[1.11>master] [MERGE #6167 @pleath] Fail on unexpected missing item constant in an array head segment during native array conversion

Merge pull request #6167 from pleath:arrayfail

Author: pleath

lib/Runtime/Library/JavascriptArray.cpp

@@ -9,6 +9,7 @@
 
 // TODO: Change this generic fatal error to the descriptive one.
 #define AssertAndFailFast(x) if (!(x)) { Assert(x); Js::Throw::FatalInternalError(); }
+#define AssertMsgAndFailFast(x, m) if (!(x)) { AssertMsg((x), m); Js::Throw::FatalInternalError(); }
 
 using namespace Js;
 
@@ -1749,6 +1750,7 @@ using namespace Js;
                     ival = ((SparseArraySegment<int32>*)seg)->elements[i /*+ seg->length*/];
                     if (ival == JavascriptNativeIntArray::MissingItem)
                     {
+                        AssertMsgAndFailFast(newSeg != intArray->head || !intArray->HasNoMissingValues(), "Unexpected missing item during array conversion");
                         continue;
                     }
                     newSeg->elements[i] = (double)ival;
@@ -2016,6 +2018,7 @@ using namespace Js;
                     ival = ((SparseArraySegment<int32>*)seg)->elements[i];
                     if (ival == JavascriptNativeIntArray::MissingItem)
                     {
+                        AssertMsgAndFailFast(seg != intArray->head || !intArray->HasNoMissingValues(), "Unexpected missing item during array conversion");
                         continue;
                     }
                     newSeg->elements[i] = JavascriptNumber::ToVar(ival, scriptContext);
@@ -2050,6 +2053,7 @@ using namespace Js;
                     ival = ((SparseArraySegment<int32>*)seg)->elements[i];
                     if (ival == JavascriptNativeIntArray::MissingItem)
                     {
+                        AssertMsgAndFailFast(seg != intArray->head || !intArray->HasNoMissingValues(), "Unexpected missing item during array conversion");
                         ((SparseArraySegment<Var>*)seg)->elements[i] = (Var)JavascriptArray::MissingItem;
                     }
                     else
@@ -2229,6 +2233,7 @@ using namespace Js;
             {
                 if (SparseArraySegment<double>::IsMissingItem(&((SparseArraySegment<double>*)seg)->elements[i]))
                 {
+                    AssertMsgAndFailFast(seg != fArray->head || !fArray->HasNoMissingValues(), "Unexpected missing item during conversion");
                     if (seg == newSeg)
                     {
                         newSeg->elements[i] = (Var)JavascriptArray::MissingItem;

lib/Runtime/Library/SparseArraySegment.inl

@@ -268,7 +268,12 @@ namespace Js
             Assert(sizeof(T) % sizeof(Var) == 0);
             uint step = sizeof(T) / sizeof(Var);
 
-            for (uint i = start; i < size * step; i++)
+            // We're filling [length...size-1] based on the element size. If this is going to be a float segment on 32-bit,
+            // only fill past the point where the float elements will reside. Size * step has to be a 32-bit number.
+            start *= step;
+            size *= step;
+
+            for (uint i = start; i < size; i++)
             {
                 ((Var*)(this->elements))[i] = fill; // swb: no write barrier, set to non-GC pointer
             }