From 2a0f5186e82c84c00a3375449312b68d46264f5a Mon Sep 17 00:00:00 2001
From: Leonardo de Moura
Date: Tue, 26 Feb 2019 14:19:37 -0800
Subject: [PATCH] fix(runtime/object): bug at `array_push`

Small object allocator was masking this bug.

---
 src/runtime/object.cpp | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/runtime/object.cpp b/src/runtime/object.cpp
index cc4494fab1..c79f7757a9 100644
--- a/src/runtime/object.cpp
+++ b/src/runtime/object.cpp
@@ -1790,7 +1790,9 @@ object * mk_array(obj_arg n, obj_arg v) {
 obj_res copy_array(obj_arg a, bool expand) {
 size_t sz = array_size(a);
 size_t cap = array_capacity(a);
+ lean_assert(cap >= sz);
 if (expand) cap = (cap + 1) * 2;
+ lean_assert(!expand || cap > sz);
 object * r = alloc_array(sz, cap);
 object ** it = array_cptr(a);
 object ** end = it + sz;
@@ -1811,10 +1813,11 @@ object * array_push(obj_arg a, obj_arg v) {
 else r = copy_array(a, true);
 } else {
- r = copy_array(a, array_capacity(a) < 2*array_size(a));
+ r = copy_array(a, array_capacity(a) < 2*array_size(a) + 1);
 }
- size_t & sz = to_array(r)->m_size;
- object ** it = array_cptr(r) + sz;
+ lean_assert(array_capacity(r) > array_size(r));
+ size_t & sz = to_array(r)->m_size;
+ object ** it = array_cptr(r) + sz;
 *it = v;
 sz++;
 return r;
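Review bot: The new assertions in copy_array (`lean_assert(cap >= sz)` and `lean_assert(!expand || cap > sz)`) state the invariant array_push depends on — that the returned array has at least one free slot — but if lean_assert is compiled out in release builds nothing enforces it there, and a caller passing expand=false with cap == sz still gets a full array whose next push writes one element past the allocation. Since the real guarantee comes from the call-site condition in array_push (the second hunk), a comment on copy_array making that contract explicit would help future callers: `// Callers that push into the result must pass expand=true when cap == sz; the result then satisfies cap > sz (checked by lean_assert in debug builds only).` The growth step `(cap + 1) * 2` is also unchecked for size_t wrap-around; unreachable in practice for in-memory arrays, but worth stating next to the assertion so the assumption is visible. copy_array's body continues past the end of the hunk.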