ce3c0064cd
This CL fixes a bug that allowed OOB read/stores on fastpaths when a comparison function caused the underlying FixedArray to change while keeping the elements kinds and size property on the original JSArray the same. R=jgruber@chromium.org Bug: chromium:852592 Change-Id: I09af357d10e7f41e75241e4c87430fc9aa806f8c Reviewed-on: https://chromium-review.googlesource.com/1104158 Commit-Queue: Simon Zünd <szuend@google.com> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Camillo Bruni <cbruni@chromium.org> Cr-Commit-Position: refs/heads/master@{#53811}
// Copyright 2018 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
const kArraySize = 1024;
|
|
|
|
let array = [];
|
|
for (let i = 1; i < kArraySize; ++i) {
|
|
array[i] = i + 0.1;
|
|
}
|
|
|
|
assertEquals(array.length, kArraySize);
|
|
|
|
let executed = false;
|
|
compareFn = _ => {
|
|
if (!executed) {
|
|
executed = true;
|
|
|
|
array.length = 1; // shrink
|
|
array.length = 0; // replace
|
|
array.length = kArraySize; // restore the original length
|
|
}
|
|
}
|
|
|
|
array.sort(compareFn);
|
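Review bot: Nothing after `array.sort(compareFn);` on the last line checks that the comparator was actually invoked, so the regression test would pass vacuously if a future sort path short-circuited before the first comparison; add `assertTrue(executed);` after the sort. `compareFn` is also assigned without a declaration and so becomes an implicit global; prefer `const compareFn = _ => {`. The three length assignments appear to exist to swap the backing store out from under the running sort while the JSArray's length and elements kind end up unchanged, as the commit message describes, so a comment above `array.length = 1;` such as `// Shrink, empty and regrow so the backing store is replaced mid-sort.` would make that intent clear to the next reader. Whether the hole at index 0 (the fill loop starts at 1) is deliberate is not stated and could be documented as well.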