https://bugs.webkit.org/show_bug.cgi?id=191731
<rdar://problem/
46017305>
Reviewed by Saam Barati.
JSTests:
* stress/regress-191731.js: Added.
Source/JavaScriptCore:
This is because if lastIndex is an object with a valueOf() method, it can execute
arbitrary code which may have side effects, and side effects are not permitted by
the RegExp fast paths.
* builtins/RegExpPrototype.js:
(globalPrivate.hasObservableSideEffectsForRegExpMatch):
(overriddenName.string_appeared_here.search):
(globalPrivate.hasObservableSideEffectsForRegExpSplit):
(intrinsic.RegExpTestIntrinsic.test):
* builtins/StringPrototype.js:
(globalPrivate.hasObservableSideEffectsForStringReplace):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@238267
268f45cc-cd09-0410-ab3c-
d52691b4dbfc
+2018-11-15 Mark Lam <mark.lam@apple.com>
+
+ RegExp operations should not take fast patch if lastIndex is not numeric.
+ https://bugs.webkit.org/show_bug.cgi?id=191731
+ <rdar://problem/46017305>
+
+ Reviewed by Saam Barati.
+
+ * stress/regress-191731.js: Added.
+
2018-11-13 Saam Barati <sbarati@apple.com>
TypeProfileLog::processLogEntries should stash away any pending exceptions and re-apply them to the VM
--- /dev/null
+function assertEq(actual, expected) {
+ if (actual != expected)
+ throw ("Expected: " + expected + ", actual: " + actual);
+}
+
+function foo(arr, regexp, str) {
+ regexp[Symbol.match](str);
+ arr[1] = 3.54484805889626e-310;
+ return arr[0];
+}
+
+let arr = [1.1, 2.2, 3.3];
+let regexp = /a/y;
+
+for (let i = 0; i < 10000; i++)
+ foo(arr, regexp, "abcd");
+
+regexp.lastIndex = {
+ valueOf: () => {
+ arr[0] = arr;
+ return 0;
+ }
+};
+let result = foo(arr, regexp, "abcd");
+
+assertEq(arr[1], "3.54484805889626e-310");
+assertEq(result, ",3.54484805889626e-310,3.3");
+2018-11-15 Mark Lam <mark.lam@apple.com>
+
+ RegExp operations should not take fast patch if lastIndex is not numeric.
+ https://bugs.webkit.org/show_bug.cgi?id=191731
+ <rdar://problem/46017305>
+
+ Reviewed by Saam Barati.
+
+ This is because if lastIndex is an object with a valueOf() method, it can execute
+ arbitrary code which may have side effects, and side effects are not permitted by
+ the RegExp fast paths.
+
+ * builtins/RegExpPrototype.js:
+ (globalPrivate.hasObservableSideEffectsForRegExpMatch):
+ (overriddenName.string_appeared_here.search):
+ (globalPrivate.hasObservableSideEffectsForRegExpSplit):
+ (intrinsic.RegExpTestIntrinsic.test):
+ * builtins/StringPrototype.js:
+ (globalPrivate.hasObservableSideEffectsForStringReplace):
+
2018-11-15 Keith Rollin <krollin@apple.com>
Delete old .xcfilelist files
/*
- * Copyright (C) 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
{
"use strict";
+ if (!@isRegExpObject(regexp))
+ return true;
+
// This is accessed by the RegExpExec internal function.
let regexpExec = @tryGetById(regexp, "exec");
if (regexpExec !== @regExpBuiltinExec)
if (regexpUnicode !== @regExpProtoUnicodeGetter)
return true;
- return !@isRegExpObject(regexp);
+ return typeof regexp.lastIndex !== "number";
}
@globalPrivate
let regexp = this;
// Check for observable side effects and call the fast path if there aren't any.
- if (@isRegExpObject(regexp) && @tryGetById(regexp, "exec") === @regExpBuiltinExec)
+ if (@isRegExpObject(regexp)
+ && @tryGetById(regexp, "exec") === @regExpBuiltinExec
+ && typeof regexp.lastIndex === "number")
return @regExpSearchFast.@call(regexp, strArg);
// 1. Let rx be the this value.
{
"use strict";
+ if (!@isRegExpObject(regexp))
+ return true;
+
// This is accessed by the RegExpExec internal function.
let regexpExec = @tryGetById(regexp, "exec");
if (regexpExec !== @regExpBuiltinExec)
let regexpSource = @tryGetById(regexp, "source");
if (regexpSource !== @regExpProtoSourceGetter)
return true;
-
- return !@isRegExpObject(regexp);
+
+ return typeof regexp.lastIndex !== "number";
}
// ES 21.2.5.11 RegExp.prototype[@@split](string, limit)
let regexp = this;
// Check for observable side effects and call the fast path if there aren't any.
- if (@isRegExpObject(regexp) && @tryGetById(regexp, "exec") === @regExpBuiltinExec)
+ if (@isRegExpObject(regexp)
+ && @tryGetById(regexp, "exec") === @regExpBuiltinExec
+ && typeof regexp.lastIndex === "number")
return @regExpTestFast.@call(regexp, strArg);
// 1. Let R be the this value.
/*
* Copyright (C) 2015 Andy VanWagoner <andy@vanwagoner.family>.
* Copyright (C) 2016 Yusuke Suzuki <utatane.tea@gmail.com>
- * Copyright (C) 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
{
"use strict";
+ if (!@isRegExpObject(regexp))
+ return true;
+
if (replacer !== @regExpPrototypeSymbolReplace)
return true;
if (regexpUnicode !== @regExpProtoUnicodeGetter)
return true;
- return !@isRegExpObject(regexp);
+ return typeof regexp.lastIndex !== "number";
}
@intrinsic=StringPrototypeReplaceIntrinsic
git://git.webkit.org / WebKit-https.git / commitdiff