From 68d3bc54fbc9b99310197c51dfd84b6f72b7fb01 Mon Sep 17 00:00:00 2001
From: wolfbeast
Date: Mon, 3 Feb 2020 04:52:44 +0100
Subject: Issue #1382 - Remove invalid assertion. There is flexibility in exactly the value the initialized length must hold, i.e. if an array is completely empty, it is valid for the initialized length to be any value between zero and the length of the array, as long as the in-memory values below the initialized length have been initialized with a hole value. In the case of 0, the array is packed and the move operation would be a nop, so simply convert the assert to a condition to save some cycles.
---
js/src/jsarray.cpp | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
(limited to 'js')
diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp
index e618c319f..73243d918 100644
--- a/js/src/jsarray.cpp
+++ b/js/src/jsarray.cpp
@@ -2105,14 +2105,15 @@ js::ArrayShiftMoveElements(NativeObject* obj)
 MOZ_ASSERT_IF(obj->is(), obj->as().lengthIsWritable());
 size_t initlen = obj->getDenseInitializedLength();
- MOZ_ASSERT(initlen > 0);
-
- /*
- * At this point the length and initialized length have already been
- * decremented and the result fetched, so just shift the array elements
- * themselves.
- */
- obj->moveDenseElementsNoPreBarrier(0, 1, initlen);
+
+ if (initlen > 0) {
+ /*
+ * At this point the length and initialized length have already been
+ * decremented and the result fetched, so just shift the array elements
+ * themselves.
+ */
+ obj->moveDenseElementsNoPreBarrier(0, 1, initlen);
+ }
 }
 static inline void
-- cgit v1.2.3
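Review bot: The new `if (initlen > 0)` guard has no comment saying why a zero initialized length is legitimate at this point; that reasoning exists only in the commit message, so a later reader may take the guard for dead code or put the assertion back. I would state it directly above the guard, e.g. `// initlen may be 0: an empty array's initialized length can be anything from 0 to its length, and then there is nothing to shift.` Since the change replaces a debug-only check with silent acceptance on a path that, going by its name, moves elements without a pre-barrier, a regression test for the Issue #1382 case would be worth adding; the diffstat shown lists only jsarray.cpp, though it is limited to 'js'. The body of js::ArrayShiftMoveElements starts above the hunk, so any earlier checks on obj are not visible here.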