diff --git a/lib/Runtime/Library/JavascriptArray.cpp b/lib/Runtime/Library/JavascriptArray.cpp index 83c6185bca8..b6e4d610ec0 100644 --- a/lib/Runtime/Library/JavascriptArray.cpp +++ b/lib/Runtime/Library/JavascriptArray.cpp @@ -2078,6 +2078,7 @@ namespace Js limit = JavascriptArray::MaxArrayLength; } seg->size = min(newSize, limit - seg->left); + seg->CheckLengthvsSize(); } } uint32 i; @@ -7653,6 +7654,8 @@ namespace Js Assert(pArr->length <= MaxArrayLength - unshiftElements); + SparseArraySegmentBase* renumberSeg = pArr->head->next; + bool isIntArray = false; bool isFloatArray = false; @@ -7683,21 +7686,6 @@ namespace Js } } - if (isIntArray) - { - UnshiftHelper(pArr, unshiftElements, args.Values); - } - else if (isFloatArray) - { - UnshiftHelper(pArr, unshiftElements, args.Values); - } - else - { - UnshiftHelper(pArr, unshiftElements, args.Values); - } - - SparseArraySegmentBase* renumberSeg = pArr->head->next; - while (renumberSeg) { renumberSeg->left += unshiftElements; @@ -7709,6 +7697,26 @@ namespace Js renumberSeg = renumberSeg->next; } + try + { + if (isIntArray) + { + UnshiftHelper(pArr, unshiftElements, args.Values); + } + else if (isFloatArray) + { + UnshiftHelper(pArr, unshiftElements, args.Values); + } + else + { + UnshiftHelper(pArr, unshiftElements, args.Values); + } + } + catch (...) + { + Js::Throw::FatalInternalError(); + } + pArr->InvalidateLastUsedSegment(); pArr->length += unshiftElements; diff --git a/test/Array/bug_12044876.js b/test/Array/bug_12044876.js new file mode 100644 index 00000000000..cce7a59e4ae --- /dev/null +++ b/test/Array/bug_12044876.js 
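Review bot: The added `seg->CheckLengthvsSize()` carries no comment saying which invariant it guards, and it runs only after `seg->size` has already been overwritten with the clamped value. Because `size` becomes `min(newSize, limit - seg->left)`, a segment whose `left` sits close to `limit` can end up with `size` below `length`; the new test's remark "SparseArraySegment.cpp, length <= size" suggests this is the condition the call presumably turns into a hard failure. I would add `// size was clamped to limit - left; fail fast if it no longer covers length` directly above the call. The enclosing function starts and ends outside the hunk, so whether `length` could instead be bounded before the assignment cannot be judged from here.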
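Review bot: `renumberSeg` is now read from `pArr->head->next` right after the length `Assert`, but it is not used until the `while (renumberSeg)` loop roughly thirty lines further down, and most of the code in between is not part of any hunk. If anything in that stretch can replace the head segment or relink `head->next`, the loop would renumber a stale chain. Since the loop now runs before `UnshiftHelper` in any case, I would keep `SparseArraySegmentBase* renumberSeg = pArr->head->next;` directly above `while (renumberSeg)`. If the early capture is intentional, it needs a comment saying what it protects against.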
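Review bot: The new `catch (...)` around the `UnshiftHelper` calls turns every exception into `Js::Throw::FatalInternalError()` without saying why, and that reason is the core of this reordering. When the `try` is entered, the trailing segments already have `left += unshiftElements` applied, while the head segment and `pArr->length` are still in their old state. Unwinding into script from there could leave an array whose segment offsets no longer agree with its contents. I would put `// Segments after head are already renumbered; if this throws the array is inconsistent, so fail fast rather than unwind` above the `try`. If `UnshiftHelper` can fail on allocation, the commit message should also state that such a failure now terminates the process, as a deliberate trade of availability for memory safety.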
@@ -0,0 +1,38 @@ +//------------------------------------------------------------------------------------------------------- +// Copyright (C) Microsoft. All rights reserved. +// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information. +//------------------------------------------------------------------------------------------------------- +//switches: -forcearraybtree + +// x86debug: lib\runtime\Library/JavascriptArray.inl, current->left >= lastindex +function test0() { + var arr = [4294967296]; + arr[9] = 19; + arr.unshift(1, 2, {}, 4, 5, 6, 7, 8, 9, 10, 11, 12); +} + +// x64debug: lib\Runtime\Library\SparseArraySegment.cpp, length <= size +function test1() { + function makeArrayLength() { + return 100; + } + var obj0 = {}; + var protoObj0 = {}; + var obj1 = {}; + var arrObj0 = {}; + var func0 = function () { + }; + var func1 = function () { + }; + obj0.method1 = func0; + var ary = Array(); + var IntArr1 = new Array(); + IntArr1[15] = ~obj1.prop0; + arrObj0.length = makeArrayLength(); + IntArr1[10] = arrObj0.length; + makeArrayLength(IntArr1.unshift(func1(), ary, obj0.method1(), protoObj0, Object(), arrObj0, -1877547837)); +} + +test0(); +test1(); +console.log("Pass"); diff --git a/test/Array/rlexe.xml b/test/Array/rlexe.xml index 1326bf40cf2..0449ebae3ce 100644 --- a/test/Array/rlexe.xml +++ b/test/Array/rlexe.xml @@ -732,6 +732,13 @@ bug_9575461.js + + + bug_12044876.js + -forcearraybtree + BugFix + + array_conv_src.js
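Review bot: Both tests only call `unshift` and then print "Pass", so they catch the bug only on builds where the asserts named in the comments are compiled in; elsewhere a mis-renumbered array would still pass. A check on the resulting layout closes that gap, for example at the end of `test0`: `if (arr.length !== 22 || arr[12] !== 4294967296 || arr[21] !== 19) throw new Error("unshift: wrong layout");`. `test1` reads like a reduced generated case (for instance, `makeArrayLength` is called with an argument it ignores). A one-line comment naming the statements that are needed to reach the sparse-segment path would help whoever has to maintain it.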