Reviewers: Yang,
Description:
Do not use Array.prototype.push in String.prototype.split.
This is not allowed because push can be monkey-patched.
Please review this at https://codereview.chromium.org/17391016/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files:
M src/string.js
A + test/mjsunit/regress/string-split-monkey-patching.js
Index: src/string.js
diff --git a/src/string.js b/src/string.js
index
a04b23f7dbb0e54e1b9df385d275a27465e2220d..87b6dafb42d7cc1ce0454918daba97b6f2c6dc76
100644
--- a/src/string.js
+++ b/src/string.js
@@ -663,13 +663,13 @@ function StringSplitOnRegExp(subject, separator,
limit, length) {
while (true) {
if (startIndex === length) {
- result.push(%_SubString(subject, currentIndex, length));
+ result[result.length] = %_SubString(subject, currentIndex, length);
break;
}
var matchInfo = DoRegExpExec(separator, subject, startIndex);
if (matchInfo == null || length === (startMatch =
matchInfo[CAPTURE0])) {
- result.push(%_SubString(subject, currentIndex, length));
+ result[result.length] = %_SubString(subject, currentIndex, length);
break;
}
var endIndex = matchInfo[CAPTURE1];
@@ -680,7 +680,7 @@ function StringSplitOnRegExp(subject, separator, limit,
length) {
continue;
}
- result.push(%_SubString(subject, currentIndex, startMatch));
+ result[result.length] = %_SubString(subject, currentIndex, startMatch);
if (result.length === limit) break;
@@ -689,9 +689,9 @@ function StringSplitOnRegExp(subject, separator, limit,
length) {
var start = matchInfo[i++];
var end = matchInfo[i++];
if (end != -1) {
- result.push(%_SubString(subject, start, end));
+ result[result.length] = %_SubString(subject, start, end);
} else {
- result.push(void 0);
+ result[result.length] = void 0;
}
if (result.length === limit) break outer_loop;
}
Index: test/mjsunit/regress/string-split-monkey-patching.js
diff --git a/test/cctest/test-platform.cc
b/test/mjsunit/regress/string-split-monkey-patching.js
similarity index 86%
copy from test/cctest/test-platform.cc
copy to test/mjsunit/regress/string-split-monkey-patching.js
index
6c20b853c5e7408b1877ee74617c01c3fc32ed5f..fe1b040fbfd8f823108014c59c5177a5bbb926e6
100644
--- a/test/cctest/test-platform.cc
+++ b/test/mjsunit/regress/string-split-monkey-patching.js
@@ -25,13 +25,11 @@
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#include <stdlib.h>
+// Test that String.prototype.split with an regexp does not call the
+// monkey-patchable Array.prototy.push.
-#include "cctest.h"
-#include "platform.h"
-
-using namespace ::v8::internal;
-
-TEST(NumberOfCores) {
- CHECK_GT(OS::NumberOfCores(), 0);
-}
+Array.prototype.push = assertUnreachable;
+"-".split(/-/);
+"I-must-not-use-push!".split(/-/);
+"Oh-no!".split(/(-)/);
+"a".split(/(a)|(b)/);
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
