[runtime] clear array elements when right trimming while leaving free space

Bug: chromium:734314
Change-Id: I4e1bd1264c2c4088ce9fdcdbe3b9e233faa516df
Reviewed-on: https://chromium-review.googlesource.com/544990Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46211}

src/elements.cc

@@ -777,6 +777,10 @@ class ElementsAccessorBase : public ElementsAccessor {
                                    ? (capacity - length) / 2
                                    : capacity - length;
         isolate->heap()->RightTrimFixedArray(*backing_store, elements_to_trim);
+        // Fill the non-trimmed elements with holes.
+        BackingStore::cast(*backing_store)
+            ->FillWithHoles(length,
+                            std::min(old_length, capacity - elements_to_trim));
       } else {
         // Otherwise, fill the unused tail with holes.
         BackingStore::cast(*backing_store)->FillWithHoles(length, old_length);

test/mjsunit/array-length.js

@@ -43,6 +43,15 @@ assertEquals('undefined', typeof a[2]);
 assertEquals('undefined', typeof a[3]);
 
 
+for(var i = 0; i < 10; i++) {
+      var array = new Array(i).fill(42);
+      array.push(42);
+      array.length = i;
+      array.length = i+1;
+      assertEquals('undefined' , typeof array[i]);
+}
+
+
 var a = new Array();
 a[0] = 0;
 a[1000] = 1000;