Array.prototype.sort: Unchecked calls to hasOwnProperty and push and sort

test/mjsunit/array-sort.js

Index: test/mjsunit/array-sort.js
diff --git a/test/mjsunit/array-sort.js b/test/mjsunit/array-sort.js
index 3fa623a65601e7f6bc42809ff88fa9c2d008f7b1..62755426ade76675c0e84f333ce18146d229d595 100644
--- a/test/mjsunit/array-sort.js
+++ b/test/mjsunit/array-sort.js
@@ -404,3 +404,47 @@ function cmpTest(a, b) {
   return a.val - b.val;
 }
 arr.sort(cmpTest);
+
+function TestSortDoesNotDependOnObjectPrototypeHasOwnProperty() {
+  Array.prototype.sort.call({
+    __proto__: { hasOwnProperty: null, 0: 1 },
+    length: 5
+  });
+
+  var arr = new Array(2);
+  Object.defineProperty(arr, 0, { get: function() {}, set: function() {} });
+  arr.hasOwnProperty = null;
+  arr.sort();
+}
+
+TestSortDoesNotDependOnObjectPrototypeHasOwnProperty();
+
+function TestSortDoesNotDependOnArrayPrototypePush() {
+  // InsertionSort is used for arrays which length <= 22
+  var arr = [];
+  for (var i = 0; i < 22; i++) arr[i] = {};
+  Array.prototype.push = function() {
+    fail('Should not call push');
+  };
+  arr.sort();
+
+  // Quicksort is used for arrays which length > 22
+  // Arrays which length > 1000 guarantee GetThirdIndex is executed
+  arr = [];
+  for (var i = 0; i < 2000; ++i) arr[i] = {};
+  arr.sort();
+}
+
+TestSortDoesNotDependOnArrayPrototypePush();
+
+function TestSortDoesNotDependOnArrayPrototypeSort() {
+  var arr = [];
+  for (var i = 0; i < 2000; i++) arr[i] = {};
+  var sortfn = Array.prototype.sort;
+  Array.prototype.sort = function() {
+    fail('Should not call sort');
+  };
+  sortfn.call(arr);
+}
+
+TestSortDoesNotDependOnArrayPrototypeSort();