Status: Accepted Owner: [email protected] Labels: Type-Bug Priority-Medium
New issue 201 by [email protected]: array.sort() crash http://code.google.com/p/v8/issues/detail?id=201 The following crashes V8: function testsort(n) { n=1*n; var numbers=new Array(n); for (var i=0;i<n;i++) numbers[i]=i; numbers.sort(); // this crashes when n>5000. } testsort("5001") The problem is that the array length becomes a heap number instead of a smi. This is not handled in JSArray::RemoveHoles. -- You received this message because you are listed in the owner or CC fields of this issue, or because you starred this issue. You may adjust your issue notification preferences at: http://code.google.com/hosting/settings --~--~---------~--~----~------------~-------~--~----~ v8-dev mailing list [email protected] http://groups.google.com/group/v8-dev -~----------~----~----~----~------~----~------~--~---
