Title: [258801] trunk
Revision
258801
Author
ross.kirsl...@sony.com
Date
2020-03-20 17:38:45 -0700 (Fri, 20 Mar 2020)

Log Message

hasObservableSideEffectsForRegExpSplit doesn't check for @@match override
https://bugs.webkit.org/show_bug.cgi?id=209363

Reviewed by Michael Saboff.

JSTests:

* test262/expectations.yaml:
Mark two test cases as passing.

Source/_javascript_Core:

Our RegExp.prototype[@@split] implementation has a fast path for unadulterated RegExp objects,
but we're using that fast path even when @@match has been overridden.

This is illegitimate because the RegExp species constructor calls IsRegExp, which hits the @@match getter.

* builtins/BuiltinNames.h:
* builtins/RegExpPrototype.js:
(globalPrivate.hasObservableSideEffectsForRegExpSplit):
* bytecode/LinkTimeConstant.h:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):

Modified Paths

Diff

Modified: trunk/JSTests/ChangeLog (258800 => 258801)


--- trunk/JSTests/ChangeLog	2020-03-21 00:27:32 UTC (rev 258800)
+++ trunk/JSTests/ChangeLog	2020-03-21 00:38:45 UTC (rev 258801)
@@ -1,5 +1,15 @@
 2020-03-20  Ross Kirsling  <ross.kirsl...@sony.com>
 
+        hasObservableSideEffectsForRegExpSplit doesn't check for @@match override
+        https://bugs.webkit.org/show_bug.cgi?id=209363
+
+        Reviewed by Michael Saboff.
+
+        * test262/expectations.yaml:
+        Mark two test cases as passing.
+
+2020-03-20  Ross Kirsling  <ross.kirsl...@sony.com>
+
         RegExp.prototype[@@replace] doesn't coerce result index to integer
         https://bugs.webkit.org/show_bug.cgi?id=209323
 

Modified: trunk/JSTests/test262/expectations.yaml (258800 => 258801)


--- trunk/JSTests/test262/expectations.yaml	2020-03-21 00:27:32 UTC (rev 258800)
+++ trunk/JSTests/test262/expectations.yaml	2020-03-21 00:38:45 UTC (rev 258801)
@@ -8,9 +8,6 @@
 test/annexB/built-ins/Function/createdynfn-no-line-terminator-html-close-comment-body.js:
   default: 'Test262Error: Expected a SyntaxError to be thrown but no exception was thrown at all'
   strict mode: 'Test262Error: Expected a SyntaxError to be thrown but no exception was thrown at all'
-test/annexB/built-ins/RegExp/prototype/Symbol.split/Symbol.match-getter-recompiles-source.js:
-  default: 'Test262Error: Expected SameValue(«», «a») to be true'
-  strict mode: 'Test262Error: Expected SameValue(«», «a») to be true'
 test/annexB/language/eval-code/direct/func-block-decl-eval-func-skip-early-err-block.js:
   default: 'Test262Error: An initialized binding is not created prior to evaluation Expected a ReferenceError to be thrown but no exception was thrown at all'
 test/annexB/language/eval-code/direct/func-block-decl-eval-func-skip-early-err-for-in.js:

Modified: trunk/Source/_javascript_Core/ChangeLog (258800 => 258801)


--- trunk/Source/_javascript_Core/ChangeLog	2020-03-21 00:27:32 UTC (rev 258800)
+++ trunk/Source/_javascript_Core/ChangeLog	2020-03-21 00:38:45 UTC (rev 258801)
@@ -1,5 +1,24 @@
 2020-03-20  Ross Kirsling  <ross.kirsl...@sony.com>
 
+        hasObservableSideEffectsForRegExpSplit doesn't check for @@match override
+        https://bugs.webkit.org/show_bug.cgi?id=209363
+
+        Reviewed by Michael Saboff.
+
+        Our RegExp.prototype[@@split] implementation has a fast path for unadultered RegExp objects,
+        but we're using that fast path even when @@match has been overridden.
+
+        This is illegitimate because the RegExp species constructor calls IsRegExp, which hits the @@match getter.
+
+        * builtins/BuiltinNames.h:
+        * builtins/RegExpPrototype.js:
+        (globalPrivate.hasObservableSideEffectsForRegExpSplit):
+        * bytecode/LinkTimeConstant.h:
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::init):
+
+2020-03-20  Ross Kirsling  <ross.kirsl...@sony.com>
+
         RegExp.prototype[@@replace] doesn't coerce result index to integer
         https://bugs.webkit.org/show_bug.cgi?id=209323
 

Modified: trunk/Source/_javascript_Core/builtins/BuiltinNames.h (258800 => 258801)


--- trunk/Source/_javascript_Core/builtins/BuiltinNames.h	2020-03-21 00:27:32 UTC (rev 258800)
+++ trunk/Source/_javascript_Core/builtins/BuiltinNames.h	2020-03-21 00:38:45 UTC (rev 258801)
@@ -148,6 +148,7 @@
     macro(regExpProtoSourceGetter) \
     macro(regExpProtoStickyGetter) \
     macro(regExpProtoUnicodeGetter) \
+    macro(regExpPrototypeSymbolMatch) \
     macro(regExpPrototypeSymbolReplace) \
     macro(regExpSearchFast) \
     macro(regExpSplitFast) \

Modified: trunk/Source/_javascript_Core/builtins/RegExpPrototype.js (258800 => 258801)


--- trunk/Source/_javascript_Core/builtins/RegExpPrototype.js	2020-03-21 00:27:32 UTC (rev 258800)
+++ trunk/Source/_javascript_Core/builtins/RegExpPrototype.js	2020-03-21 00:38:45 UTC (rev 258801)
@@ -459,10 +459,12 @@
     if (regexpUnicode !== @regExpProtoUnicodeGetter)
         return true;
     
-    // This is accessed by the RegExp species constructor.
+    // These are accessed by the RegExp species constructor.
     var regexpSource = @tryGetById(regexp, "source");
     if (regexpSource !== @regExpProtoSourceGetter)
         return true;
+    if (regexp.@@match !== @regExpPrototypeSymbolMatch)
+        return true;
 
     return typeof regexp.lastIndex !== "number";
 }
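Review bot: The new guard `regexp.@@match !== @regExpPrototypeSymbolMatch` is an ordinary property get, unlike the `@tryGetById(regexp, "source")` lookup directly above it, so an accessor installed for @@match executes inside this predicate. That makes the side-effect check itself observable (the getter presumably fires a second time when the slow path reaches IsRegExp), and because the getter can run arbitrary script after the unicode and source guards visible earlier in the hunk have passed, those results may no longer hold by the time the fast path is chosen. Consider a non-invoking lookup for the symbol, the well-known-symbol counterpart of `@tryGetById` if the builtins offer one, or at minimum record the limitation with `// Ordinary get: a user @@match getter runs here; earlier guards are not re-validated.` The function begins above this hunk, so the earlier guards could not be reviewed in full.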

Modified: trunk/Source/_javascript_Core/bytecode/LinkTimeConstant.h (258800 => 258801)


--- trunk/Source/_javascript_Core/bytecode/LinkTimeConstant.h	2020-03-21 00:27:32 UTC (rev 258800)
+++ trunk/Source/_javascript_Core/bytecode/LinkTimeConstant.h	2020-03-21 00:38:45 UTC (rev 258801)
@@ -86,6 +86,7 @@
     v(regExpMatchFast, nullptr) \
     v(regExpSearchFast, nullptr) \
     v(regExpSplitFast, nullptr) \
+    v(regExpPrototypeSymbolMatch, nullptr) \
     v(regExpPrototypeSymbolReplace, nullptr) \
     v(regExpTestFast, nullptr) \
     v(stringIncludesInternal, nullptr) \

Modified: trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp (258800 => 258801)


--- trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp	2020-03-21 00:27:32 UTC (rev 258800)
+++ trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp	2020-03-21 00:38:45 UTC (rev 258801)
@@ -986,6 +986,7 @@
     JSFunction* regExpSymbolReplace = jsCast<JSFunction*>(m_regExpPrototype->getDirect(vm, vm.propertyNames->replaceSymbol));
     m_regExpProtoSymbolReplace.set(vm, this, regExpSymbolReplace);
     m_linkTimeConstants[static_cast<unsigned>(LinkTimeConstant::regExpBuiltinExec)].set(vm, this, jsCast<JSFunction*>(m_regExpPrototype->getDirect(vm, vm.propertyNames->exec)));
+    m_linkTimeConstants[static_cast<unsigned>(LinkTimeConstant::regExpPrototypeSymbolMatch)].set(vm, this, m_regExpPrototype->getDirect(vm, vm.propertyNames->matchSymbol).asCell());
     m_linkTimeConstants[static_cast<unsigned>(LinkTimeConstant::regExpPrototypeSymbolReplace)].set(vm, this, m_regExpPrototype->getDirect(vm, vm.propertyNames->replaceSymbol).asCell());
 
     m_linkTimeConstants[static_cast<unsigned>(LinkTimeConstant::isArray)].set(vm, this, arrayConstructor->getDirect(vm, vm.propertyNames->isArray).asCell());
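Review bot: The added `regExpPrototypeSymbolMatch` line stores `getDirect(...).asCell()` with no type check, whereas the `regExpBuiltinExec` line just above wraps the same kind of lookup in `jsCast<JSFunction*>`. The builtin guard compares against this constant by identity, so a missing or non-function value here would quietly change which objects reach the split fast path; I would write `jsCast<JSFunction*>(m_regExpPrototype->getDirect(vm, vm.propertyNames->matchSymbol))` so assert-enabled builds catch it. The existing `regExpPrototypeSymbolReplace` line has the same shape and could be aligned at the same time. JSGlobalObject::init extends well beyond this hunk.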