1444bebe76
The array length is modifiable by user code that is called as a side-effect during the sorting algorithm. We thus cannot base any guarantees on the current length, but must reference the initially-read array length instead. Note that even though the algorithm may read and write from beyond the current array length value, this adheres to the spec, which only requires accesses to be within the original array dimensions (i.e.: 0 <= i < original array length). Bug: chromium:901633 Change-Id: Id765e80d4231ff6f2a73e040ec94c2b07f8c5b0f Reviewed-on: https://chromium-review.googlesource.com/c/1317814 Commit-Queue: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Daniel Clifford <danno@chromium.org> Cr-Commit-Position: refs/heads/master@{#57279}
// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
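// Regression test for chromium:901633.
//
// The comparator passed to Array.prototype.sort is user code, and here it
// shrinks the array while the sort is still in progress. A sort implementation
// therefore cannot treat the live `xs.length` as a bound for the elements it
// is working on; it has to keep using the length it read before the first
// comparator call. The test passes if the sort completes without the engine
// misbehaving; it makes no assertion about the resulting contents.

// Number of elements placed in the array before sorting.
const magic0 = 2396;
// Value of the comparator-call counter at which the array is truncated.
// NOTE(review): why these two particular values were chosen is not stated
// here; keep them unchanged unless the regression is re-verified.
const magic1 = 1972;

// Fill xs with float arrays: every element is a one-element array holding a
// non-integer number. The index-assignment loop is kept as written because a
// regression test may depend on how the array was built.
const xs = [];
for (let j = 0; j < magic0; ++j) {
  xs[j] = [j + 0.1];
}

// Sort, but trim the array at some point.
let cmp_calls = 0;
xs.sort((lhs, rhs) => {
  // After the truncation the sort may hand the comparator elements that are
  // no longer present, so fall back to a dummy element instead of throwing.
  const left = lhs || [0];
  const right = rhs || [0];
  // Side effect under test: shrink the array from inside the callback once
  // the counter reaches magic1.
  if (cmp_calls++ === magic1) xs.length = 1;
  return left[0] - right[0];
});

// The final shape of the array is unspecified since the comparison function is
// inconsistent.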