Commit a40e0938 authored by Simon Zünd's avatar Simon Zünd Committed by Commit Bot

Move to slow-path in Array#sort if the array is no longer a FastJSArray

After sorting the work array but before writing the values back into
the actual receiver, we have an accessor check. This accessor check
needs to be stricter, in order to catch Array prototype protector
cell invalidations.

R=jgruber@chromium.org

Bug: chromium:1077508
Change-Id: I3c3bd4711f9019f9d4423701724319eee9d800a1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2187171Reviewed-by: 's avatarJakob Gruber <jgruber@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67638}
parent 74bd2cf0
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
const array = [, , , 0, 1, 2];
const comparefn = () => {
Array.prototype.__defineSetter__("0", function () {});
Array.prototype.__defineSetter__("1", function () {});
Array.prototype.__defineSetter__("2", function () {});
};
array.sort(comparefn);
assertArrayEquals([, , , , , , ], array);
...@@ -21,6 +21,8 @@ namespace array { ...@@ -21,6 +21,8 @@ namespace array {
} }
macro CheckAccessor(implicit context: Context)() labels Bailout { macro CheckAccessor(implicit context: Context)() labels Bailout {
if (!IsFastJSArray(this.receiver, context)) goto Bailout;
const canUseSameAccessorFn: CanUseSameAccessorFn = const canUseSameAccessorFn: CanUseSameAccessorFn =
this.canUseSameAccessorFn; this.canUseSameAccessorFn;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment