5964ebdfd5
Hi, Norris!
I have found few problems with NativeArraj.java.
1. jsSet_length requires that the new length value should be an instance of Number. But according to Ecma 15.4.5.1, item 12-13, an error should be thrown only if ToUint32(length_value) != ToNumber(length_value). Here is a simple test that demonstrates it:
Array(5).length = new Number(1)
It currenly throws an exception.
2. jsSet_length when executing the code marked with "// assume that the representation is sparse" effectively removes all properties with values less then the current length when String is used to represent its value. Note that simply changing lines "if (d == d && d < length) delete(id);" to "if (d == d && d >= longVal) delete(id);" is not good because it would remove properties like "4.5" or "007", the full array index check has to be used instead.
Here is a test case that catches the problem:
var BIG_INDEX = 4294967290;
var a = Array(BIG_INDEX);
a[BIG_INDEX - 1] = 'a';
a[BIG_INDEX - 10000] = 'b';
a[BIG_INDEX - 0.5] = 'c';
a.length = BIG_INDEX - 5000;
var s = '';
for (var i in a) s += a[i];
print('s="'+s+'"');
this should print s='cb' (or 'bc': EcmaScript does not fix the order), but currently it gives s=''.
3. There are race conditions in jsSet_length and getIds.
The first contains:
if (hasElem(this, i))
ScriptRuntime.delete(this, new Long(i));
which would lead to call to delete in the Array prototype if 2 threads would invoke this code. Simply calling ScriptableObject.delete without any checks for existence is enough here.
getIds assumes that the count of present elements in the dense array does not change, which is not true when another thread deletes elements from dense.
The attached patch fixes these issues.
Regards, Igor
git-svn-id: svn://10.0.0.236/trunk@102913 18797224-902f-48f8-a5cc-f745e15eee43