- Revision
- 238302
- Author
- kocsen_ch...@apple.com
- Date
- 2018-11-16 14:15:23 -0800 (Fri, 16 Nov 2018)
Log Message
Cherry-pick r238267. rdar://problem/46138752
2018-11-15 Mark Lam <mark....@apple.com>
RegExp operations should not take fast path if lastIndex is not numeric.
https://bugs.webkit.org/show_bug.cgi?id=191731
<rdar://problem/46017305>
Reviewed by Saam Barati.
JSTests:
* stress/regress-191731.js: Added.
Source/_javascript_Core:
This is because if lastIndex is an object with a valueOf() method, it can execute
arbitrary code which may have side effects, and side effects are not permitted by
the RegExp fast paths.
* builtins/RegExpPrototype.js:
(globalPrivate.hasObservableSideEffectsForRegExpMatch):
(overriddenName.string_appeared_here.search):
(globalPrivate.hasObservableSideEffectsForRegExpSplit):
(intrinsic.RegExpTestIntrinsic.test):
* builtins/StringPrototype.js:
(globalPrivate.hasObservableSideEffectsForStringReplace):
Modified: branches/safari-606.4.1.2-branch/JSTests/ChangeLog (238301 => 238302)
--- branches/safari-606.4.1.2-branch/JSTests/ChangeLog 2018-11-16 22:11:40 UTC (rev 238301)
+++ branches/safari-606.4.1.2-branch/JSTests/ChangeLog 2018-11-16 22:15:23 UTC (rev 238302)
@@ -1,3 +1,17 @@
+2018-11-15 Mark Lam <mark....@apple.com>
+
+ Cherry-pick r238267. rdar://problem/46032438
+
+ 2018-11-15 Mark Lam <mark....@apple.com>
+
+ RegExp operations should not take fast patch if lastIndex is not numeric.
+ https://bugs.webkit.org/show_bug.cgi?id=191731
+ <rdar://problem/46017305>
+
+ Reviewed by Saam Barati.
+
+ * stress/regress-191731.js: Added.
+
2018-10-28 Babak Shafiei <bshaf...@apple.com>
Cherry-pick r237326. rdar://problem/45363533
Added: branches/safari-606.4.1.2-branch/JSTests/stress/regress-191731.js (0 => 238302)
--- branches/safari-606.4.1.2-branch/JSTests/stress/regress-191731.js (rev 0)
+++ branches/safari-606.4.1.2-branch/JSTests/stress/regress-191731.js 2018-11-16 22:15:23 UTC (rev 238302)
@@ -0,0 +1,27 @@
+function assertEq(actual, expected) {
+ if (actual != expected)
+ throw ("Expected: " + expected + ", actual: " + actual);
+}
+
+function foo(arr, regexp, str) {
+ regexp[Symbol.match](str);
+ arr[1] = 3.54484805889626e-310;
+ return arr[0];
+}
+
+let arr = [1.1, 2.2, 3.3];
+let regexp = /a/y;
+
+for (let i = 0; i < 10000; i++)
+ foo(arr, regexp, "abcd");
+
+regexp.lastIndex = {
+ valueOf: () => {
+ arr[0] = arr;
+ return 0;
+ }
+};
+let result = foo(arr, regexp, "abcd");
+
+assertEq(arr[1], "3.54484805889626e-310");
+assertEq(result, ",3.54484805889626e-310,3.3");
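Review bot: The test only drives `regexp[Symbol.match](str)` inside `foo`, while the same commit adds the numeric-`lastIndex` check to the search, split, test and String.prototype.replace paths, so a regression in any of those four guards would not be caught here. Consider running the same warm-up loop and `valueOf` object through each of them, for example by passing the operation into `foo` as a callback such as `(re, s) => re.test(s)`. A short header comment saying what the two assertions pin (that the store to `arr[1]` after the call reflects the array as `valueOf` left it) would also help, because the expected strings are not self-explanatory and rely on `!=` coercing the number to a string.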
Modified: branches/safari-606.4.1.2-branch/Source/_javascript_Core/ChangeLog (238301 => 238302)
--- branches/safari-606.4.1.2-branch/Source/_javascript_Core/ChangeLog 2018-11-16 22:11:40 UTC (rev 238301)
+++ branches/safari-606.4.1.2-branch/Source/_javascript_Core/ChangeLog 2018-11-16 22:15:23 UTC (rev 238302)
@@ -1,3 +1,27 @@
+2018-11-15 Mark Lam <mark....@apple.com>
+
+ Cherry-pick r238267. rdar://problem/46032438
+
+ 2018-11-15 Mark Lam <mark....@apple.com>
+
+ RegExp operations should not take fast patch if lastIndex is not numeric.
+ https://bugs.webkit.org/show_bug.cgi?id=191731
+ <rdar://problem/46017305>
+
+ Reviewed by Saam Barati.
+
+ This is because if lastIndex is an object with a valueOf() method, it can execute
+ arbitrary code which may have side effects, and side effects are not permitted by
+ the RegExp fast paths.
+
+ * builtins/RegExpPrototype.js:
+ (globalPrivate.hasObservableSideEffectsForRegExpMatch):
+ (overriddenName.string_appeared_here.search):
+ (globalPrivate.hasObservableSideEffectsForRegExpSplit):
+ (intrinsic.RegExpTestIntrinsic.test):
+ * builtins/StringPrototype.js:
+ (globalPrivate.hasObservableSideEffectsForStringReplace):
+
2018-10-28 Babak Shafiei <bshaf...@apple.com>
Cherry-pick r237325. rdar://problem/45363533
Modified: branches/safari-606.4.1.2-branch/Source/_javascript_Core/builtins/RegExpPrototype.js (238301 => 238302)
--- branches/safari-606.4.1.2-branch/Source/_javascript_Core/builtins/RegExpPrototype.js 2018-11-16 22:11:40 UTC (rev 238301)
+++ branches/safari-606.4.1.2-branch/Source/_javascript_Core/builtins/RegExpPrototype.js 2018-11-16 22:15:23 UTC (rev 238302)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -67,6 +67,9 @@
{
"use strict";
+ if (!@isRegExpObject(regexp))
+ return true;
+
// This is accessed by the RegExpExec internal function.
let regexpExec = @tryGetById(regexp, "exec");
if (regexpExec !== @regExpBuiltinExec)
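Review bot: The new early `@isRegExpObject` return is what appears to make the plain `regexp.lastIndex` read at the end of this function safe, yet nothing in the code says so; every other read here goes through `@tryGetById`, presumably so that it cannot run a user-defined getter. A comment on the guard would keep someone from moving it back below the other checks, e.g. `// Must come first: the lastIndex read below is a plain get, which is only known to be side-effect free on a real RegExp object.` The same guard is added without comment at the top of the split helper (`@@ -358,6 +363,9 @@`) and of the replace helper in StringPrototype.js (`@@ -195,6 +195,9 @@`). The function starts and ends outside this hunk.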
@@ -79,7 +82,7 @@
if (regexpUnicode !== @regExpProtoUnicodeGetter)
return true;
- return !@isRegExpObject(regexp);
+ return typeof regexp.lastIndex !== "number";
}
@globalPrivate
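Review bot: The final `return typeof regexp.lastIndex !== "number";` is the actual fix but carries no comment, unlike the earlier check that is marked `// This is accessed by the RegExpExec internal function.` I would add above it `// A non-number lastIndex gets coerced during exec and may call valueOf(), which can run arbitrary code.`, which is the rationale the ChangeLog gives. The same uncommented check appears at the end of the split and replace helpers and as the third clause of the search and test fast-path conditions, so the comment is worth repeating or referencing there. The start of this function lies outside the hunk.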
@@ -315,7 +318,9 @@
let regexp = this;
// Check for observable side effects and call the fast path if there aren't any.
- if (@isRegExpObject(regexp) && @tryGetById(regexp, "exec") === @regExpBuiltinExec)
+ if (@isRegExpObject(regexp)
+ && @tryGetById(regexp, "exec") === @regExpBuiltinExec
+ && typeof regexp.lastIndex === "number")
return @regExpSearchFast.@call(regexp, strArg);
// 1. Let rx be the this value.
@@ -358,6 +363,9 @@
{
"use strict";
+ if (!@isRegExpObject(regexp))
+ return true;
+
// This is accessed by the RegExpExec internal function.
let regexpExec = @tryGetById(regexp, "exec");
if (regexpExec !== @regExpBuiltinExec)
@@ -389,8 +397,8 @@
let regexpSource = @tryGetById(regexp, "source");
if (regexpSource !== @regExpProtoSourceGetter)
return true;
-
- return !@isRegExpObject(regexp);
+
+ return typeof regexp.lastIndex !== "number";
}
// ES 21.2.5.11 RegExp.prototype[@@split](string, limit)
@@ -536,7 +544,9 @@
let regexp = this;
// Check for observable side effects and call the fast path if there aren't any.
- if (@isRegExpObject(regexp) && @tryGetById(regexp, "exec") === @regExpBuiltinExec)
+ if (@isRegExpObject(regexp)
+ && @tryGetById(regexp, "exec") === @regExpBuiltinExec
+ && typeof regexp.lastIndex === "number")
return @regExpTestFast.@call(regexp, strArg);
// 1. Let R be the this value.
Modified: branches/safari-606.4.1.2-branch/Source/_javascript_Core/builtins/StringPrototype.js (238301 => 238302)
--- branches/safari-606.4.1.2-branch/Source/_javascript_Core/builtins/StringPrototype.js 2018-11-16 22:11:40 UTC (rev 238301)
+++ branches/safari-606.4.1.2-branch/Source/_javascript_Core/builtins/StringPrototype.js 2018-11-16 22:15:23 UTC (rev 238302)
@@ -1,7 +1,7 @@
/*
* Copyright (C) 2015 Andy VanWagoner <andy@vanwagoner.family>.
* Copyright (C) 2016 Yusuke Suzuki <utatane....@gmail.com>
- * Copyright (C) 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -195,6 +195,9 @@
{
"use strict";
+ if (!@isRegExpObject(regexp))
+ return true;
+
if (replacer !== @regExpPrototypeSymbolReplace)
return true;
@@ -210,7 +213,7 @@
if (regexpUnicode !== @regExpProtoUnicodeGetter)
return true;
- return !@isRegExpObject(regexp);
+ return typeof regexp.lastIndex !== "number";
}
@intrinsic=StringPrototypeReplaceIntrinsic