Fix Array.prototype.sort for *_STRING_WRAPPER_ELEMENTS
Trying to sort a string should throw a TypeError, proper handling of elements just needs to get out of the way. BUG=chromium:584188 LOG=n R=cbruni@chromium.org Review URL: https://codereview.chromium.org/1670153002 Cr-Commit-Position: refs/heads/master@{#33777}
This commit is contained in:
parent
59b922fb4e
commit
5d2c09a829
@ -17619,6 +17619,11 @@ Handle<Object> JSObject::PrepareElementsForSort(Handle<JSObject> object,
|
||||
return handle(Smi::FromInt(-1), isolate);
|
||||
}
|
||||
|
||||
if (object->HasStringWrapperElements()) {
|
||||
int len = String::cast(Handle<JSValue>::cast(object)->value())->length();
|
||||
return handle(Smi::FromInt(len), isolate);
|
||||
}
|
||||
|
||||
if (object->HasDictionaryElements()) {
|
||||
// Convert to fast elements containing only the existing properties.
|
||||
// Ordering is irrelevant, since we are going to sort anyway.
|
||||
|
@ -199,6 +199,15 @@ RUNTIME_FUNCTION(Runtime_GetArrayKeys) {
|
||||
CONVERT_ARG_HANDLE_CHECKED(JSObject, array, 0);
|
||||
CONVERT_NUMBER_CHECKED(uint32_t, length, Uint32, args[1]);
|
||||
|
||||
if (array->HasFastStringWrapperElements()) {
|
||||
int string_length =
|
||||
String::cast(Handle<JSValue>::cast(array)->value())->length();
|
||||
int backing_store_length = array->elements()->length();
|
||||
return *isolate->factory()->NewNumberFromUint(
|
||||
Min(length,
|
||||
static_cast<uint32_t>(Max(string_length, backing_store_length))));
|
||||
}
|
||||
|
||||
if (!array->elements()->IsDictionary()) {
|
||||
RUNTIME_ASSERT(array->HasFastSmiOrObjectElements() ||
|
||||
array->HasFastDoubleElements());
|
||||
@ -207,7 +216,7 @@ RUNTIME_FUNCTION(Runtime_GetArrayKeys) {
|
||||
}
|
||||
|
||||
KeyAccumulator accumulator(isolate, OWN_ONLY, ALL_PROPERTIES);
|
||||
// No need to separate protoype levels since we only get numbers/element keys
|
||||
// No need to separate prototype levels since we only get element keys.
|
||||
for (PrototypeIterator iter(isolate, array,
|
||||
PrototypeIterator::START_AT_RECEIVER);
|
||||
!iter.IsAtEnd(); iter.Advance()) {
|
||||
|
10
test/mjsunit/regress/regress-crbug-584188.js
Normal file
10
test/mjsunit/regress/regress-crbug-584188.js
Normal file
@ -0,0 +1,10 @@
|
||||
// Copyright 2016 the V8 project authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style license that can be
|
||||
// found in the LICENSE file.
|
||||
|
||||
var x = {};
|
||||
try {
|
||||
Object.defineProperty(String.prototype, "3", { x: function() { x = v; }});
|
||||
string = "bla";
|
||||
} catch(e) {; }
|
||||
assertThrows("Array.prototype.sort.call(string);", TypeError);
|
Loading…
Reference in New Issue
Block a user