Title: [238303] branches/safari-606.4.1.2-branch
Revision: 238303
Author: [email protected]
Date: 2018-11-16 14:15:27 -0800 (Fri, 16 Nov 2018)

Log Message

Cherry-pick r238270. rdar://problem/46138760

    2018-11-15  Mark Lam  <[email protected]>

    RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
    https://bugs.webkit.org/show_bug.cgi?id=191730
    <rdar://problem/46048517>

    Reviewed by Saam Barati.

JSTests:

    * stress/regress-187006.js: Removed.
      - this test is invalid because its sole purpose is to test for the non-spec
        compliant behavior that we just fixed.

    * stress/regress-191730.js: Added.

Source/JavaScriptCore:

    According to the spec https://www.ecma-international.org/ecma-262/9.0/index.html#sec-regexp.prototype-@@match,
    the RegExp match results are filled in using the spec's CreateDataProperty()
    function which does not consult the prototype for setters.  JSArray::push()
    consults the prototype for setters.  We should be using putDirectIndex() instead.

    * runtime/RegExpObjectInlines.h:
    (JSC::collectMatches):
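
The distinction the log message draws between a setter-consulting store and CreateDataProperty can be checked from script. The following is an added example, not WebKit's code or test; the helper names are hypothetical and the sample strings are constructed. It counts how often an indexed setter on Array.prototype fires under each way of filling an array, then probes the host engine's own global match.

```javascript
// Added example. Helper names are hypothetical; only standard ECMAScript is used.

// Install a counting setter on Array.prototype[index], run fn, then restore.
function withIndexSetter(index, fn) {
    let setterCalls = 0;   // a counter, not an array: pushing here would re-enter the setter
    Object.defineProperty(Array.prototype, index, {
        configurable: true,
        get() { return undefined; },
        set() { setterCalls++; },
    });
    try {
        const value = fn();
        const ownSlot = Object.prototype.hasOwnProperty.call(value, index);
        return { setterCalls, ownSlot, length: value.length };
    } finally {
        delete Array.prototype[index];   // always restore the prototype
    }
}

// [[Set]] semantics: what Array.prototype.push performs for each element.
function fillWithSet(items) {
    const out = [];
    for (let i = 0; i < items.length; i++) out.push(items[i]);
    return out;
}

// CreateDataProperty semantics: define an own data property, never run setters.
function fillWithCreateDataProperty(items) {
    const out = [];
    for (let i = 0; i < items.length; i++) {
        Object.defineProperty(out, i, {
            value: items[i], writable: true, enumerable: true, configurable: true,
        });
    }
    return out;
}

function compare() {
    const items = ['a', 'b'];   // constructed sample input
    return {
        set: withIndexSetter(0, () => fillWithSet(items)),
        define: withIndexSetter(0, () => fillWithCreateDataProperty(items)),
        // Conformance probe for the host engine's RegExp.prototype[@@match].
        match: withIndexSetter(0, () => 'aaaa'.match(/a/g)),
    };
}

console.log(compare());
```

With the setter-consulting store the element at index 0 never becomes an own property of the result; a spec-conforming engine reports zero setter calls for the `match` probe.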

Diff

Modified: branches/safari-606.4.1.2-branch/JSTests/ChangeLog (238302 => 238303)


--- branches/safari-606.4.1.2-branch/JSTests/ChangeLog	2018-11-16 22:15:23 UTC (rev 238302)
+++ branches/safari-606.4.1.2-branch/JSTests/ChangeLog	2018-11-16 22:15:27 UTC (rev 238303)
@@ -1,5 +1,23 @@
 2018-11-15  Mark Lam  <[email protected]>
 
+        Cherry-pick r238270. rdar://problem/46085279
+
+    2018-11-15  Mark Lam  <[email protected]>
+
+            RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
+            https://bugs.webkit.org/show_bug.cgi?id=191730
+            <rdar://problem/46048517>
+
+            Reviewed by Saam Barati.
+
+            * stress/regress-187006.js: Removed.
+              - this test is invalid because its sole purpose is to test for the non-spec
+                compliant behavior that we just fixed.
+
+            * stress/regress-191730.js: Added.
+
+2018-11-15  Mark Lam  <[email protected]>
+
         Cherry-pick r238267. rdar://problem/46032438
 
     2018-11-15  Mark Lam  <[email protected]>
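Review bot: The cherry-pick line added at the top of this entry cites rdar://problem/46085279, while the log message for this revision cites rdar://problem/46138760 for the same cherry-pick of r238270. Please confirm which radar tracks this branch and make the two agree, otherwise the ChangeLog points anyone auditing the branch at a different tracking item than the commit does.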

Deleted: branches/safari-606.4.1.2-branch/JSTests/stress/regress-187006.js (238302 => 238303)


--- branches/safari-606.4.1.2-branch/JSTests/stress/regress-187006.js	2018-11-16 22:15:23 UTC (rev 238302)
+++ branches/safari-606.4.1.2-branch/JSTests/stress/regress-187006.js	2018-11-16 22:15:27 UTC (rev 238303)
@@ -1,16 +0,0 @@
-Object.defineProperty(Array.prototype, '0', {
-    get() { },
-    set() { throw new Error(); }
-});
-
-var __v_7772 = "GGCCGGGTAAAGTGGCTCACGCCTGTAATCCCAGCACTTTACCCCCCGAGGCGGGCGGA";
-var exception;
-
-try {
-    __v_7772.match(/[cgt]gggtaaa|tttaccc[acg]/ig);
-} catch (e) {
-    exception = e;
-}
-
-if (exception != "Error")
-    throw "FAILED";
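Review bot: Deleting this file outright drops the only test that puts an accessor on Array.prototype index 0 while a global match runs. Rather than removing it, consider inverting the final check so that it fails when an exception was caught, for example `if (exception) throw "FAILED";`, which turns the old non-compliant expectation into a direct regression test that match results never reach a prototype setter.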

Added: branches/safari-606.4.1.2-branch/JSTests/stress/regress-191730.js (0 => 238303)


--- branches/safari-606.4.1.2-branch/JSTests/stress/regress-191730.js	                        (rev 0)
+++ branches/safari-606.4.1.2-branch/JSTests/stress/regress-191730.js	2018-11-16 22:15:27 UTC (rev 238303)
@@ -0,0 +1,25 @@
+function assertEq(actual, expected) {
+    if (actual != expected)
+        throw ("Expected: " + expected + ", actual: " + actual);
+}
+
+var otherGlobal = $vm.createGlobalObject();
+
+Array.prototype.__defineSetter__(7, () => {
+    arr[0] = { };
+});
+
+let arr = new otherGlobal.Array(1.1, 2.2, 3.3);
+
+function foo(arr, regexp, str){
+    var result = regexp[Symbol.match](str);
+    arr[1] = 3.54484805889626e-310;
+    return arr[0];
+}
+
+let regexp = /a/g;
+for (let i = 0; i < 10000; i++)
+    foo(arr, regexp, "aaaa");
+
+let r = foo(arr, regexp, "aaaaaaaa");
+assertEq(arr[1], "3.54484805889626e-310");
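Review bot: The final assertion compares arr[1] with the string "3.54484805889626e-310" through the loose != in assertEq, so it passes only via string-to-number coercion, and nothing in the test checks directly that the index-7 setter was never invoked. Suggest comparing against the numeric literal, setting a flag inside the setter and asserting it is still false after the eight-match call, and either dropping the unused `result` and `r` bindings or asserting on them (for example that the eight-match result has length 8).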

Modified: branches/safari-606.4.1.2-branch/Source/_javascript_Core/ChangeLog (238302 => 238303)


--- branches/safari-606.4.1.2-branch/Source/_javascript_Core/ChangeLog	2018-11-16 22:15:23 UTC (rev 238302)
+++ branches/safari-606.4.1.2-branch/Source/_javascript_Core/ChangeLog	2018-11-16 22:15:27 UTC (rev 238303)
@@ -1,5 +1,25 @@
 2018-11-15  Mark Lam  <[email protected]>
 
+        Cherry-pick r238270. rdar://problem/46085279
+
+    2018-11-15  Mark Lam  <[email protected]>
+
+            RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
+            https://bugs.webkit.org/show_bug.cgi?id=191730
+            <rdar://problem/46048517>
+
+            Reviewed by Saam Barati.
+
+            According to the spec https://www.ecma-international.org/ecma-262/9.0/index.html#sec-regexp.prototype-@@match,
+            the RegExp match results are filled in using the spec's CreateDataProperty()
+            function which does not consult the prototype for setters.  JSArray:push()
+            consults the prototype for setters.  We should be using putDirectIndex() instead.
+
+            * runtime/RegExpObjectInlines.h:
+            (JSC::collectMatches):
+
+2018-11-15  Mark Lam  <[email protected]>
+
         Cherry-pick r238267. rdar://problem/46032438
 
     2018-11-15  Mark Lam  <[email protected]>
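Review bot: In the added description, "JSArray:push()" has a single colon while the title line of the same entry writes JSArray::push; use the scoped form so the identifier is searchable. The cherry-pick line here also cites rdar://problem/46085279 where the log message for this revision cites rdar://problem/46138760, so confirm which one is intended.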

Modified: branches/safari-606.4.1.2-branch/Source/_javascript_Core/runtime/RegExpObjectInlines.h (238302 => 238303)


--- branches/safari-606.4.1.2-branch/Source/_javascript_Core/runtime/RegExpObjectInlines.h	2018-11-16 22:15:23 UTC (rev 238302)
+++ branches/safari-606.4.1.2-branch/Source/_javascript_Core/runtime/RegExpObjectInlines.h	2018-11-16 22:15:27 UTC (rev 238303)
@@ -1,6 +1,6 @@
 /*
  *  Copyright (C) 1999-2000 Harri Porten ([email protected])
- *  Copyright (C) 2003, 2007, 2008, 2012, 2016 Apple Inc. All Rights Reserved.
+ *  Copyright (C) 2003-2018 Apple Inc. All Rights Reserved.
  *
  *  This library is free software; you can redistribute it and/or
  *  modify it under the terms of the GNU Lesser General Public
@@ -155,10 +155,11 @@
     RETURN_IF_EXCEPTION(scope, { });
 
     bool hasException = false;
+    unsigned arrayIndex = 0;
     auto iterate = [&] () {
         size_t end = result.end;
         size_t length = end - result.start;
-        array->push(exec, JSRopeString::createSubstringOfResolved(vm, string, result.start, length));
+        array->putDirectIndex(exec, arrayIndex++, JSRopeString::createSubstringOfResolved(vm, string, result.start, length));
         if (UNLIKELY(scope.exception())) {
             hasException = true;
             return;
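Review bot: The putDirectIndex call that replaces array->push carries no comment saying why a direct store is required, so a later cleanup could reasonably swap push back in. Add a short comment at that line stating that match results must be filled in with CreateDataProperty semantics and must not consult the prototype chain for setters. It would also help to say why an `unsigned arrayIndex` is wide enough here, given that the neighbouring `end` and `length` are size_t.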