AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

[change-array-by-copy] Allow LO allocation in Array#toSorted

Browse Source 
Bug: v8:12764, chromium:1367136
Change-Id: Ia73f507bf480035d883be1bb5189a5b464327d29
Fixed: chromium:1367136
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3916281
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83403}
This commit is contained in:
Shu-yu Guo 2022-09-23 11:24:01 -07:00 committed by V8 LUCI CQ
parent 0cccb6f27d
commit 17359d84c8
2 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/builtins/array-to-sorted.tq
View File

@ -15,7 +15,8 @@ CopyWorkArrayToNewFastJSArray(implicit context: Context, sortState: SortState)(
dcheck(len <= kMaxFastArrayLength);
const copy: FixedArray = UnsafeCast<FixedArray>(AllocateFixedArray(
elementsKind, Convert<intptr>(len), AllocationFlag::kNone));
elementsKind, Convert<intptr>(len),
AllocationFlag::kAllowLargeObjectAllocation));
const workArray = sortState.workArray;
CopyElements(

6
test/mjsunit/harmony/array-to-sorted.js
View File

@ -94,6 +94,12 @@ TestToSortedBasicBehaviorHelper({ length: 4,
assertEquals(0, a.length);
})();
(function TestBig() {
const a = [];
a[50001] = 42.42;
a.toSorted();
})();
(function TestTooBig() {
const a = { length: Math.pow(2, 32) };
assertThrows(() => Array.prototype.toSorted.call(a), RangeError);