[njs] Fixed Array.prototype.slice() with slow "this" argument.
Dmitry Volyntsev
xeioex at nginx.com
Sat Apr 23 00:04:44 UTC 2022
details: https://hg.nginx.org/njs/rev/3fec53d722ef
branches:
changeset: 1840:3fec53d722ef
user: Dmitry Volyntsev <xeioex at nginx.com>
date: Fri Apr 22 17:02:36 2022 -0700
description:
Fixed Array.prototype.slice() with slow "this" argument.
Previously, when "this" argument was not a fast array, but the "deleted" array
was a fast array, the "deleted" array may be left in uninitialized state if
"this" argument had gaps.
This fix is to ensure that "deleted" is properly initialized.
This fixes issue #485 on GitHub.
diffstat:
src/njs_array.c | 5 +++++
src/test/njs_unit_test.c | 9 +++++++++
2 files changed, 14 insertions(+), 0 deletions(-)
diffs (34 lines):
diff -r 9424f42b7266 -r 3fec53d722ef src/njs_array.c
--- a/src/njs_array.c Fri Apr 22 17:02:28 2022 -0700
+++ b/src/njs_array.c Fri Apr 22 17:02:36 2022 -0700
@@ -1284,6 +1284,11 @@ njs_array_prototype_splice(njs_vm_t *vm,
if (njs_slow_path(ret == NJS_ERROR)) {
return ret;
}
+
+ } else {
+ if (deleted->object.fast_array) {
+ njs_set_invalid(&deleted->start[i]);
+ }
}
}
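Review bot: The new `else` branch has no comment explaining why the slot is invalidated, and that reason is the memory-safety point of the change. Judging by the commit description, a fast `deleted` array starts with uninitialized slots, so a gap in `this` would otherwise leave `deleted->start[i]` holding stale memory that the script can read back from the returned array. I would add `/* No property at this index: mark the slot as a hole so "deleted" never exposes uninitialized memory. */` above the inner `if`, and flatten the nesting to `} else if (deleted->object.fast_array) {`. The enclosing loop and the allocation of `deleted` are outside the hunk, so I cannot tell from here whether any other exit from the loop leaves slots unwritten; initializing every slot where `deleted` is created would cover such paths as well.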
diff -r 9424f42b7266 -r 3fec53d722ef src/test/njs_unit_test.c
--- a/src/test/njs_unit_test.c Fri Apr 22 17:02:28 2022 -0700
+++ b/src/test/njs_unit_test.c Fri Apr 22 17:02:36 2022 -0700
@@ -4869,6 +4869,15 @@ static njs_unit_test_t njs_test[] =
"Array.prototype.splice.call(obj, 2**53-2, 0, 'C');"),
njs_str("TypeError: Invalid length") },
+ { njs_str("var a = {1: 'B', length: 2};"
+ "Array.prototype.splice.call(a, 0)"),
+ njs_str(",B") },
+
+ { njs_str("var a = new Uint8Array();"
+ "a.__proto__ = [1,2,3];"
+ "a.splice(0)"),
+ njs_str(",,") },
+
{ njs_str("var a = []; a.reverse()"),
njs_str("") },
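Review bot: The two new cases assert only the joined strings `,B` and `,,`, which read the same whether the slot is a hole or an `undefined` element, so they do not pin the state the fix is meant to guarantee. A further case that inspects the result directly would make the regression test stricter, for example `var r = Array.prototype.splice.call({1: 'B', length: 2}, 0); [r.length, 0 in r, r[1]]`. By the splice specification that should give `2,false,B`, but the exact expected string needs confirming against njs. Running these cases under a memory sanitizer build would also catch a read of an uninitialized slot that happens to print as empty.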