Bug 1456973 - Add explicit ToNumber in wrappedCompareFn in TypedArraySort. r=jorendorff
authorAshley Hauck <khyperia@mozilla.com>
Tue, 21 Aug 2018 10:16:00 +0300
changeset 433474 4e65beb5c226
parent 433473 ba637657bbf8
child 433498 a34520293b38
push id107086
push usercsabou@mozilla.com
push dateMon, 27 Aug 2018 15:10:07 +0000
reviewersjorendorff
bugs1456973
milestone63.0a1
Bug 1456973 - Add explicit ToNumber in wrappedCompareFn in TypedArraySort. r=jorendorff
js/src/builtin/TypedArray.js
js/src/tests/non262/TypedArray/sort-tonumber.js
--- a/js/src/builtin/TypedArray.js
+++ b/js/src/builtin/TypedArray.js
@@ -1208,17 +1208,17 @@ function TypedArraySort(comparefn) {
         }
         return QuickSort(obj, len, TypedArrayCompare);
     }
 
     // To satisfy step 2 from TypedArray SortCompare described in 22.2.3.26
     // the user supplied comparefn is wrapped.
     var wrappedCompareFn = function(x, y) {
         // Step a.
-        var v = comparefn(x, y);
+        var v = +comparefn(x, y);
 
         // Step b.
         var length;
         if (isTypedArray) {
             length = TypedArrayLength(obj);
         } else {
             length = callFunction(CallTypedArrayMethodIfWrapped, obj, "TypedArrayLengthMethod");
         }
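Review bot: The `// Step a.` comment above the changed line in wrappedCompareFn does not say why the unary plus is there, so a later cleanup could drop it as a redundant conversion. The coercion can call back into user code (`valueOf` or `Symbol.toPrimitive`), and that code may detach the buffer, so it has to finish before the detached-buffer check that presumably follows the length computation in step b. I would expand the comment to `// Step a. ToNumber via unary plus: the coercion may run user code, so it must complete before the detached-buffer check below.` The body of wrappedCompareFn continues past the end of the hunk, so the check itself is not visible here.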
new file mode 100644
--- /dev/null
+++ b/js/src/tests/non262/TypedArray/sort-tonumber.js
@@ -0,0 +1,29 @@
+var BUGNUMBER = 230216;
+var summary = 'Ensure ToNumber is called on the result of compareFn inside TypedArray.prototype.sort';
+
+printBugNumber(BUGNUMBER);
+printStatus(summary);
+
+var ta = new Int32Array(4);
+var ab = ta.buffer;
+
+var called = false;
+try {
+  ta.sort(function(a, b) {
+    // IsDetachedBuffer is checked right after calling the compare function.
+    // The order of operations is:
+    // var tmp = compareFn(a, b)
+    // var res = ToNumber(tmp)
+    // if IsDetachedBuffer, throw TypeError
+    // [...]
+    // inspect `res` to determine sorting (calling ToNumber in the process)
+    // So, detach the ArrayBuffer to throw, to make sure we're actually calling ToNumber immediately (as spec'd)
+    detachArrayBuffer(ab);
+    return {
+      [Symbol.toPrimitive]() { called = true; }
+    };
+  });
+} catch (e) { }
+
+if (typeof reportCompare === "function")
+    reportCompare(true, called);
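Review bot: `BUGNUMBER` is set to 230216 on the first line of the new test, while the commit is filed under bug 1456973; the line should read `var BUGNUMBER = 1456973;` so the test output points at the right report. The empty `catch (e) { }` also accepts any exception, so the test confirms that the `Symbol.toPrimitive` hook ran but not that `sort` then threw a TypeError for the detached buffer. Recording the caught value and also checking `e instanceof TypeError` would pin both halves of the ordering that the in-test comment describes.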