Commit e7ca2b7c authored by Simon Zünd, committed by Commit Bot

[array] Fix wrong receiver when copying from the prototype chain

This CL fixes an issue where getters/setters would get called on a
prototype with the wrong receiver. This happens in the pre-processing
for Array.p.sort when values get copied down from the prototype chain.

R=jgruber@chromium.org

Bug: v8:7682
Change-Id: I0d8ff1dc721c33bd721aaca54ffd357b3d2a2096
Reviewed-on: https://chromium-review.googlesource.com/1198767
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Simon Zünd <szuend@google.com>
Cr-Commit-Position: refs/heads/master@{#55546}
parent 6ecca197
......@@ -303,7 +303,7 @@ Maybe<bool> ConditionalCopy(Isolate* isolate, Handle<JSReceiver> source,
Handle<Object> source_element;
ASSIGN_RETURN_ON_EXCEPTION_VALUE(
isolate, source_element, JSReceiver::GetElement(isolate, source, index),
isolate, source_element, JSReceiver::GetElement(isolate, target, index),
Nothing<bool>());
Handle<Object> set_result;
......
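Review bot: At the GetElement call, reading through `target` inside a function whose parameter is named `source` looks like a typo to anyone who has not read the bug, so the line needs a comment. State there that the lookup starts at `target` so that an accessor found on the prototype chain is invoked with `target` as receiver. Also note the assumption that `source` is on `target`'s prototype chain: the hunk shows no check for it, and a caller passing an unrelated `source` would now silently read a different value.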
......@@ -215,9 +215,6 @@
# Allocates a huge string and then flattens it, very slow in debug mode.
'regress/regress-752764': [PASS, ['mode == debug', SLOW]],
# https://crbug.com/v8/7682
'regress/regress-v8-7682': [FAIL],
# https://crbug.com/v8/7697
'array-literal-feedback': [PASS, FAIL],
......
......@@ -18,5 +18,9 @@ class MyArrayLike {
const xs = new MyArrayLike();
Array.prototype.sort.call(xs);
assertEquals(1, xs[0]);
assertEquals(2, xs[1]);
// Sort-order is implementation-defined as we actually hit two conditions from
// the spec:
// - "xs" is sparse and IsExtensible(xs) is false (its frozen).
// - "xs" is sparse and the prototype has properties in the sort range.
assertEquals(2, xs[0]);
assertEquals(1, xs[1]);
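Review bot: The new comment calls the sort order implementation-defined, yet the two assertions after it pin `xs[0]` to 2 and `xs[1]` to 1, so the test now locks in this implementation's current order and will fail on any later pre-processing change that the spec still allows. Either say in the comment that the asserted order is the current behaviour and is kept deliberately as a regression guard, or assert only on what the fix is about, namely the receiver the accessors are called with. The expectations flip from 1, 2 to 2, 1 in the same change that drops the [FAIL] entry for this test, which the commit message should mention. Small typo in the comment: "its frozen" should be "it's frozen".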