e7ca2b7cfe
This CL fixes an issue where getters/setters would get called on a prototype with the wrong receiver. This happens in the pre-processing for Array.p.sort when values get copied down from the prototype chain. R=jgruber@chromium.org Bug: v8:7682 Change-Id: I0d8ff1dc721c33bd721aaca54ffd357b3d2a2096 Reviewed-on: https://chromium-review.googlesource.com/1198767 Reviewed-by: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Simon Zünd <szuend@google.com> Cr-Commit-Position: refs/heads/master@{#55546}
27 lines
813 B
JavaScript
27 lines
813 B
JavaScript
// Copyright 2018 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
const impl = Symbol();
|
|
class MyArrayLike {
|
|
constructor() {
|
|
this[impl] = [2, 1];
|
|
Object.freeze(this);
|
|
}
|
|
get 0() { return this[impl][0]; }
|
|
set 0(value) { this[impl][0] = value; }
|
|
get 1() { return this[impl][1]; }
|
|
set 1(value) { this[impl][1] = value; }
|
|
get length() { return 2; }
|
|
}
|
|
|
|
const xs = new MyArrayLike();
|
|
Array.prototype.sort.call(xs);
|
|
|
|
// Sort-order is implementation-defined as we actually hit two conditions from
|
|
// the spec:
|
|
// - "xs" is sparse and IsExtensible(xs) is false (its frozen).
|
|
// - "xs" is sparse and the prototype has properties in the sort range.
|
|
assertEquals(2, xs[0]);
|
|
assertEquals(1, xs[1]);
|