Eliminate segfault when array changes to non-fast mode (#252)

Fixes #132

Signed-off-by: Peter Marki marpeter@inf.u-szeged.hu

src/interpreter/ByteCodeInterpreter.cpp

@@ -425,8 +425,8 @@ Value ByteCodeInterpreter::interpret(ExecutionState& state, ByteCodeBlock* byteC
                 const Value& property = registerFile[code->m_propertyRegisterIndex];
                 if (LIKELY(willBeObject.isObject() && (willBeObject.asPointerValue())->hasTag(g_arrayObjectTag))) {
                     ArrayObject* arr = willBeObject.asObject()->asArrayObject();
+                    uint32_t idx = property.tryToUseAsArrayIndex(state);
                     if (LIKELY(arr->isFastModeArray())) {
-                        uint32_t idx = property.tryToUseAsArrayIndex(state);
                         if (LIKELY(idx != Value::InvalidArrayIndexValue)) {
                             uint32_t len = arr->getArrayLength(state);
                             if (UNLIKELY(len <= idx)) {

test/regression-tests/issue-132.js

@@ -0,0 +1,20 @@
+/* Copyright 2019-present Samsung Electronics Co., Ltd. and other contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+var arr = [ ];
+Array.prototype[Object.defineProperty(arr, 0, {get: function() { Object.defineProperty(Array.prototype, 0, {}); return 0}})] = 0;
+
+assert(JSON.stringify(arr) == "[0]");
+assert(JSON.stringify(Array.prototype) == "[null]");