[change-array-by-copy] Fix hole handling in toSorted

The wrong iteration length is currently used to check if any element in
a sorted worklist is not a Smi.

Bug: chromium:1381656, v8:12764
Change-Id: Ia46bb8ec68849696d452c31eb47b2904bba7fa3d
Fixed: chromium:1381656
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4010520
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84133}
This commit is contained in:
Shu-yu Guo 2022-11-07 18:49:32 -08:00 committed by V8 LUCI CQ
parent 8c9426b381
commit d045209c4d
2 changed files with 16 additions and 1 deletions

View File

@ -65,7 +65,8 @@ ArrayTimSortIntoCopy(context: Context, sortState: SortState): JSArray {
if (sortState.numberOfUndefined != 0) goto FastObject; if (sortState.numberOfUndefined != 0) goto FastObject;
const workArray = sortState.workArray; const workArray = sortState.workArray;
for (let i: Smi = 0; i < workArray.length; ++i) { dcheck(numberOfNonUndefined <= workArray.length);
for (let i: Smi = 0; i < numberOfNonUndefined; ++i) {
const e = UnsafeCast<JSAny>(workArray.objects[i]); const e = UnsafeCast<JSAny>(workArray.objects[i]);
// TODO(v8:12764): ArrayTimSortImpl already boxed doubles. Support // TODO(v8:12764): ArrayTimSortImpl already boxed doubles. Support
// PACKED_DOUBLE_ELEMENTS. // PACKED_DOUBLE_ELEMENTS.

View File

@ -0,0 +1,14 @@
// Copyright 2022 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --harmony-change-array-by-copy
// Returning arguments for a function with 1 parameter results in toSorted code
// initially under-allocating a sorting worklist of length 1 (instead of
// 2). This then results the worklist growing to length 17, with elements 2-16
// being holes. The hole values should not be accessed.
let args = (function(x) {
return arguments;
})(1, 2);
Array.prototype.toSorted.call(args);