http://codereview.chromium.org/1994019/diff/7001/8001 File src/string.js (right):
http://codereview.chromium.org/1994019/diff/7001/8001#newcode406 src/string.js:406: if (start < 0) return; It should be fine. If lastCaptureInfo was created by us (in the RegExp engine), then (start < 0) iff (end < 0). If someone malicious has changed lastCaptureInfo, then we will just get invalid values for SubString, which tests its arguments, and, at most, returns a different substring. http://codereview.chromium.org/1994019/diff/7001/8001#newcode449 src/string.js:449: return subject; It could and probably should. (There used to be a try-finally around it, and I can see I was a little careless when I removed it). http://codereview.chromium.org/1994019/diff/7001/8001#newcode470 src/string.js:470: %_CallFunction(receiver, elem, match_start, subject, replace); I don't think we have a debug assert (Something like %_Assert(expr,str)) would be a logical idea). In this case, we only know it's a function because this function is only called if replace is a function (hence its name "...WithFunction"). http://codereview.chromium.org/1994019/diff/7001/8001#newcode517 src/string.js:517: var s = SubString(subject, index, matchInfo[CAPTURE1]); Good catch. http://codereview.chromium.org/1994019/show -- v8-dev mailing list [email protected] http://groups.google.com/group/v8-dev
