From cbdf814ee25841ce2130e6d58b0ac607b508f045 Mon Sep 17 00:00:00 2001
From: Tor Andersson <tor.andersson@artifex.com>
Date: Tue, 15 May 2018 13:41:26 +0200
Subject: [PATCH] Handle undefined and unset array slots separately in
 Array.prototype.sort.

---
 jsarray.c | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/jsarray.c b/jsarray.c
index 46599e3..cf0aee6 100644
--- a/jsarray.c
+++ b/jsarray.c
@@ -288,7 +288,7 @@ static int sortcmp(const void *avoid, const void *bvoid)
 static void Ap_sort(js_State *J)
 {
 	struct sortslot *array = NULL;
-	int i, len;
+	int i, n, len;
 
 	len = js_getlength(J, 0);
 
@@ -298,19 +298,25 @@ static void Ap_sort(js_State *J)
 		js_throw(J);
 	}
 
+	n = 0;
 	for (i = 0; i < len; ++i) {
-		js_getindex(J, 0, i);
-		array[i].v = *js_tovalue(J, -1);
-		array[i].J = J;
-		js_pop(J, 1);
+		if (js_hasindex(J, 0, i)) {
+			array[n].v = *js_tovalue(J, -1);
+			array[n].J = J;
+			js_pop(J, 1);
+			++n;
+		}
 	}
 
-	qsort(array, len, sizeof *array, sortcmp);
+	qsort(array, n, sizeof *array, sortcmp);
 
-	for (i = 0; i < len; ++i) {
+	for (i = 0; i < n; ++i) {
 		js_pushvalue(J, array[i].v);
 		js_setindex(J, 0, i);
 	}
+	for (i = n; i < len; ++i) {
+		js_delindex(J, 0, i);
+	}
 
 	js_endtry(J);
 	js_free(J, array);