Move to slow-path in Array#sort if the array is no longer a FastJSArray

After sorting the work array but before writing the values back into
the actual receiver, we have an accessor check. This accessor check
needs to be stricter, in order to catch Array prototype protector
cell invalidations.

R=jgruber@chromium.org

Bug: chromium:1077508
Change-Id: I3c3bd4711f9019f9d4423701724319eee9d800a1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2187171
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67638}
Simon Zünd 2020-05-07 09:23:50 +02:00 committed by Commit Bot
parent 74bd2cf083
commit a40e093856
2 changed files with 16 additions and 0 deletions


@ -0,0 +1,14 @@
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
const array = [, , , 0, 1, 2];
const comparefn = () => {
Array.prototype.__defineSetter__("0", function () {});
Array.prototype.__defineSetter__("1", function () {});
Array.prototype.__defineSetter__("2", function () {});
};
array.sort(comparefn);
assertArrayEquals([, , , , , , ], array);
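Review bot: The expected value `[, , , , , , ]` on the assertArrayEquals line is not self-explanatory, and the new test carries no comment tying it to the bug it regresses. A header comment after the license block would help, e.g. `// Regression test for chromium:1077508: installing setters on Array.prototype from inside the comparator must move Array#sort onto the slow path.` It appears (inferred from the expected value, not stated in the hunk) that the setters installed on "0", "1", "2" absorb the values written back into the holey receiver while the remaining indices are cleared, which is why the result is all holes; a one-line note next to the assertion saying so would save the next reader working it out. The file's path is not shown in this rendering, so the comment should also be checked against the test directory's naming convention.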


@ -21,6 +21,8 @@ namespace array {
} }
macro CheckAccessor(implicit context: Context)() labels Bailout { macro CheckAccessor(implicit context: Context)() labels Bailout {
if (!IsFastJSArray(this.receiver, context)) goto Bailout;
const canUseSameAccessorFn: CanUseSameAccessorFn = const canUseSameAccessorFn: CanUseSameAccessorFn =
this.canUseSameAccessorFn; this.canUseSameAccessorFn;