[change-array-by-copy] Allow LO allocation in Array#toSorted

Bug: v8:12764, chromium:1367136
Change-Id: Ia73f507bf480035d883be1bb5189a5b464327d29
Fixed: chromium:1367136
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3916281
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83403}

src/builtins/array-to-sorted.tq

@@ -15,7 +15,8 @@ CopyWorkArrayToNewFastJSArray(implicit context: Context, sortState: SortState)(
   dcheck(len <= kMaxFastArrayLength);
 
   const copy: FixedArray = UnsafeCast<FixedArray>(AllocateFixedArray(
-      elementsKind, Convert<intptr>(len), AllocationFlag::kNone));
+      elementsKind, Convert<intptr>(len),
+      AllocationFlag::kAllowLargeObjectAllocation));
 
   const workArray = sortState.workArray;
   CopyElements(

test/mjsunit/harmony/array-to-sorted.js

@@ -94,6 +94,12 @@ TestToSortedBasicBehaviorHelper({ length: 4,
   assertEquals(0, a.length);
 })();
 
+(function TestBig() {
+  const a = [];
+  a[50001] = 42.42;
+  a.toSorted();
+})();
+
 (function TestTooBig() {
   const a = { length: Math.pow(2, 32) };
   assertThrows(() => Array.prototype.toSorted.call(a), RangeError);