v8/test/mjsunit/regress/regress-crbug-967065.js
Simon Zünd 82f6179c63 [array] Prevent negative work array capacity when sorting
When allocating large arrays on 32-bit systems, the length conversion
caused the work array capacity to become negative. As the sort range
is currently clamped at kSmiMaxValue anyway, the fix is to also
clamp the work capacity to that value.

R=jgruber@chromium.org

Bug: chromium:967065
Change-Id: I9ea60464c5b7f3796c5389cbaf668b990eddecf6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1630672
Auto-Submit: Simon Zünd <szuend@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61845}
2019-05-27 10:41:44 +00:00


// Copyright 2019 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Tests that the receiver {length} property conversion works on 32-bit
// systems (i.e. it should not crash).
// Builds a sparse array whose length (2147549152, just above 2^31) is large
// enough to exercise the 32-bit {length} conversion path in Array.prototype.sort,
// then aborts the sort from the accessor on index 0 so no element is ever moved.
// Per the commit description, the pre-fix engine could derive a negative work
// array capacity from such a length; the point of calling sort() here is only
// that the engine survives the length handling and raises the getter's Error.
function ThrowingSort() {
  const hugeSparseArray = new Array(2147549152);
  const abortSort = () => {
    throw new Error("Do not actually sort!");
  };
  // Non-enumerable, non-configurable accessor (descriptor defaults), as in the
  // original regression test.
  Object.defineProperty(hugeSparseArray, 0, { get: abortSort });
  hugeSparseArray.sort();
}
// The regression is "does not crash": the only acceptable outcome is the
// exception raised by the index-0 getter inside ThrowingSort.
assertThrows(ThrowingSort);