Fixing Assert at InitBoxedInlineSegments

akroshg · akroshg · commit 31853a317d54 · 2019-04-11T14:17:30.000-07:00
The assert will be fired as the size of the segment can be larger than length. Say when you add a item on an Array on that size position.
However the assert needs to go away along with that we need to fix the size of new Array with max of INLINE_CHUNK_SIZE, so that IsInlineSegment logic
works correctly as the new Array's segment was indeed inlined.
Truncating the size would not be a problem as this cannot be smaller than length and later if the size needed to be increased the current segment will be
re-allocated.
diff --git a/lib/Runtime/Library/JavascriptArray.cpp b/lib/Runtime/Library/JavascriptArray.cpp
@@ -11919,13 +11919,12 @@ using namespace Js;
 
         if (IsInlineSegment(src, instance))
         {
-            Assert(src->size <= SparseArraySegmentBase::INLINE_CHUNK_SIZE);
-
             // Copy head segment data between inlined head segments
             dst = DetermineInlineHeadSegmentPointer<T, 0, true>(static_cast<T*>(this));
             dst->left = src->left;
             dst->length = src->length;
-            dst->size = src->size;
+            uint inlineChunkSize = SparseArraySegmentBase::INLINE_CHUNK_SIZE;
+            dst->size = min(src->size, inlineChunkSize);
         }
         else
         {
@@ -11940,7 +11939,8 @@ using namespace Js;
 
         Assert(IsInlineSegment(src, instance) == IsInlineSegment(dst, static_cast<T*>(this)));
 
-        CopyArray(dst->elements, dst->size, src->elements, src->size);
+        AssertOrFailFast(dst->size <= src->size);
+        CopyArray(dst->elements, dst->size, src->elements, dst->size);
 
         if (!deepCopy)
         {
diff --git a/test/Bugs/misc_bugs.js b/test/Bugs/misc_bugs.js
@@ -246,6 +246,18 @@ var tests = [
          test0();
       }
   },
+  {
+    name: "Init box javascript array : OS : 20517662",
+    body: function () {
+      var obj = {};
+      obj[0] = 11;
+      obj[1] = {};
+      obj[17] = 222;
+      obj[35] = 333; // This is will increase the size past the inline segment
+      
+      Object.assign({}, obj); // The InitBoxedInlineSegments will be called due to this call.
+    }
+  },
   {
     name: "calling promise's function as constructor should not be allowed",
     body: function () {

Original file line number	Diff line number	Diff line change
`@@ -11919,13 +11919,12 @@ using namespace Js;`
`11919`	`11919`
`11920`	`11920`	`if (IsInlineSegment(src, instance))`
`11921`	`11921`	`{`
`11922`		`- Assert(src->size <= SparseArraySegmentBase::INLINE_CHUNK_SIZE);`
`11923`		`-`
`11924`	`11922`	`// Copy head segment data between inlined head segments`
`11925`	`11923`	`dst = DetermineInlineHeadSegmentPointer<T, 0, true>(static_cast<T*>(this));`
`11926`	`11924`	`dst->left = src->left;`
`11927`	`11925`	`dst->length = src->length;`
`11928`		`- dst->size = src->size;`
	`11926`	`+ uint inlineChunkSize = SparseArraySegmentBase::INLINE_CHUNK_SIZE;`
	`11927`	`+ dst->size = min(src->size, inlineChunkSize);`
`11929`	`11928`	`}`
`11930`	`11929`	`else`
`11931`	`11930`	`{`
`@@ -11940,7 +11939,8 @@ using namespace Js;`
`11940`	`11939`
`11941`	`11940`	`Assert(IsInlineSegment(src, instance) == IsInlineSegment(dst, static_cast<T*>(this)));`
`11942`	`11941`
`11943`		`- CopyArray(dst->elements, dst->size, src->elements, src->size);`
	`11942`	`+ AssertOrFailFast(dst->size <= src->size);`
	`11943`	`+ CopyArray(dst->elements, dst->size, src->elements, dst->size);`
`11944`	`11944`
`11945`	`11945`	`if (!deepCopy)`
`11946`	`11946`	`{`