Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: b4b15818d650a5949ea4da79172341b163636f41
https://github.com/WebKit/WebKit/commit/b4b15818d650a5949ea4da79172341b163636f41
  Author: Sosuke Suzuki <[email protected]>
  Date:   2026-06-08 (Mon, 08 Jun 2026)

  Changed paths:
    A JSTests/stress/string-split-regexp-fast-path-limit-side-effects.js
    A JSTests/stress/string-split-regexp-fast-path-tostring-side-effects.js
    M Source/JavaScriptCore/dfg/DFGOperations.cpp
    M Source/JavaScriptCore/runtime/StringPrototype.cpp

  Log Message:
  -----------
  [JSC] `String#split` RegExp fast path misses side effects from `ToString(this)` and `ToUint32(limit)`
https://bugs.webkit.org/show_bug.cgi?id=316508

Reviewed by Yusuke Suzuki.

stringProtoFuncSplit ran ToString(this) and ToUint32(limit) after checking
isSymbolSplitFastAndNonObservable(). Both conversions can run arbitrary JS that
invalidates the checked conditions (e.g. overriding RegExp.prototype.exec or
installing an own .constructor on the separator), which RegExpSplit observes
after those conversions. operationStringSplitRegExp had the same problem for
ToUint32(limit).

Only take the fast path when both conversions are non-observable: `this` is a
string primitive and limit is a number or undefined. Otherwise fall through to
the generic @@split call, as the old JS-builtin implementation did
(isLimitNumberOrUndefined, bmo#1287525).

    let execCalled = false;
    let evil = {
        valueOf() {
            RegExp.prototype.exec = () => { execCalled = true; return null; };
            return 4;
        }
    };
    "a,b,c".split(/,/, evil);
    // Before: ["a","b","c"], execCalled === false
    // After (spec, V8): ["a,b,c"], execCalled === true

Tests: JSTests/stress/string-split-regexp-fast-path-limit-side-effects.js
       JSTests/stress/string-split-regexp-fast-path-tostring-side-effects.js

* JSTests/stress/string-split-regexp-fast-path-limit-side-effects.js: Added.
(shouldBe):
(let.evil.valueOf.RegExp.prototype.exec):
(let.evil.valueOf):
* JSTests/stress/string-split-regexp-fast-path-tostring-side-effects.js: Added.
(shouldBe):
(throw.new.Error.MyRegExp):
(throw.new.Error):
(shouldBe.let.obj.toString.RegExp.prototype.exec):
* Source/JavaScriptCore/dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* Source/JavaScriptCore/runtime/StringPrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):

Canonical link: https://commits.webkit.org/314772@main
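The two orderings described in the commit message, written up as a small self-contained conformance check. This is an added example, not code from WebKit or from the commit's tests: each case hides the side effect in the conversion the old fast path ran too late (ToUint32(limit) via valueOf, ToString(this) via toString) and reports whether @@split observed it. The expected values assume a spec-conformant engine such as current V8/Node.

```javascript
// Runs `body` with a `hijack` callback that replaces RegExp.prototype.exec
// with a stub returning null (no match) and records that it was called.
// The original exec is always restored so later code is unaffected.
function withExecSpy(body) {
  const originalExec = RegExp.prototype.exec;
  const state = { execCalled: false };
  const hijack = () => {
    RegExp.prototype.exec = function () { state.execCalled = true; return null; };
  };
  try {
    const result = body(hijack);
    return { result, execCalled: state.execCalled };
  } finally {
    RegExp.prototype.exec = originalExec;
  }
}

// Case 1 (from the commit message): the side effect lives in ToUint32(limit).
function checkLimitSideEffect() {
  return withExecSpy((hijack) => {
    const evil = { valueOf() { hijack(); return 4; } };
    return "a,b,c".split(/,/, evil);
  });
}

// Case 2: the side effect lives in ToString(this), using a non-string receiver
// (constructed input, mirroring the tostring-side-effects test name above).
function checkToStringSideEffect() {
  return withExecSpy((hijack) => {
    const obj = { toString() { hijack(); return "a,b,c"; } };
    return String.prototype.split.call(obj, /,/);
  });
}

// A conformant engine performs the conversion first and only then consults the
// (now replaced) exec, so it finds no separator and returns the whole string.
// An engine with the old fast path returns ["a","b","c"] and never calls exec.
function isConformant(check) {
  const { result, execCalled } = check();
  return execCalled && result.length === 1 && result[0] === "a,b,c";
}

console.log("ToUint32(limit) ordering conformant:", isConformant(checkLimitSideEffect));
console.log("ToString(this) ordering conformant: ", isConformant(checkToStringSideEffect));
```

Running this under a JSC build from before the fix should print false for the first case, matching the "Before" comment in the commit message.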
