[change-array-by-copy] Fix hole handling in toSorted

The wrong iteration length is currently used to check if any element in a sorted worklist is not a Smi. Bug: chromium:1381656, v8:12764 Change-Id: Ia46bb8ec68849696d452c31eb47b2904bba7fa3d Fixed: chromium:1381656 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4010520 Reviewed-by: Adam Klein <adamk@chromium.org> Commit-Queue: Shu-yu Guo <syg@chromium.org> Cr-Commit-Position: refs/heads/main@{#84133}
2022-11-07 18:49:32 -08:00 · 2022-11-07 18:49:32 -08:00 · d045209c4d
commit d045209c4d
parent 8c9426b381
2 changed files with 16 additions and 1 deletions
--- a/src/builtins/array-to-sorted.tq
+++ b/src/builtins/array-to-sorted.tq
@ -65,7 +65,8 @@ ArrayTimSortIntoCopy(context: Context, sortState: SortState): JSArray {
      if (sortState.numberOfUndefined != 0) goto FastObject;

      const workArray = sortState.workArray;
-      for (let i: Smi = 0; i < workArray.length; ++i) {
+      dcheck(numberOfNonUndefined <= workArray.length);
+      for (let i: Smi = 0; i < numberOfNonUndefined; ++i) {
        const e = UnsafeCast<JSAny>(workArray.objects[i]);
        // TODO(v8:12764): ArrayTimSortImpl already boxed doubles. Support
        // PACKED_DOUBLE_ELEMENTS.
--- a/test/mjsunit/harmony/regress/regress-crbug-1381656.js
+++ b/test/mjsunit/harmony/regress/regress-crbug-1381656.js
@ -0,0 +1,14 @@
+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --harmony-change-array-by-copy
+
+// Returning arguments for a function with 1 parameter results in toSorted code
+// initially under-allocating a sorting worklist of length 1 (instead of
+// 2). This then results the worklist growing to length 17, with elements 2-16
+// being holes. The hole values should not be accessed.
+let args = (function(x) {
+  return arguments;
+})(1, 2);
+Array.prototype.toSorted.call(args);