
Unified Diff: test/mjsunit/array-sort.js

Issue 555173002: Array.prototype.sort: Unchecked calls to hasOwnProperty and push and sort (Closed) Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge
Patch Set: Fixed nits Created 6 years, 3 months ago
Index: test/mjsunit/array-sort.js
diff --git a/test/mjsunit/array-sort.js b/test/mjsunit/array-sort.js
index 3fa623a65601e7f6bc42809ff88fa9c2d008f7b1..1de34ecb8168e8d77f040aa0c4ebd286cd6f8af0 100644
--- a/test/mjsunit/array-sort.js
+++ b/test/mjsunit/array-sort.js
@@ -404,3 +404,45 @@ function cmpTest(a, b) {
return a.val - b.val;
}
arr.sort(cmpTest);
+
+function TestSortDoesntDependOnObjectPrototypeHasOwnProperty() {
+ Array.prototype.sort.call({__proto__: { hasOwnProperty: null, 0: 1 },
arv (Not doing code reviews) 2014/09/15 18:05:28 Array.prototype.sort.call({ __proto__: { hasOwnP
+ length: 5});
+
+ var arr = [];
+ Object.defineProperty(arr, "0", {});
arv (Not doing code reviews) 2014/09/15 18:05:28 Now I'm confused again ;-) Don't we treat the '0'
Diego Pino 2014/09/16 09:56:38 Yes, it's the same to use '0' or 0 in this case.
+ arr.hasOwnProperty = null;
+ arr.sort();
+}
+
+TestSortDoesntDependOnObjectPrototypeHasOwnProperty();
+
+function TestSortDoesntDepenOnArrayPrototypePush() {
wingo 2014/09/16 08:47:48 "Depend". Also better to write out DoesNot instea
+ // InsertionSort is used for arrays which length <= 22
+ var arr = [];
+ for (var i = 0; i < 22; i++) arr[i] = {};
+ Array.prototype.push = function() {
+ fail('Should not call push');
arv (Not doing code reviews) 2014/09/15 18:05:28 indent 2 spaces.
+ }
arv (Not doing code reviews) 2014/09/15 18:05:28 ;
+ arr.sort();
+
+ // Quicksort is used for arrays which length > 22
+ // Arrays which length > 1000 guarantee GetThirdIndex is executed
+ arr = [];
+ for (var i = 0; i < 2000; ++i) arr[i] = {};
+ arr.sort();
+}
+
+TestSortDoesntDepenOnArrayPrototypePush();
+
+function TestSortDoesntDepenOnArrayPrototypeSort() {
+ var arr = [];
+ for (var i = 0; i < 2000; i++) arr[i] = {};
+ var sortfn = Array.prototype.sort;
+ Array.prototype.sort = function() {
+ fail('Should not call sort');
+ }
arv (Not doing code reviews) 2014/09/15 18:05:28 ;
+ sortfn.call(arr);
+}
+
+TestSortDoesntDepenOnArrayPrototypeSort();
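Review bot: `Array.prototype.push` is overwritten in TestSortDoesntDepenOnArrayPrototypePush and never put back, so the failing stub stays installed for everything that runs after it. TestSortDoesntDepenOnArrayPrototypeSort does the same with `Array.prototype.sort`, even though it already keeps the original in `sortfn`. Any later code in the same run that calls push or sort on an array would then fail for a reason unrelated to what these tests check, and the third test silently runs with the second test's patched push. Saving the original and restoring it in a `finally` keeps each test self-contained. The sort test needs only `Array.prototype.sort = sortfn;` in the same position.

```javascript
function TestSortDoesntDepenOnArrayPrototypePush() {
  // … unchanged: build the 22-element array …
  var originalPush = Array.prototype.push;
  Array.prototype.push = function() {
    fail('Should not call push');
  };
  try {
    // … unchanged: the two arr.sort() runs (22 and 2000 elements) …
  } finally {
    // Restore the builtin so later tests see an unmodified prototype.
    Array.prototype.push = originalPush;
  }
}
```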