Move to slow-path in Array#sort if the array is no longer a FastJSArray

After sorting the work array but before writing the values back into the actual receiver, we have an accessor check. This accessor check needs to be stricter, in order to catch Array prototype protector cell invalidations. R=jgruber@chromium.org Bug: chromium:1077508 Change-Id: I3c3bd4711f9019f9d4423701724319eee9d800a1 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2187171 Reviewed-by: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Simon Zünd <szuend@chromium.org> Cr-Commit-Position: refs/heads/master@{#67638}
2020-05-07 09:23:50 +02:00 · 2020-05-07 09:23:50 +02:00 · a40e093856
commit a40e093856
parent 74bd2cf083
2 changed files with 16 additions and 0 deletions
--- a/test/mjsunit/regress/regress-crbug-1077508.js
+++ b/test/mjsunit/regress/regress-crbug-1077508.js
@ -0,0 +1,14 @@
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+const array = [, , , 0, 1, 2];
+const comparefn = () => {
+  Array.prototype.__defineSetter__("0", function () {});
+  Array.prototype.__defineSetter__("1", function () {});
+  Array.prototype.__defineSetter__("2", function () {});
+};
+
+array.sort(comparefn);
+
+assertArrayEquals([, , , , , , ], array);
--- a/third_party/v8/builtins/array-sort.tq
+++ b/third_party/v8/builtins/array-sort.tq
@ -21,6 +21,8 @@ namespace array {
    }

    macro CheckAccessor(implicit context: Context)() labels Bailout {
+      if (!IsFastJSArray(this.receiver, context)) goto Bailout;
+
      const canUseSameAccessorFn: CanUseSameAccessorFn =
          this.canUseSameAccessorFn;