Skip to content

V
V8
Commit 5d2c09a8 authored by jkummerow's avatar jkummerow Committed by Commit bot
Browse files
Options

Fix Array.prototype.sort for *_STRING_WRAPPER_ELEMENTS 

Trying to sort a string should throw a TypeError, proper handling
of elements just needs to get out of the way.

BUG=chromium:584188
LOG=n
R=cbruni@chromium.org

Review URL: https://codereview.chromium.org/1670153002

Cr-Commit-Position: refs/heads/master@{#33777}
parent 59b922fb
Hide whitespace changes
Inline Side-by-side
Showing with 25 additions and 1 deletion
src/objects.cc
View file @ 5d2c09a8
...@@ -17619,6 +17619,11 @@ Handle<Object> JSObject::PrepareElementsForSort(Handle<JSObject> object, ...@@ -17619,6 +17619,11 @@ Handle<Object> JSObject::PrepareElementsForSort(Handle<JSObject> object,
return handle(Smi::FromInt(-1), isolate); return handle(Smi::FromInt(-1), isolate);
} }
if (object->HasStringWrapperElements()) {
int len = String::cast(Handle<JSValue>::cast(object)->value())->length();
return handle(Smi::FromInt(len), isolate);
}
if (object->HasDictionaryElements()) { if (object->HasDictionaryElements()) {
// Convert to fast elements containing only the existing properties. // Convert to fast elements containing only the existing properties.
// Ordering is irrelevant, since we are going to sort anyway. // Ordering is irrelevant, since we are going to sort anyway.
......
src/runtime/runtime-array.cc
View file @ 5d2c09a8
...@@ -199,6 +199,15 @@ RUNTIME_FUNCTION(Runtime_GetArrayKeys) { ...@@ -199,6 +199,15 @@ RUNTIME_FUNCTION(Runtime_GetArrayKeys) {
CONVERT_ARG_HANDLE_CHECKED(JSObject, array, 0); CONVERT_ARG_HANDLE_CHECKED(JSObject, array, 0);
CONVERT_NUMBER_CHECKED(uint32_t, length, Uint32, args[1]); CONVERT_NUMBER_CHECKED(uint32_t, length, Uint32, args[1]);
if (array->HasFastStringWrapperElements()) {
int string_length =
String::cast(Handle<JSValue>::cast(array)->value())->length();
int backing_store_length = array->elements()->length();
return *isolate->factory()->NewNumberFromUint(
Min(length,
static_cast<uint32_t>(Max(string_length, backing_store_length))));
}
if (!array->elements()->IsDictionary()) { if (!array->elements()->IsDictionary()) {
RUNTIME_ASSERT(array->HasFastSmiOrObjectElements() || RUNTIME_ASSERT(array->HasFastSmiOrObjectElements() ||
array->HasFastDoubleElements()); array->HasFastDoubleElements());
...@@ -207,7 +216,7 @@ RUNTIME_FUNCTION(Runtime_GetArrayKeys) { ...@@ -207,7 +216,7 @@ RUNTIME_FUNCTION(Runtime_GetArrayKeys) {
} }
KeyAccumulator accumulator(isolate, OWN_ONLY, ALL_PROPERTIES); KeyAccumulator accumulator(isolate, OWN_ONLY, ALL_PROPERTIES);
// No need to separate protoype levels since we only get numbers/element keys // No need to separate prototype levels since we only get element keys.
for (PrototypeIterator iter(isolate, array, for (PrototypeIterator iter(isolate, array,
PrototypeIterator::START_AT_RECEIVER); PrototypeIterator::START_AT_RECEIVER);
!iter.IsAtEnd(); iter.Advance()) { !iter.IsAtEnd(); iter.Advance()) {
......
test/mjsunit/regress/regress-crbug-584188.js 0 → 100644
View file @ 5d2c09a8
// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
var x = {};
try {
Object.defineProperty(String.prototype, "3", { x: function() { x = v; }});
string = "bla";
} catch(e) {; }
assertThrows("Array.prototype.sort.call(string);", TypeError);
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment