RESOLVED FIXED225062
%TypedArray%.prototype.sort() should not use a regular array as a temp buffer. 
https://bugs.webkit.org/show_bug.cgi?id=225062
Summary %TypedArray%.prototype.sort() should not use a regular array as a temp buffer.
Mark Lam
Reported 2021-04-26 11:28:00 PDT
rdar://77021547
Attachments
proposed patch. (2.90 KB, patch)
2021-04-26 11:56 PDT, Mark Lam 		ysuzuki: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Mark Lam
Comment 1 2021-04-26 11:56:04 PDT
Created attachment 427073 [details] proposed patch.
Yusuke Suzuki
Comment 2 2021-04-26 12:03:52 PDT
Comment on attachment 427073 [details] proposed patch. r=me
Yusuke Suzuki
Comment 3 2021-04-26 12:06:18 PDT
Comment on attachment 427073 [details] proposed patch. Ah, wait. When will we hit 0 accessor? I don't think we should not hit that.
Mark Lam
Comment 4 2021-04-26 12:20:33 PDT
(In reply to Yusuke Suzuki from comment #3) > Comment on attachment 427073 [details] > proposed patch. > > Ah, wait. When will we hit 0 accessor? I don't think we should not hit that. Builtin typedArrayMerge() does assignment into the dst array, and reads from the src array. Builtin typedArrayMergeSort() swaps dst and src array for each width iteration. So, the regular array temp will be accessed as dst and src on different iterations, and accessors can get involved.
Mark Lam
Comment 5 2021-04-26 14:04:32 PDT
Thanks for the review. Landed in r276612: <http://trac.webkit.org/r276612>.
Note You need to log in before you can comment on or make changes to this bug.