Bug 225062

Summary: %TypedArray%.prototype.sort() should not use a regular array as a temp buffer.
Product: WebKit
Reporter: Mark Lam <mark.lam>
Component: JavaScriptCore
Assignee: Mark Lam <mark.lam>
Status: RESOLVED FIXED
Severity: Normal
CC: ews-watchlist, joepeck, keith_miller, msaboff, saam, tzagallo, webkit-bug-importer, ysuzuki
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments (description, flags):
proposed patch. (ysuzuki: review+)

Description Mark Lam 2021-04-26 11:28:00 PDT
rdar://77021547
Comment 1 Mark Lam 2021-04-26 11:56:04 PDT
Created attachment 427073
proposed patch.
Comment 2 Yusuke Suzuki 2021-04-26 12:03:52 PDT
Comment on attachment 427073
proposed patch.

r=me
Comment 3 Yusuke Suzuki 2021-04-26 12:06:18 PDT
Comment on attachment 427073
proposed patch.

Ah, wait. When will we hit 0 accessor? I don't think we should not hit that.
Comment 4 Mark Lam 2021-04-26 12:20:33 PDT
(In reply to Yusuke Suzuki from comment #3)
> Comment on attachment 427073
> proposed patch.
> 
> Ah, wait. When will we hit 0 accessor? I don't think we should not hit that.

Builtin typedArrayMerge() does assignment into the dst array, and reads from the src array.  Builtin typedArrayMergeSort() swaps dst and src array for each width iteration.  So, the regular array temp will be accessed as dst and src on different iterations, and accessors can get involved.
Comment 5 Mark Lam 2021-04-26 14:04:32 PDT
Thanks for the review.  Landed in r276612: <http://trac.webkit.org/r276612>.
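
The behaviour described in comment 4, as an added example that is not part of the bug report or the WebKit patch: a simplified user-land merge sort that swaps src and dst on each width iteration, showing that a regular-array temp buffer routes index reads and writes through an accessor on `Array.prototype` while a typed-array temp buffer does not. The names `merge`, `mergeSort` and `countAccessorHits` are hypothetical and do not reproduce JavaScriptCore's builtins.

```javascript
// Simplified model of a bottom-up merge sort (hypothetical names, not
// JavaScriptCore's typedArrayMerge/typedArrayMergeSort builtins).
function merge(dst, src, lo, mid, hi) {
  let l = lo, r = mid;
  for (let i = lo; i < hi; i++) {
    // Reads from src and writes into dst are ordinary property accesses.
    if (l < mid && (r >= hi || src[l] <= src[r])) dst[i] = src[l++];
    else dst[i] = src[r++];
  }
}

function mergeSort(typed, makeTemp) {
  const n = typed.length;
  let src = typed, dst = makeTemp(n);
  for (let width = 1; width < n; width *= 2) {
    for (let lo = 0; lo < n; lo += 2 * width)
      merge(dst, src, lo, Math.min(lo + width, n), Math.min(lo + 2 * width, n));
    const t = src; src = dst; dst = t; // the temp is dst, then src, then dst...
  }
  if (src !== typed) for (let i = 0; i < n; i++) typed[i] = src[i];
  return typed;
}

// Counts how often an accessor on Array.prototype[0] fires during one sort.
function countAccessorHits(makeTemp) {
  let hits = 0;
  Object.defineProperty(Array.prototype, 0, {
    configurable: true,
    get() { hits++; return undefined; }, // read of a hole at index 0
    set(_value) { hits++; },             // write to a hole at index 0
  });
  const data = Int32Array.of(5, 3, 8, 1, 9, 2); // constructed sample input
  try {
    mergeSort(data, makeTemp);
  } finally {
    delete Array.prototype[0]; // always restore the prototype
  }
  return { hits, result: Array.from(data) };
}

// Regular array temp: holes at index 0 fall through to the prototype accessor.
const viaArray = countAccessorHits((n) => new Array(n));
// Typed array temp: valid integer indices never consult the prototype chain.
const viaTyped = countAccessorHits((n) => new Int32Array(n));
console.log(viaArray, viaTyped);
```

With the regular-array temp the accessor is invoked and the sorted output is corrupted, because the value written to index 0 is never stored; with the typed-array temp the accessor is never reached.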