Title: [154612] trunk
Revision
154612
Author
[email protected]
Date
2013-08-26 10:43:09 -0700 (Mon, 26 Aug 2013)

Log Message

RegExpMatchesArray should not call [[put]]
https://bugs.webkit.org/show_bug.cgi?id=120317

Reviewed by Oliver Hunt.

This will call accessors on the JSObject/JSArray prototypes - so adding an accessor or read-only
property called index or input to either of these prototypes will result in broken behavior.

Source/JavaScriptCore:

* runtime/RegExpMatchesArray.cpp:
(JSC::RegExpMatchesArray::reifyAllProperties):
    - put -> putDirect

LayoutTests: 

* fast/regex/lastIndex-expected.txt:
* fast/regex/script-tests/lastIndex.js:
    - Added test

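The commit message contrasts a full [[Put]] (which walks the prototype chain and honours setters and read-only properties) with a direct own-property definition. The following JavaScript is an added example, not WebKit code and not part of this commit: it models the old and new ways of attaching `index` and `input` to a match array, then shows what an accessor or non-writable property on Object.prototype / Array.prototype does to each. The function names (buildWithPut, buildWithPutDirect, withPrototypeProperty) and the sample match data are assumptions made for illustration; the prototype properties are removed again after each case.

```javascript
// Added example (not WebKit code). Models how creating "index"/"input" on a
// RegExp match array via [[Put]] differs from defining the properties directly.

// Old reifyAllProperties behaviour: JSArray::put == ordinary assignment, which
// performs [[Put]] and therefore consults the prototype chain.
function buildWithPut(matches, start, input) {
  const arr = matches.slice();
  arr.index = start; // may hit a prototype setter or a read-only slot
  arr.input = input;
  return arr;
}

// Fixed behaviour: putDirect == define an own data property, no prototype lookup.
function buildWithPutDirect(matches, start, input) {
  const arr = matches.slice();
  const data = (value) => ({ value, writable: true, enumerable: true, configurable: true });
  Object.defineProperty(arr, "index", data(start));
  Object.defineProperty(arr, "input", data(input));
  return arr;
}

// Install a hostile property on a prototype for the duration of fn(), then remove it
// (descriptors below are configurable so the prototype can be restored).
function withPrototypeProperty(proto, name, descriptor, fn) {
  Object.defineProperty(proto, name, descriptor);
  try {
    return fn();
  } finally {
    delete proto[name];
  }
}

const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Case 1: an accessor named "input" on Object.prototype. With [[Put]] the setter
// swallows the write and no own property is ever created.
function accessorCase(build) {
  const setterCalls = [];
  return withPrototypeProperty(
    Object.prototype,
    "input",
    { set(v) { setterCalls.push(v); }, get() { return undefined; }, configurable: true },
    () => {
      const m = build(["x"], 0, "x"); // constructed sample: /x/.exec("x")
      return { own: hasOwn(m, "input"), input: m.input, setterCalls: setterCalls.length };
    }
  );
}

// Case 2: a read-only "index" on Array.prototype. With [[Put]] the assignment is
// rejected (silently in sloppy mode, TypeError in strict mode), so the array
// inherits the bogus value 42 instead of owning the real match offset.
function readOnlyCase(build) {
  return withPrototypeProperty(
    Array.prototype,
    "index",
    { value: 42, writable: false, configurable: true },
    () => {
      try {
        const m = build(["x"], 0, "x");
        return { threw: false, own: hasOwn(m, "index"), index: m.index };
      } catch (e) {
        return { threw: e instanceof TypeError, own: null, index: null };
      }
    }
  );
}

// Case 3: the real engine. Any conforming engine creates "input" as an own data
// property of the exec() result, so the prototype setter must not be observed.
function engineCase() {
  return withPrototypeProperty(
    Object.prototype,
    "input",
    { set() {}, get() { return undefined; }, configurable: true },
    () => /x/.exec("x").input
  );
}
```

Running `accessorCase(buildWithPut)` shows the setter fired once and the array has no own `input`; `accessorCase(buildWithPutDirect)` shows no setter call and an own `input` of `"x"`. `readOnlyCase(buildWithPut)` either throws or leaves `index` reading as the inherited 42, while the direct definition yields an own `index` of 0, which is exactly the difference the `put` to `putDirect` change makes at the C++ level.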
Diff

Modified: trunk/LayoutTests/ChangeLog (154611 => 154612)


--- trunk/LayoutTests/ChangeLog	2013-08-26 17:33:45 UTC (rev 154611)
+++ trunk/LayoutTests/ChangeLog	2013-08-26 17:43:09 UTC (rev 154612)
@@ -1,3 +1,17 @@
+2013-08-26  Gavin Barraclough  <[email protected]>
+
+        RegExpMatchesArray should not call [[put]]
+        https://bugs.webkit.org/show_bug.cgi?id=120317
+
+        Reviewed by Oliver Hunt.
+
+        This will call accessors on the JSObject/JSArray prototypes - so adding an accessor or read-only
+        property called index or input to either of these prototypes will result in broken behavior.
+
+        * fast/regex/lastIndex-expected.txt:
+        * fast/regex/script-tests/lastIndex.js:
+            - Added test
+
 2013-08-26  Gyuyoung Kim  <[email protected]>
 
         Unreviewed, EFL gardening. EFL WK1 DRT doesn't support exif-orientation tests

Modified: trunk/LayoutTests/fast/regex/lastIndex-expected.txt (154611 => 154612)


--- trunk/LayoutTests/fast/regex/lastIndex-expected.txt	2013-08-26 17:33:45 UTC (rev 154611)
+++ trunk/LayoutTests/fast/regex/lastIndex-expected.txt	2013-08-26 17:43:09 UTC (rev 154612)
@@ -24,6 +24,8 @@
 PASS Object.defineProperty(/x/g, 'lastIndex', {writable:false}).exec('') threw exception TypeError: Attempted to assign to readonly property..
 PASS Object.defineProperty(/x/g, 'lastIndex', {writable:false}).exec('x') threw exception TypeError: Attempted to assign to readonly property..
 PASS var re = /x/; Object.freeze(re); Object.isFrozen(re); is true
+PASS /x/.exec("x").input is "x"
+PASS /x/.exec("x").input is "x"
 PASS successfullyParsed is true
 
 TEST COMPLETE
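Review bot: the two added PASS lines at the top of this hunk are byte-identical, so the expected output cannot show whether the check before or the check after the prototype setter is the one that ran; since shouldBe() prints the expression string, add a debug() line between the two checks in lastIndex.js describing the setter, so a failure on the second check is attributable in the diff of the expected file.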

Modified: trunk/LayoutTests/fast/regex/script-tests/lastIndex.js (154611 => 154612)


--- trunk/LayoutTests/fast/regex/script-tests/lastIndex.js	2013-08-26 17:33:45 UTC (rev 154611)
+++ trunk/LayoutTests/fast/regex/script-tests/lastIndex.js	2013-08-26 17:43:09 UTC (rev 154612)
@@ -46,3 +46,8 @@
 
 // Should be able to freeze a regular _expression_ object.
 shouldBeTrue("var re = /x/; Object.freeze(re); Object.isFrozen(re);");
+
+// Presence of setter on prototype chain should not affect RegexpMatchesArray
+shouldBe('/x/.exec("x").input', '"x"');
+Object.defineProperty(Object.prototype, "input", { set: function(){} });
+shouldBe('/x/.exec("x").input', '"x"');
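Review bot: the new test only exercises a setter for "input" on Object.prototype, while the ChangeLog also names "index", read-only properties, and the JSArray prototype; add the sibling cases, e.g. `Object.defineProperty(Array.prototype, "index", { value: 42, writable: false, configurable: true });` followed by `shouldBe('/x/.exec("x").index', '0');`, and a setter for "index" as well. Also, the descriptor on line `Object.defineProperty(Object.prototype, "input", { set: function(){} });` is non-configurable by default, so the setter can never be removed for the rest of the file; it is harmless only because these are the last lines, and declaring it with `configurable: true` and deleting it afterwards would keep later additions from tripping on it.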

Modified: trunk/Source/JavaScriptCore/ChangeLog (154611 => 154612)


--- trunk/Source/_javascript_Core/ChangeLog	2013-08-26 17:33:45 UTC (rev 154611)
+++ trunk/Source/_javascript_Core/ChangeLog	2013-08-26 17:43:09 UTC (rev 154612)
@@ -1,3 +1,17 @@
+2013-08-26  Gavin Barraclough  <[email protected]>
+
+        RegExpMatchesArray should not call [[put]]
+        https://bugs.webkit.org/show_bug.cgi?id=120317
+
+        Reviewed by Oliver Hunt.
+
+        This will call accessors on the JSObject/JSArray prototypes - so adding an accessor or read-only
+        property called index or input to either of these prototypes will result in broken behavior.
+
+        * runtime/RegExpMatchesArray.cpp:
+        (JSC::RegExpMatchesArray::reifyAllProperties):
+            - put -> putDirect
+
 2013-08-24  Filip Pizlo  <[email protected]>
 
         FloatTypedArrayAdaptor::toJSValue should almost certainly not use jsNumber() since that attempts int conversions
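Review bot: the explanatory sentence ("This will call accessors on the JSObject/JSArray prototypes") has no clear subject; state that JSArray::put performs a full [[Put]], which walks the prototype chain, so a setter or non-writable "index"/"input" on Array.prototype or Object.prototype is honoured, and that putDirect creates an own data property without that lookup. Naming the JS-visible objects (Array.prototype, Object.prototype) rather than the C++ classes would also make the observable effect clearer to anyone reading the log later.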

Modified: trunk/Source/JavaScriptCore/runtime/RegExpMatchesArray.cpp (154611 => 154612)


--- trunk/Source/_javascript_Core/runtime/RegExpMatchesArray.cpp	2013-08-26 17:33:45 UTC (rev 154611)
+++ trunk/Source/_javascript_Core/runtime/RegExpMatchesArray.cpp	2013-08-26 17:43:09 UTC (rev 154612)
@@ -92,9 +92,8 @@
         }
     }
 
-    PutPropertySlot slot;
-    JSArray::put(this, exec, exec->propertyNames().index, jsNumber(m_result.start), slot);
-    JSArray::put(this, exec, exec->propertyNames().input, m_input.get(), slot);
+    putDirect(exec->vm(), exec->propertyNames().index, jsNumber(m_result.start));
+    putDirect(exec->vm(), exec->propertyNames().input, m_input.get());
 
     m_state = ReifiedAll;
 }
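Review bot: the fix is only as complete as the rest of reifyAllProperties: the loop that closes at the top of this hunk populates the capture elements (and presumably length) before the two putDirect calls, and those must also avoid JSArray::put, otherwise a setter or non-writable indexed property on Array.prototype can still interfere with the result; please confirm they go through direct/indexed storage. The two replaced lines are correct assuming putDirect's default attribute set, since "index" and "input" then stay writable, enumerable and configurable as the spec's data-property creation requires. Minor: `exec->vm()` is fetched twice on the `+` lines; a local `VM& vm = exec->vm();` is the usual JSC style.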
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes