Fixed njs_array_convert_to_slow_array(). Previously, the function might free invalid pointer, as array->start is not always points to the beginning of allocated memory block. This closes #540 issue on Github.

commit: 54170537281d2d29ddc57d1117548b7a323cb4de [log] [tgz]
author: Dmitry Volyntsev <xeioex@nginx.com> Sat Jun 11 00:15:49 2022 -0700
committer: Dmitry Volyntsev <xeioex@nginx.com> Sat Jun 11 00:15:49 2022 -0700
tree: d6fc8840e966cdff0e76e0c0e46f06de0251da06
parent: 60c2119ddd4de4e9dc296bc7b9da0d687f51cfa9 [diff]
diff --git a/src/njs_array.c b/src/njs_array.c
index 6691d80..a973f30 100644
--- a/src/njs_array.c
+++ b/src/njs_array.c

@@ -165,7 +165,7 @@
 
     /* GC: release value. */
 
-    njs_mp_free(vm->mem_pool, array->start);
+    njs_mp_free(vm->mem_pool, array->data);
     array->start = NULL;
 
     return NJS_OK;

diff --git a/src/test/njs_unit_test.c b/src/test/njs_unit_test.c
index 46197cd..d338c79 100644
--- a/src/test/njs_unit_test.c
+++ b/src/test/njs_unit_test.c

@@ -4743,6 +4743,12 @@
               "a.shift(); a"),
       njs_str("2,3") },
 
+    { njs_str("var arr = [1,2];"
+              "arr.shift();"
+              "arr[2**20] = 3;"
+              "arr[2**20]"),
+      njs_str("3") },
+
     { njs_str("var a = []; a.splice()"),
       njs_str("") },
commit	54170537281d2d29ddc57d1117548b7a323cb4de	[log] [tgz]
author	Dmitry Volyntsev <xeioex@nginx.com>	Sat Jun 11 00:15:49 2022 -0700
committer	Dmitry Volyntsev <xeioex@nginx.com>	Sat Jun 11 00:15:49 2022 -0700
tree	d6fc8840e966cdff0e76e0c0e46f06de0251da06
parent	60c2119ddd4de4e9dc296bc7b9da0d687f51cfa9 [diff]