0855fb151b
PrepareElementsForSort must return a number less than or equal the array length. Bug: chromium:897512, v8:7382 Change-Id: If5f9c4d052e623ab9f3300b8534603abbee859fa Reviewed-on: https://chromium-review.googlesource.com/c/1297958 Commit-Queue: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Camillo Bruni <cbruni@chromium.org> Cr-Commit-Position: refs/heads/master@{#56982}
25 lines
658 B
JavaScript
25 lines
658 B
JavaScript
// Copyright 2018 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Fill up the Array prototype's elements.
|
|
for (let i = 0; i < 100; i++) Array.prototype.unshift(3.14);
|
|
|
|
// Create a holey double elements array.
|
|
const o31 = [1.1];
|
|
o31[37] = 2.2;
|
|
|
|
// Concat converts to dictionary elements.
|
|
const o51 = o31.concat(false);
|
|
|
|
// Set one element to undefined to trigger the movement bug.
|
|
o51[0] = undefined;
|
|
|
|
assertEquals(o51.length, 39);
|
|
|
|
// Sort triggers the bug.
|
|
o51.sort();
|
|
|
|
// TODO(chromium:897512): The length should be 39.
|
|
assertEquals(o51.length, 101);
|