v8/test/mjsunit/regress/regress-crbug-1077508.js
Simon Zünd a40e093856 Move to slow-path in Array#sort if the array is no longer a FastJSArray
After sorting the work array but before writing the values back into
the actual receiver, we have an accessor check. This accessor check
needs to be stricter, in order to catch Array prototype protector
cell invalidations.

R=jgruber@chromium.org

Bug: chromium:1077508
Change-Id: I3c3bd4711f9019f9d4423701724319eee9d800a1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2187171
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67638}
2020-05-07 08:08:39 +00:00


// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Regression test for chromium:1077508 (write-back phase of Array#sort).
//
// The receiver starts with holes at indices 0..2 and own elements at 3..5.
// A hole has no own property, so a later write to indices 0..2 has to
// consult the prototype chain.
const array = [, , , 0, 1, 2];
// The comparator exists only for its side effect: while the sort is running
// it installs no-op setters for "0", "1" and "2" on Array.prototype. It has
// no return statement, so every comparison yields undefined.
// NOTE(review): the setters are never removed, so Array.prototype stays
// modified for anything that runs afterwards in the same realm.
const comparefn = () => {
Array.prototype.__defineSetter__("0", function () {});
Array.prototype.__defineSetter__("1", function () {});
Array.prototype.__defineSetter__("2", function () {});
};
// Per the commit description, the engine sorts a work array and performs an
// accessor check before writing the values back into the receiver. This call
// exercises that check with accessors that appeared on the prototype
// mid-sort, i.e. after the receiver stopped qualifying for the fast path.
array.sort(comparefn);
// The expected value is a length-6 array literal consisting only of holes:
// the values written to 0..2 must go through the no-op prototype setters
// (and are therefore dropped) instead of being stored as own elements, and
// indices 3..5 are left as holes.
// assertArrayEquals is not defined in this file; presumably it comes from
// the mjsunit harness the test runs under.
assertArrayEquals([, , , , , , ], array);