Bug 225062 - %TypedArray%.prototype.sort() should not use a regular array as a temp buffer.
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Mark Lam
Keywords: InRadar
Reported: 2021-04-26 11:28 PDT by Mark Lam
Modified: 2021-04-26 14:04 PDT
Attachments
proposed patch. (2.90 KB, patch)
2021-04-26 11:56 PDT, Mark Lam
ysuzuki: review+
Description Mark Lam 2021-04-26 11:28:00 PDT
rdar://77021547
Comment 1 Mark Lam 2021-04-26 11:56:04 PDT
Created attachment 427073
proposed patch.
Comment 2 Yusuke Suzuki 2021-04-26 12:03:52 PDT
Comment on attachment 427073
proposed patch.

r=me
Comment 3 Yusuke Suzuki 2021-04-26 12:06:18 PDT
Comment on attachment 427073
proposed patch.

Ah, wait. When will we hit 0 accessor? I don't think we should not hit that.
Comment 4 Mark Lam 2021-04-26 12:20:33 PDT
(In reply to Yusuke Suzuki from comment #3)
> Comment on attachment 427073
> proposed patch.
> 
> Ah, wait. When will we hit 0 accessor? I don't think we should not hit that.

Builtin typedArrayMerge() does assignment into the dst array, and reads from the src array.  Builtin typedArrayMergeSort() swaps dst and src array for each width iteration.  So, the regular array temp will be accessed as dst and src on different iterations, and accessors can get involved.
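
The mechanism described in comment 4, as an added user-land sketch (not the JavaScriptCore builtins and not the patch): `merge()`, `mergeSort()` and `probe()` are hypothetical names, the input is constructed, and the typed-array temp is an assumed alternative because the patch itself is not shown on this page. It goes slightly beyond the comment by counting the accessor calls and returning the resulting output.

```javascript
// Added illustration. merge()/mergeSort() are hypothetical user-land stand-ins
// for the builtins named in comment 4, not JavaScriptCore source.
function merge(dst, src, start, width, end) {
  const leftEnd = Math.min(start + width, end);
  const rightEnd = Math.min(start + 2 * width, end);
  let left = start, right = leftEnd;
  for (let i = start; i < rightEnd; i++) {
    const takeLeft = left < leftEnd &&
      (right >= rightEnd || src[left] <= src[right]);
    dst[i] = takeLeft ? src[left++] : src[right++]; // write dst, read src
  }
}

function mergeSort(typed, makeTemp) {
  const n = typed.length;
  let src = typed, dst = makeTemp(typed);
  for (let width = 1; width < n; width *= 2) {
    for (let s = 0; s < n; s += 2 * width) merge(dst, src, s, width, n);
    const t = src; src = dst; dst = t; // roles swap on every width iteration
  }
  if (src !== typed) typed.set(src); // copy back if the result ended in temp
  return typed;
}

// Sort a constructed sample while an accessor sits on Array.prototype[0],
// the "0 accessor" asked about in comment 3, and count how often it runs.
function probe(makeTemp) {
  let gets = 0, sets = 0;
  const sample = new Int32Array([3, 1, 2, 0]); // constructed input
  Object.defineProperty(Array.prototype, 0, {
    configurable: true,
    get() { gets++; return undefined; },
    set(_value) { sets++; }, // the write is swallowed, the hole stays a hole
  });
  try {
    mergeSort(sample, makeTemp);
  } finally {
    delete Array.prototype[0]; // always restore the prototype
  }
  return { gets, sets, result: Array.from(sample) };
}

const regularTemp = (t) => new Array(t.length);       // holes: lookups reach the prototype
const typedTemp = (t) => new t.constructor(t.length); // own elements only (assumed alternative)

console.log("regular array temp:", probe(regularTemp));
console.log("typed array temp:  ", probe(typedTemp));
```

With the regular-array temp, the write to index 0 lands in the prototype setter and later reads of that index go through the getter, so the output is no longer a sorted copy of the input; with the typed-array temp the accessor is never consulted.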
Comment 5 Mark Lam 2021-04-26 14:04:32 PDT
Thanks for the review.  Landed in r276612: <http://trac.webkit.org/r276612>.