- Revision: 238981
- Author: [email protected]
- Date: 2018-12-07 16:25:15 -0800 (Fri, 07 Dec 2018)
Log Message

Merge r238270 - RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
https://bugs.webkit.org/show_bug.cgi?id=191730
<rdar://problem/46048517>

Reviewed by Saam Barati.

JSTests:

* stress/regress-187006.js: Removed.
- this test is invalid because its sole purpose is to test for the non-spec
compliant behavior that we just fixed.
* stress/regress-191730.js: Added.

Source/JavaScriptCore:

According to the spec https://www.ecma-international.org/ecma-262/9.0/index.html#sec-regexp.prototype-@@match,
the RegExp match results are filled in using the spec's CreateDataProperty()
function which does not consult the prototype for setters. JSArray::push()
consults the prototype for setters. We should be using putDirectIndex() instead.

* runtime/RegExpObjectInlines.h:
(JSC::collectMatches):
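
The difference the log message describes between push (an ordinary property set) and CreateDataProperty can be observed from script. The following is an added example, not WebKit code or part of this changeset; `probeSetter` and `compareFillStrategies` are hypothetical names, and `Object.defineProperty` stands in for the spec's CreateDataProperty.

```javascript
// Run fill() while an accessor sits at Array.prototype[index]; report whether
// the setter fired and whether the result got an own property at that index.
function probeSetter(index, fill) {
  let setterCalls = 0;
  Object.defineProperty(Array.prototype, index, {
    configurable: true,
    get() { return undefined; },
    set(_value) { setterCalls++; },
  });
  try {
    const out = fill();
    return {
      setterCalls,
      ownProperty: Object.prototype.hasOwnProperty.call(out, index),
      length: out.length,
    };
  } finally {
    delete Array.prototype[index]; // always restore the shared prototype
  }
}

// Set semantics: push performs an ordinary property set, which finds the
// inherited accessor and calls its setter instead of storing the value.
const viaPush = () => { const a = []; a.push('x'); return a; };

// CreateDataProperty semantics: an own data property is defined directly and
// the prototype chain is never consulted.
const viaDefine = () => {
  const a = [];
  Object.defineProperty(a, 0,
    { value: 'x', writable: true, enumerable: true, configurable: true });
  return a;
};

// RegExp.prototype[@@match] on a global regexp; the spec fills the result
// array with CreateDataProperty, so no setter may run here.
const viaMatch = () => /a/g[Symbol.match]('aaaa');

function compareFillStrategies() {
  return {
    push: probeSetter(0, viaPush),
    define: probeSetter(0, viaDefine),
    match: probeSetter(0, viaMatch),
  };
}

console.log(compareFillStrategies());
```

On a spec-compliant engine the `match` row reports zero setter calls and an own property at index 0; a non-zero count there is the behaviour this changeset removes.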
Diff
Modified: releases/WebKitGTK/webkit-2.22/JSTests/ChangeLog (238980 => 238981)
--- releases/WebKitGTK/webkit-2.22/JSTests/ChangeLog 2018-12-08 00:25:12 UTC (rev 238980)
+++ releases/WebKitGTK/webkit-2.22/JSTests/ChangeLog 2018-12-08 00:25:15 UTC (rev 238981)
@@ -1,5 +1,19 @@
2018-11-15 Mark Lam <[email protected]>
+ RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
+ https://bugs.webkit.org/show_bug.cgi?id=191730
+ <rdar://problem/46048517>
+
+ Reviewed by Saam Barati.
+
+ * stress/regress-187006.js: Removed.
+ - this test is invalid because its sole purpose is to test for the non-spec
+ compliant behavior that we just fixed.
+
+ * stress/regress-191730.js: Added.
+
+2018-11-15 Mark Lam <[email protected]>
+
RegExp operations should not take fast patch if lastIndex is not numeric.
https://bugs.webkit.org/show_bug.cgi?id=191731
<rdar://problem/46017305>
Deleted: releases/WebKitGTK/webkit-2.22/JSTests/stress/regress-187006.js (238980 => 238981)
--- releases/WebKitGTK/webkit-2.22/JSTests/stress/regress-187006.js 2018-12-08 00:25:12 UTC (rev 238980)
+++ releases/WebKitGTK/webkit-2.22/JSTests/stress/regress-187006.js 2018-12-08 00:25:15 UTC (rev 238981)
@@ -1,16 +0,0 @@
-Object.defineProperty(Array.prototype, '0', {
- get() { },
- set() { throw new Error(); }
-});
-
-var __v_7772 = "GGCCGGGTAAAGTGGCTCACGCCTGTAATCCCAGCACTTTACCCCCCGAGGCGGGCGGA";
-var exception;
-
-try {
- __v_7772.match(/[cgt]gggtaaa|tttaccc[acg]/ig);
-} catch (e) {
- exception = e;
-}
-
-if (exception != "Error")
- throw "FAILED";
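Review bot: Deleting this file drops the direct check on a setter installed at index 0 of Array.prototype during a global match; consider keeping the scenario with the expectation inverted, asserting that `exception` stays undefined and that the result array is populated, so the spec-compliant behaviour is pinned by a test rather than only implied. If a version is kept, the comparison `exception != "Error"` passes or fails only through loose string coercion of the Error object; a flag set inside the setter, or an `instanceof Error` check, states the intent more directly.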
Added: releases/WebKitGTK/webkit-2.22/JSTests/stress/regress-191730.js (0 => 238981)
--- releases/WebKitGTK/webkit-2.22/JSTests/stress/regress-191730.js (rev 0)
+++ releases/WebKitGTK/webkit-2.22/JSTests/stress/regress-191730.js 2018-12-08 00:25:15 UTC (rev 238981)
@@ -0,0 +1,25 @@
+function assertEq(actual, expected) {
+ if (actual != expected)
+ throw ("Expected: " + expected + ", actual: " + actual);
+}
+
+var otherGlobal = $vm.createGlobalObject();
+
+Array.prototype.__defineSetter__(7, () => {
+ arr[0] = { };
+});
+
+let arr = new otherGlobal.Array(1.1, 2.2, 3.3);
+
+function foo(arr, regexp, str){
+ var result = regexp[Symbol.match](str);
+ arr[1] = 3.54484805889626e-310;
+ return arr[0];
+}
+
+let regexp = /a/g;
+for (let i = 0; i < 10000; i++)
+ foo(arr, regexp, "aaaa");
+
+let r = foo(arr, regexp, "aaaaaaaa");
+assertEq(arr[1], "3.54484805889626e-310");
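Review bot: The final `assertEq(arr[1], "3.54484805889626e-310")` compares a number with a string and passes only because `assertEq` uses the loose `!=`; use a numeric literal and `!==` so the check cannot succeed by coercion. `r` is assigned but never checked, and nothing asserts that the setter on index 7 was not invoked by the eight-match call; a counter incremented in the setter plus `assertEq(r, 1.1)` would make a regression fail on the actual cause rather than on `arr[1]` alone. A short comment explaining why the warm-up loop uses four matches and the last call uses eight would also help whoever reads this test next.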
Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog (238980 => 238981)
--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog 2018-12-08 00:25:12 UTC (rev 238980)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog 2018-12-08 00:25:15 UTC (rev 238981)
@@ -1,5 +1,21 @@
2018-11-15 Mark Lam <[email protected]>
+ RegExpObject's collectMatches should not be using JSArray::push to fill in its match results.
+ https://bugs.webkit.org/show_bug.cgi?id=191730
+ <rdar://problem/46048517>
+
+ Reviewed by Saam Barati.
+
+ According to the spec https://www.ecma-international.org/ecma-262/9.0/index.html#sec-regexp.prototype-@@match,
+ the RegExp match results are filled in using the spec's CreateDataProperty()
+ function which does not consult the prototype for setters. JSArray:push()
+ consults the prototype for setters. We should be using putDirectIndex() instead.
+
+ * runtime/RegExpObjectInlines.h:
+ (JSC::collectMatches):
+
+2018-11-15 Mark Lam <[email protected]>
+
RegExp operations should not take fast patch if lastIndex is not numeric.
https://bugs.webkit.org/show_bug.cgi?id=191731
<rdar://problem/46017305>
Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/runtime/RegExpObjectInlines.h (238980 => 238981)
--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/runtime/RegExpObjectInlines.h 2018-12-08 00:25:12 UTC (rev 238980)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/runtime/RegExpObjectInlines.h 2018-12-08 00:25:15 UTC (rev 238981)
@@ -1,6 +1,6 @@
/*
* Copyright (C) 1999-2000 Harri Porten ([email protected])
- * Copyright (C) 2003, 2007, 2008, 2012, 2016 Apple Inc. All Rights Reserved.
+ * Copyright (C) 2003-2018 Apple Inc. All Rights Reserved.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -155,10 +155,11 @@
RETURN_IF_EXCEPTION(scope, { });
bool hasException = false;
+ unsigned arrayIndex = 0;
auto iterate = [&] () {
size_t end = result.end;
size_t length = end - result.start;
- array->push(exec, JSRopeString::createSubstringOfResolved(vm, string, result.start, length));
+ array->putDirectIndex(exec, arrayIndex++, JSRopeString::createSubstringOfResolved(vm, string, result.start, length));
if (UNLIKELY(scope.exception())) {
hasException = true;
return;
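Review bot: The `putDirectIndex` call carries no comment saying why `push` must not be used here; the reason lives only in the ChangeLog, so a short comment at the call site citing CreateDataProperty (no prototype setter lookup) would keep a later cleanup from folding it back into `push`. Also, `arrayIndex` is a new counter maintained separately from the array's own length and captured by reference in the lambda; the rest of collectMatches is not visible in this hunk, so please confirm that no other path appends to `array` without going through the same counter.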