-358090.js | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
 create mode 100644 test/mjsunit/regress/regress-358090.js

diff --git a/src/builtins.cc b/src/builtins.cc
index bbd5ace..200f7fe 100644
--- a/src/builtins.cc
+++ b/src/builtins.cc
@@ -558,7 +558,7 @@ BUILTIN(ArrayShift) {
 first = isolate->factory()->undefined_value();
 }
- if (!heap->CanMoveObjectStart(*elms_obj)) {
+ if (heap->CanMoveObjectStart(*elms_obj)) {
 array->set_elements(LeftTrimFixedArray(heap, *elms_obj, 1));
 } else {
 // Shift the elements.
diff --git a/test/mjsunit/regress/regress-358090.js b/test/mjsunit/regress/regress-358090.js
new file mode 100644
index 0000000..d9c07e8
--- /dev/null
+++ b/test/mjsunit/regress/regress-358090.js
@@ -0,0 +1,8 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var x = Array(100000);
+y = Array.apply(Array, x);
+y.unshift(4);
+y.shift();
--
2.7.4
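Review bot: The corrected guard in `BUILTIN(ArrayShift)` (src/builtins.cc) has no comment saying why left-trimming is conditional, so the next reader cannot tell which polarity is the safe one; I would add above it `// Left-trim only if the backing store's start may be moved (not so for large objects); otherwise shift the elements in place.` Because the failure mode is trimming an object whose start must not move, which presumably leaves the heap in an inconsistent state, the invariant is better enforced in the callee as well: a debug-build assertion of `heap->CanMoveObjectStart(...)` on the array passed to `LeftTrimFixedArray`, if it does not already have one, would make any caller with a wrong or missing check fail fast. `LeftTrimFixedArray` and its other callers are not visible in this hunk, so they should be checked for the same inverted condition. The builtin's body starts before and continues past the hunk.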
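Review bot: The new regression test test/mjsunit/regress/regress-358090.js asserts nothing, so it fails only if the engine crashes or trips an internal check, and a build that silently returns wrong data would still pass. Replacing the bare `y.shift();` with `assertEquals(4, y.shift());` followed by `assertEquals(100000, y.length);` pins the observable result of the shift on the large array as well. As a style point, `y` is assigned without a declaration and becomes an implicit global; `var y = Array.apply(Array, x);` matches the `var x` line above it.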