-
Simon Zünd authored
This CL changes the NumberDictionary fast-path for Array.p.sort to throw a TypeError when trying to write to a read-only property. Previously, the fast-path simply bailed to the slow-path which could swallow the TypeError by accident. I.e. because the fast-path could leave the array in an inconsistent state that is already sorted. Example: let arr = new Array(10); Object.defineProperty(arr, 0, {value: 2, writable: false}); Object.defineProperty(arr, 2, {value: 1, writable: false}); arr.sort(); The pre-processing step will move the value 1 to index 1: {0: 2, 1: 1} When trying to swap those 2 values, the fast-path will write the 2 at index 1, then try to write the 1 at index 0 and fail, bailing to the slow-path. As the array looks like {0: 2, 1: 2} its already sorted and the TypeError will not be thrown. R=jgruber@chromium.org Bug: v8:7382, v8:7907 Change-Id: I5d2f2d73478fdca066ce1048dcb2b8301751cb1f Reviewed-on: https://chromium-review.googlesource.com/1122120 Commit-Queue: Simon Zünd <szuend@google.com> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#54150}
93f59dee