From 23bde0cf8565bb36b9df638de874ad04607e84d3 Mon Sep 17 00:00:00 2001
From: Filip Pizlo
Date: Thu, 4 Apr 2013 12:19:52 +0200
Subject: If array allocation profiling causes a new_array to allocate double arrays, then the holes should end up being correctly initialized
https://bugs.webkit.org/show_bug.cgi?id=106363

Reviewed by Mark Hahnenberg.

Source/JavaScriptCore:

* runtime/JSArray.h:
(JSC::JSArray::tryCreateUninitialized):

LayoutTests:

* fast/js/jsc-test-list:
* fast/js/new-array-double-with-holes-expected.txt: Added.
* fast/js/new-array-double-with-holes.html: Added.
* fast/js/script-tests/new-array-double-with-holes.js: Added.
(foo):

Change-Id: Iad48b7dd0e71bcbe8557fd6f19487fcd9eeed585
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@139094 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte
---
 Source/JavaScriptCore/runtime/JSArray.h | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'Source/JavaScriptCore/runtime/JSArray.h')

diff --git a/Source/JavaScriptCore/runtime/JSArray.h b/Source/JavaScriptCore/runtime/JSArray.h
index ea1ed9047..cef3b53ad 100644
--- a/Source/JavaScriptCore/runtime/JSArray.h
+++ b/Source/JavaScriptCore/runtime/JSArray.h
@@ -245,6 +245,10 @@ inline JSArray* JSArray::tryCreateUninitialized(JSGlobalData& globalData, Struct
         butterfly = Butterfly::fromBase(temp, 0, 0);
         butterfly->setVectorLength(vectorLength);
         butterfly->setPublicLength(initialLength);
+        if (hasDouble(structure->indexingType())) {
+            for (unsigned i = initialLength; i < vectorLength; ++i)
+                butterfly->contiguousDouble()[i] = QNaN;
+        }
     } else {
         void* temp;
         if (!globalData.heap.tryAllocateStorage(Butterfly::totalSize(0, 0, true, ArrayStorage::sizeFor(vectorLength)), &temp))
-- 
cgit v1.2.1
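Review bot: The new `hasDouble` branch fills the unused vector tail with `QNaN`, but nothing in the hunk records why only the double indexing type needs this, so the next editor can easily read it as redundant and drop it. Presumably the storage handed back by `tryAllocateStorage` is zero-filled, and zero bits already read as an empty slot for the non-double indexing types but as the ordinary value 0.0 for a double array, so without this loop the tail would hold phantom zeros instead of holes — confirm against the allocator. I would put above the `if`: `// Zero-filled storage is a valid double (0.0), not a hole; mark the unused tail [initialLength, vectorLength) as holes with QNaN.` It is also worth stating at the function head that the public range [0, initialLength) is intentionally left uninitialized and every slot must be written by the caller before the array becomes reachable, since a missed slot would surface uninitialized memory as an array element. tryCreateUninitialized begins before and continues after this hunk.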