We should zero unused property storage when rebalancing array storage.
author    keith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Wed, 26 Sep 2018 18:57:32 +0000 (18:57 +0000)
committer keith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Wed, 26 Sep 2018 18:57:32 +0000 (18:57 +0000)
commit    0b60d0885a524fbea02dca3320c9ea44b918de13
tree      d13b6c7eb14dea6980f59369859041894a186187
parent    a2a68490dc84354f713f36c68fa5d8130d7516c8
We should zero unused property storage when rebalancing array storage.
https://bugs.webkit.org/show_bug.cgi?id=188151

Reviewed by Michael Saboff.

JSTests:

* stress/splice-should-zero-property-storage-when-rebalancing.js: Added.

Source/JavaScriptCore:

In unshiftCountSlowCase we sometimes will move property storage to the right even when net adding elements.
This can happen because we "balance" the pre/post-capacity in that code, so we need to zero the unused
property storage.

* runtime/JSArray.cpp:
(JSC::JSArray::unshiftCountSlowCase):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@236514 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/splice-should-zero-property-storage-when-rebalancing.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/JSArray.cpp
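The situation the commit message describes, as an added illustration that is not JavaScriptCore's code: a deliberately simplified model of an array butterfly (one allocation holding pre-capacity, out-of-line property slots, indexed elements and post-capacity, in that order, with the lengths kept in a struct rather than an indexing header) and a slow-path unshift that grows the vector and rebalances the slack between pre- and post-capacity in place. The layout, the growth policy (half the new vector length as slack, split evenly) and every name below are assumptions made for the model. With the constructed input, adding two elements moves the property storage one slot to the right, and the slot it vacates keeps its old contents unless it is explicitly zeroed.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Assumed, simplified model of an array "butterfly" (not JavaScriptCore's Butterfly).
// One allocation of 64-bit slots, laid out left to right as
//   [preCapacity free][propertyCapacity properties][vectorLength elements][post-capacity free]
// The lengths are kept in the struct rather than in an indexing header.
struct ToyButterfly {
    std::vector<uint64_t> slots;
    size_t preCapacity = 0;
    size_t propertyCapacity = 0;
    size_t publicLength = 0;   // elements in use
    size_t vectorLength = 0;   // element slots available

    size_t propertyOffset() const { return preCapacity; }
    size_t elementOffset() const { return preCapacity + propertyCapacity; }
};

ToyButterfly makeButterfly(size_t preCapacity, const std::vector<uint64_t>& properties,
                           const std::vector<uint64_t>& elements, size_t postCapacity)
{
    ToyButterfly bf;
    bf.preCapacity = preCapacity;
    bf.propertyCapacity = properties.size();
    bf.publicLength = bf.vectorLength = elements.size();
    bf.slots.assign(preCapacity + properties.size() + elements.size() + postCapacity, 0);
    std::copy(properties.begin(), properties.end(), bf.slots.begin() + bf.propertyOffset());
    std::copy(elements.begin(), elements.end(), bf.slots.begin() + bf.elementOffset());
    return bf;
}

// Slow-path unshift in the model: grow the vector by newFront.size() and split the slack
// evenly between pre- and post-capacity, reusing the same allocation. The rebalancing can
// move the property storage to the right even though elements are being added; the slots
// it vacates then lie in pre-capacity. zeroUnused selects whether they are cleared.
void unshiftCountSlowCase(ToyButterfly& bf, const std::vector<uint64_t>& newFront, bool zeroUnused)
{
    const size_t count = newFront.size();
    const size_t oldPre = bf.preCapacity;
    const size_t oldElemOffset = bf.elementOffset();
    const size_t newVectorLength = bf.publicLength + count;
    const size_t slack = newVectorLength / 2;      // assumed growth policy, chosen for the model
    const size_t newPre = slack / 2;
    const size_t newPost = slack - newPre;
    const size_t newTotal = newPre + bf.propertyCapacity + newVectorLength + newPost;
    if (newTotal > bf.slots.size())
        bf.slots.resize(newTotal, 0);               // grow in place; new slots start zeroed

    uint64_t* base = bf.slots.data();
    const size_t newElemOffset = newPre + bf.propertyCapacity + count; // old elements land after the new front
    // Move the region that ends up furthest in the direction of travel first, so the two
    // memmoves never overwrite data that still has to be copied.
    if (newPre >= oldPre) {
        std::memmove(base + newElemOffset, base + oldElemOffset, bf.publicLength * sizeof(uint64_t));
        std::memmove(base + newPre, base + oldPre, bf.propertyCapacity * sizeof(uint64_t));
    } else {
        std::memmove(base + newPre, base + oldPre, bf.propertyCapacity * sizeof(uint64_t));
        std::memmove(base + newElemOffset, base + oldElemOffset, bf.publicLength * sizeof(uint64_t));
    }
    bf.preCapacity = newPre;
    bf.publicLength = bf.vectorLength = newVectorLength;
    std::copy(newFront.begin(), newFront.end(), base + bf.elementOffset());

    if (zeroUnused) {
        // Everything outside the live [properties][elements] window is free capacity and
        // must not keep stale words; clearing the vacated pre-capacity is the point of the fix.
        std::fill(base, base + bf.propertyOffset(), 0);
        std::fill(base + bf.elementOffset() + bf.vectorLength, base + bf.slots.size(), 0);
    }
}

// Count non-zero words sitting in free capacity (stale data left behind by a move).
size_t staleWordsInFreeCapacity(const ToyButterfly& bf)
{
    size_t stale = 0;
    for (size_t i = 0; i < bf.propertyOffset(); ++i)
        stale += (bf.slots[i] != 0);
    for (size_t i = bf.elementOffset() + bf.vectorLength; i < bf.slots.size(); ++i)
        stale += (bf.slots[i] != 0);
    return stale;
}

std::vector<uint64_t> liveProperties(const ToyButterfly& bf)
{
    return std::vector<uint64_t>(bf.slots.begin() + bf.propertyOffset(), bf.slots.begin() + bf.elementOffset());
}

std::vector<uint64_t> liveElements(const ToyButterfly& bf)
{
    return std::vector<uint64_t>(bf.slots.begin() + bf.elementOffset(),
                                 bf.slots.begin() + bf.elementOffset() + bf.publicLength);
}

// Constructed scenario: no pre/post capacity, two properties, four elements, then unshift two.
// slack = 6/2 = 3, so newPre = 1 and the property storage moves right by one slot.
ToyButterfly rebalancedSample(bool zeroUnused)
{
    ToyButterfly bf = makeButterfly(0, { 0xA1, 0xA2 }, { 10, 20, 30, 40 }, 0);
    unshiftCountSlowCase(bf, { 1, 2 }, zeroUnused);
    return bf;
}

int main()
{
    std::printf("stale words without zeroing: %zu\n", staleWordsInFreeCapacity(rebalancedSample(false)));
    std::printf("stale words with zeroing:    %zu\n", staleWordsInFreeCapacity(rebalancedSample(true)));
    return 0;
}
```

The live properties and elements come out identical either way; the only difference is the word of old property storage left sitting in pre-capacity when zeroUnused is false, which is exactly the region the commit clears in the real unshiftCountSlowCase.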