[array] Change Array.p.sort bailout behavior from fast- to slow-path

This CL fixes a bug where execution would continue on a fast-path even though a previous recursion step bailed to the slow path. This would allow possibly illegal loads that could leak to JS.

Drive-by change: Instead of bailing to the slow-path on each recursion step, we now bail completely and start the slow-path afterwards.

R=cbruni@chromium.org, jgruber@chromium.org

Bug: chromium:854299, v8:7382
Change-Id: Ib2fd5d85dbd0c3894d7775c4f62e053c31b5e5d1
Reviewed-on: https://chromium-review.googlesource.com/1107702
Commit-Queue: Simon Zünd <szuend@google.com>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53892}
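The "bail completely, then start the slow path" shape described in the commit message, as an added JavaScript model that is not V8's code. All names (`Bailout`, `fastSort`, `slowSort`, `sortModel`) are hypothetical, and the trigger used here, a comparator that shrinks the array, is an assumption chosen for illustration; the commit message does not say what causes the bailout.

```javascript
// Added model, not V8 source. All names here are hypothetical.
class Bailout extends Error {}

// Fast path: quicksort that trusts `len`, the length captured at entry.
function fastSort(store, len, cmp, lo, hi) {
  if (lo >= hi) return;
  const pivot = store[hi];
  let i = lo;
  for (let j = lo; j < hi; j++) {
    const order = cmp(store[j], pivot); // user code runs here
    // Re-check the assumption after every callback. Throwing unwinds every
    // recursion level, so no caller resumes fast-path loads afterwards.
    if (store.length !== len) throw new Bailout();
    if (order < 0) {
      [store[i], store[j]] = [store[j], store[i]];
      i++;
    }
  }
  [store[i], store[hi]] = [store[hi], store[i]];
  fastSort(store, len, cmp, lo, i - 1);
  fastSort(store, len, cmp, i + 1, hi);
}

// Slow path: insertion sort that re-reads the length before each access.
function slowSort(arr, cmp) {
  for (let i = 1; i < arr.length; i++) {
    for (let j = i; j > 0 && j < arr.length; j--) {
      const left = arr[j - 1], right = arr[j];
      if (cmp(left, right) <= 0) break;
      if (j < arr.length) { arr[j - 1] = right; arr[j] = left; }
    }
  }
}

// Entry point: one bail-out abandons the fast path for the whole sort.
function sortModel(arr, cmp) {
  try {
    fastSort(arr, arr.length, cmp, 0, arr.length - 1);
    return 'fast';
  } catch (e) {
    if (!(e instanceof Bailout)) throw e;
    slowSort(arr, cmp);
    return 'slow';
  }
}
```

Had `fastSort` instead handled the failure locally and returned, its caller would go on to the sibling sub-range still trusting the stale `len`, which is the pattern the commit message reports fixing.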