array's data becomes corrupted once exception raised in sort()'s callback
Reported by skybo...@gmail.com, Sep 18
Issue description
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36
Steps to reproduce the problem:
If an exception is thrown inside a custom callback in Array.prototype.sort, there is a chance the original data is not just misordered but literally corrupted: one item is absent and another one is duplicated.
let a = [1, 3, 2, 6, 4];
let stepToFail = 2;
try {
  a.sort((x1, x2) => {
    if (!stepToFail--) throw "test";
    return x1 - x2;
  });
} catch (e) {
  console.log(JSON.stringify(a));
}
What is the expected behavior?
The items [1, 3, 2, 6, 4] follow in any order; after catching the exception it's possible to continue processing the data in some way.
What went wrong?
[1, 3, 3, 6, 4]; "3" is duplicated, "2" is absent
Did this work before? N/A
Chrome version: 69.0.3497.92 Channel: n/a
OS Version: 10.0
Flash Version:
Sep 19
skyboyer@ Thanks for the update.
Able to reproduce this issue on Windows 10, Mac OS 10.13.3 and Ubuntu 17.10 on the latest Stable 69.0.3497.100. Issue seems to be fixed on the latest Canary 71.0.3552.2 and Beta 70.0.3538.16.
Revert Bisect Information:
==========================
Good Build: 70.0.3530.0
Bad Build : 70.0.3531.0
By running Chromium bisect script, all good builds were coming up. Hence below is the manual Changelog URL from omahaproxy.
https://chromium.googlesource.com/chromium/src/+log/70.0.3530.0..70.0.3531.0?pretty=fuller&n=10000
From the above Changelog, suspecting the below change:
Reviewed-on: https://chromium-review.googlesource.com/1184848
szuend@ Please check and confirm if this issue is related to your change, else help us in assigning to the right owner.
Thanks
Sep 19
susan.boorgula@ that CL is for the tests, it doesn't change anything in Chrome so it's not relevant.
Fixed in r585462 / d21143ef8f069bf5a18f7b3f4c3ec600350794ee "Update V8 to version 7.0.251"
Broken since at least Chrome 24, might be as well since the very first version.
Sep 19
The referenced CL (https://crrev.com/c/1184848) only fixes a broken comparison function in some ChromeOS tests.
Array.prototype.sort was re-implemented in Chrome 70.0.3533. That is the reason why there is a change in behavior.
Regardless of that change, the above example does not really constitute a bug. The comparison function is not "consistent" and as per spec the resulting sort-order is implementation-defined. That includes "inconsistent state" since the exception can be thrown while looking for the right place to put a value or before it can be written back.
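
An added illustration, not part of the issue thread and not V8's source: a textbook in-place insertion sort (an assumed stand-in for an engine's sort) shows how an exception between the shift and the write-back leaves one value duplicated and another missing. `sortAtomically` and the other function names are hypothetical; the helper sorts a copy so the caller's array is never left half-updated.

```javascript
// Textbook insertion sort used as a model; an assumption, not V8's code.
function insertionSortInPlace(arr, compare) {
  for (let i = 1; i < arr.length; i++) {
    const held = arr[i];          // the value exists only in this local while shifting
    let j = i - 1;
    while (j >= 0 && compare(arr[j], held) > 0) {
      arr[j + 1] = arr[j];        // shift right: arr[j] is now present twice
      j--;
    }
    arr[j + 1] = held;            // write-back, never reached if compare() threw
  }
  return arr;
}

// Same shape as the report's comparator: throws on call number failAfter + 1.
function makeFailingComparator(failAfter) {
  let remaining = failAfter;
  return (x1, x2) => {
    if (!remaining--) throw new Error("test");
    return x1 - x2;
  };
}

// Hypothetical helper: sort a copy and commit only if every compare() returned.
function sortAtomically(arr, compare) {
  const sorted = arr.slice().sort(compare);  // a throw here leaves arr untouched
  for (let i = 0; i < sorted.length; i++) arr[i] = sorted[i];
  return arr;
}

// Runs sortFn on the report's input and returns the array state after the throw.
function stateAfterFailure(sortFn) {
  const a = [1, 3, 2, 6, 4];
  try {
    sortFn(a, makeFailingComparator(2));
  } catch (e) {
    // swallowed, as in the report's try/catch
  }
  return a;
}

console.log(JSON.stringify(stateAfterFailure(insertionSortInPlace))); // [1,3,3,6,4]
console.log(JSON.stringify(stateAfterFailure(sortAtomically)));       // [1,3,2,6,4]
```
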
Comment 1 by phanindra.mandapaka@chromium.org, Sep 19