[Webkit-unassigned] [Bug 138118] New: Holes are not copied properly when Arrays change hare to ArrayStorage type

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Oct 27 19:20:55 PDT 2014 

https://bugs.webkit.org/show_bug.cgi?id=138118

            Bug ID: 138118
           Summary: Holes are not copied properly when Arrays change hare
                    to ArrayStorage type
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mark.lam at apple.com

When we convert a dense holey array into the ArrayStorage shape, the new holes in the new array gets garbage.

The following test is run with Heap::tryAllocateStorage() modified to scribble all over newly allocated buffers with the value 0xbaddda4a.  The test basically sets up a hole DoubleShape array, and then runs Array.unshift() on it to force it to change to the ArrayStorage shape.  Thereafter, the test dumps the values of the array again to look for the holes.

The test code:
=============
function doubleArray() {
    var arr = [];
    arr[0] = 0.1;
    arr[1] = 1.1;
    arr[2] = 2.1;
    arr[3] = 3.1;
    // arr[4] = hole;
    // arr[5] = hole;
    arr[6] = 6.1;
    arr[7] = 7.1;
    arr[8] = 8.1;
    return arr;
}

function test(name, arr, newElement) {
    print(name + " BEFORE unshift:");
    for (var i = 0; i < arr.length; i++)
        print("   arr[" + i + "] = " + arr[i]);

    arr.unshift(newElement);
    print(name + " AFTER unshift:");
    for (var i = 0; i < arr.length; i++)
        print("   arr[" + i + "] = " + arr[i]);
}
test("double array", doubleArray(), 100.5);

The output:
==========
double array BEFORE unshift:
   arr[0] = 0.1
   arr[1] = 1.1
   arr[2] = 2.1
   arr[3] = 3.1
   arr[4] = undefined
   arr[5] = undefined
   arr[6] = 6.1
   arr[7] = 7.1
   arr[8] = 8.1
   arr[9] = undefined
double array AFTER unshift:
   arr[0] = 100.5
   arr[1] = 0.1
   arr[2] = 1.1
   arr[3] = 2.1
   arr[4] = 3.1
   arr[5] = -3.7291244322514128e-25
   arr[6] = -3.7291244322514128e-25
   arr[7] = 6.1
   arr[8] = 7.1
   arr[9] = 8.1

Note that the resultant arr[5] and arr[6] which should be undefined (because of the holes) now contain junk.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20141028/eaeb4d7c/attachment-0002.html>

More information about the webkit-unassigned mailing list