Fixed Array.prototype.slice() with slow "this" argument.

Previously, when "this" argument was not a fast array, but the "deleted" array was a fast array, the "deleted" array may be left in uninitialized state if "this" argument had gaps. This fix is to ensure that "deleted" is properly initialized. This fixes #485 issue on Github.
nginx · Apr 23, 2022 · 2e00e95 · 2e00e95
1 parent 8b39afd
commit 2e00e95
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 0 deletions.
diff --git a/src/njs_array.c b/src/njs_array.c
@@ -1284,6 +1284,11 @@ njs_array_prototype_splice(njs_vm_t *vm, njs_value_t *args, njs_uint_t nargs,
                 if (njs_slow_path(ret == NJS_ERROR)) {
                     return ret;
                 }
+
+            } else {
+                if (deleted->object.fast_array) {
+                    njs_set_invalid(&deleted->start[i]);
+                }
             }
         }
 

diff --git a/src/test/njs_unit_test.c b/src/test/njs_unit_test.c
@@ -4869,6 +4869,15 @@ static njs_unit_test_t  njs_test[] =
               "Array.prototype.splice.call(obj, 2**53-2, 0, 'C');"),
       njs_str("TypeError: Invalid length") },
 
+    { njs_str("var a = {1: 'B', length: 2};"
+              "Array.prototype.splice.call(a, 0)"),
+      njs_str(",B") },
+
+    { njs_str("var a = new Uint8Array();"
+              "a.__proto__ = [1,2,3];"
+              "a.splice(0)"),
+      njs_str(",,") },
+
     { njs_str("var a = []; a.reverse()"),
       njs_str("") },