Reviewers: ulan,
Description:
Ensure capacity when adding parts in String.replace.
[email protected]
BUG=v8:2289
TEST=regress-2289.js
Please review this at https://chromiumcodereview.appspot.com/10830304/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files:
M src/runtime.cc
A + test/mjsunit/regress/regress-2289.js
Index: src/runtime.cc
diff --git a/src/runtime.cc b/src/runtime.cc
index
146607def5edb2814ca921b4149269b49bf7f89f..d4d18c41679fc1d1b670b9298a01df2219b9c1ce
100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -3128,6 +3128,7 @@ MUST_USE_RESULT static MaybeObject*
StringReplaceRegExpWithString(
if (global_cache.HasException()) return Failure::Exception();
if (prev < subject_length) {
+ builder.EnsureCapacity(2);
builder.AddSubjectSlice(prev, subject_length);
}
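Review bot: The literal `2` in `builder.EnsureCapacity(2);` is unexplained at the call site, so a reader cannot tell why the trailing slice reserves two entries rather than one. Presumably `AddSubjectSlice` can emit up to two builder entries when the position or length does not fit its compact encoding. If so, a comment such as `// A subject slice may occupy two entries; reserve both before adding the tail.` would record that. The body of `StringReplaceRegExpWithString` starts and ends outside this hunk, so the other `AddSubjectSlice` calls are not visible here. It is worth confirming that each is also preceded by a capacity reservation, since an unreserved add would likely write past the builder's backing array in builds where the assert is compiled out.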
Index: test/mjsunit/regress/regress-2289.js
diff --git a/test/mjsunit/regress/regress-113924.js
b/test/mjsunit/regress/regress-2289.js
similarity index 93%
copy from test/mjsunit/regress/regress-113924.js
copy to test/mjsunit/regress/regress-2289.js
index
3ecdec48f219b9ea545702ebf3a396debe7a93f8..e89ec6e1430751d8abd8ef9a50f133bc892d80cd
100644
--- a/test/mjsunit/regress/regress-113924.js
+++ b/test/mjsunit/regress/regress-2289.js
@@ -25,7 +25,10 @@
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-var count=12000;
-while(count--) {
- eval("var a = new Object(10); a[2] += 7;");
-}
+var foo = "a";
+for (var i = 0; i < 12; i++) foo += foo;
+foo = foo + 'b' + foo;
+
+foo.replace(/b/, "a");
+
+
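Review bot: The new test discards the result of `foo.replace(/b/, "a")`, so it can only fail by crashing or tripping an assert and would pass silently if the tail slice were dropped or truncated. Pinning the output makes the regression visible in release builds too, for example `assertEquals(foo.length, foo.replace(/b/, "a").length);`. A one-line comment saying why the subject is built up to several thousand characters (presumably to push the trailing slice past the compact slice encoding) would also keep a later edit from shrinking the string below the size that triggers the bug.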