src/objects.cc - Issue 2664173002: Throw when a holey property is set in Array.sort

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: src/objects.cc

Issue 2664173002: Throw when a holey property is set in Array.sort (Closed)

Patch Set: Patch PrepareSlowElementsForSort directly Created 3 years, 11 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: src/objects.cc

diff --git a/src/objects.cc b/src/objects.cc

index 8c05ff8bdd3e07349b54771eed2d323b41614d74..7987db28c14b470a809f2db02606b5b419f45d85 100644

--- a/src/objects.cc

+++ b/src/objects.cc

@@ -16799,6 +16799,7 @@ Handle<Object> JSObject::PrepareSlowElementsForSort(

uint32_t pos = 0;

uint32_t undefs = 0;

int capacity = dict->Capacity();

+ bool is_extensible = JSObject::IsExtensible(object);

adamk 2017/02/07 00:23:46 Please add a DCHECK to JSObject::PrepareElementsFo

Choongwoo Han 2017/02/07 09:45:49 Done.

Handle<Smi> bailout(Smi::FromInt(-1), isolate);

// Entry to the new dictionary does not cause it to grow, as we have

// allocated one that is large enough for all entries.

@@ -16822,29 +16823,23 @@ Handle<Object> JSObject::PrepareSlowElementsForSort(

}

uint32_t key = NumberToUint32(k);

- if (key < limit) {

- if (value->IsUndefined(isolate)) {

- undefs++;

- } else if (pos > static_cast<uint32_t>(Smi::kMaxValue)) {

- // Adding an entry with the key beyond smi-range requires

- // allocation. Bailout.

- return bailout;

- } else {

- Handle<Object> result = SeededNumberDictionary::AddNumberEntry(

- new_dict, pos, value, details, object);

- DCHECK(result.is_identical_to(new_dict));

- USE(result);

- pos++;

- }

- } else if (key > static_cast<uint32_t>(Smi::kMaxValue)) {

+ uint32_t new_pos = key < limit ? pos : key;

+ if (key < limit && value->IsUndefined(isolate)) {

+ undefs++;

+ } else if (new_pos > static_cast<uint32_t>(Smi::kMaxValue)) {

// Adding an entry with the key beyond smi-range requires

// allocation. Bailout.

return bailout;

+ } else if (!is_extensible && !dict->Has(isolate, new_pos)) {

+ return bailout;

} else {

Handle<Object> result = SeededNumberDictionary::AddNumberEntry(

- new_dict, key, value, details, object);

+ new_dict, new_pos, value, details, object);

DCHECK(result.is_identical_to(new_dict));

USE(result);

+ if (key < limit) {

+ pos++;

+ }

}

« no previous file with comments | « no previous file | test/mjsunit/array-sort.js » ('j') | test/mjsunit/array-sort.js » ('J')