[typedarrays] Fix Out of Bound Access in TypedArraySortFast

Compare function for std::sort should satisfy strict weak ordering relation. BUG=chromium:696251 Change-Id: I1c07e3bb1b012fd203bc059a21a75ae0fc61f5ac Reviewed-on: https://chromium-review.googlesource.com/447036Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Peter Marshall <petermarshall@chromium.org> Cr-Commit-Position: refs/heads/master@{#43446}

[typedarrays] Fix Out of Bound Access in TypedArraySortFast
Compare function for std::sort should satisfy strict weak ordering relation. BUG=chromium:696251 Change-Id: I1c07e3bb1b012fd203bc059a21a75ae0fc61f5ac Reviewed-on: https://chromium-review.googlesource.com/447036Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Peter Marshall <petermarshall@chromium.org> Cr-Commit-Position: refs/heads/master@{#43446}
cd3a76d5 · Choongwoo Han · Commit Bot · 1ed1622e · cd3a76d5 · cd3a76d5
Commit cd3a76d5 authored Feb 27, 2017 by Choongwoo Han Committed by Commit Bot Feb 27, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 18 additions and 6 deletions

runtime-typedarray.cc src/runtime/runtime-typedarray.cc +11 -6

regress-696251.js test/mjsunit/regress/regress-696251.js +7 -0

No files found.
--- a/src/runtime/runtime-typedarray.cc
+++ b/src/runtime/runtime-typedarray.cc
@@ -375,12 +375,17 @@ namespace {
      return true;                                                \
    } else if (x > y) {                                           \
      return false;                                               \
-    } else if (x == 0 && x == y) {                                \
-      return std::signbit(static_cast<double>(x)) ? true : false; \
-    } else if (std::isnan(static_cast<double>(x))) {              \
-      return false;                                               \
+    } else {                                                      \
+      double _x = x, _y = y;                                      \
+      if (x == 0 && x == y) {                                     \
+        /* -0.0 is less than +0.0 */                              \
+        return std::signbit(_x) && !std::signbit(_y);             \
+      } else if (!std::isnan(_x) && std::isnan(_y)) {             \
+        /* number is less than NaN */                             \
+        return true;                                              \
+      }                                                           \
    }                                                             \
-    return true;                                                  \
+    return false;                                                 \
  }

 TYPED_ARRAYS(TYPED_ARRAY_SORT_COMPAREFN)
@@ -399,7 +404,7 @@ RUNTIME_FUNCTION(Runtime_TypedArraySortFast) {
  ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
      isolate, array, JSTypedArray::Validate(isolate, target_obj, method));

-  // This line can be remove when JSTypedArray::Validate throws
+  // This line can be removed when JSTypedArray::Validate throws
  // if array.[[ViewedArrayBuffer]] is neutered(v8:4648)
  if (V8_UNLIKELY(array->WasNeutered())) return *array;


--- a/test/mjsunit/regress/regress-696251.js
+++ b/test/mjsunit/regress/regress-696251.js
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var a = new Uint8Array(1000);
+a.fill(255);
+a.sort();