Changeset 259029 in webkit

Timestamp:

Mar 25, 2020 7:24:29 PM (4 years ago)

Author:

Alexey Shvayka

Message:

RegExp.prototype[@@replace] relies on globals and doesn't perform ToLength
​https://bugs.webkit.org/show_bug.cgi?id=173867

Reviewed by Ross Kirsling.

JSTests:

• test262/expectations.yaml: Mark 4 test cases as passing.

Source/JavaScriptCore:

This change:

a) Adds "lastIndex" ToLength coercion [1], which is observable, unlike ToLength coercion

of RegExpExec result [2] that we omit, just like the one in @@split [3].

b) Removes lastPosition checks/updates, as there are none in the spec, and it was

equivalent to checking nextSourcePosition.

c) Removes reliance of @@replace on globals and also replaces @stringSubstrInternal

built-in with @stringSubstringInternal, as the former is Annex B and accepts size
as 2nd paramter, which is not very handy because ECMA-262 usually says "substring
of S consisting of the code units at indices X (inclusive) through Y (exclusive)".

[1]: ​https://tc39.es/ecma262/#sec-regexp.prototype-@@replace (step 11.c.iii.2.a)
[2]: ​https://tc39.es/ecma262/#sec-regexp.prototype-@@replace (step 14.a)
[3]: ​https://tc39.es/ecma262/#sec-regexp.prototype-@@split (step 19.d.iv.6)

• builtins/BuiltinNames.h:
• builtins/RegExpPrototype.js:

(getSubstitution):
(Symbol.replace):
(Symbol.split):

• builtins/StringPrototype.js:

(globalPrivate.repeatCharactersSlowPath):

• bytecode/LinkTimeConstant.h:
• runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::init):

• runtime/StringPrototype.cpp:

(JSC::stringIndexOfImpl):
(JSC::stringProtoFuncIndexOf):
(JSC::builtinStringIndexOfInternal):
(JSC::stringProtoFuncSubstr):
(JSC::stringSubstringImpl):
(JSC::stringProtoFuncSubstring):
(JSC::builtinStringSubstringInternal):
(JSC::stringProtoFuncSubstrImpl): Deleted.
(JSC::builtinStringSubstrInternal): Deleted.

• runtime/StringPrototype.h:

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/test262/expectations.yaml (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/builtins/BuiltinNames.h (modified) (1 diff)
• Source/JavaScriptCore/builtins/RegExpPrototype.js (modified) (14 diffs)
• Source/JavaScriptCore/builtins/StringPrototype.js (modified) (1 diff)
• Source/JavaScriptCore/bytecode/LinkTimeConstant.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSGlobalObject.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/StringPrototype.cpp (modified) (5 diffs)
• Source/JavaScriptCore/runtime/StringPrototype.h (modified) (1 diff)

trunk/JSTests/ChangeLog

@@ +1 @@
+2020-03-25  Alexey Shvayka  <shvaikalesh@gmail.com>
+
+        RegExp.prototype[@@replace] relies on globals and doesn't perform ToLength
+        https://bugs.webkit.org/show_bug.cgi?id=173867
+
+        Reviewed by Ross Kirsling.
+
+        * test262/expectations.yaml: Mark 4 test cases as passing.
+
 2020-03-25  Alexey Shvayka  <shvaikalesh@gmail.com>
 

trunk/JSTests/test262/expectations.yaml

@@ -1655 +1655 @@
   default: 'Test262Error: Expected SameValue(«�», «null») to be true'
   strict mode: 'Test262Error: Expected SameValue(«�», «null») to be true'
-test/built-ins/RegExp/prototype/Symbol.replace/coerce-lastindex.js:
-  default: 'Test262Error: Expected SameValue(«18014398509481984», «9007199254740992») to be true'
-  strict mode: 'Test262Error: Expected SameValue(«18014398509481984», «9007199254740992») to be true'
-test/built-ins/RegExp/prototype/Symbol.replace/poisoned-stdlib.js:
-  default: 'TypeError: undefined is not a function'
-  strict mode: 'TypeError: undefined is not a function'
 test/built-ins/RegExp/prototype/Symbol.search/set-lastindex-init-samevalue.js:
   default: 'Test262Error: Expected SameValue(«0», «0») to be true'

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2020-03-25  Alexey Shvayka  <shvaikalesh@gmail.com>
+
+        RegExp.prototype[@@replace] relies on globals and doesn't perform ToLength
+        https://bugs.webkit.org/show_bug.cgi?id=173867
+
+        Reviewed by Ross Kirsling.
+
+        This change:
+
+        a) Adds "lastIndex" ToLength coercion [1], which is observable, unlike ToLength coercion
+           of RegExpExec result [2] that we omit, just like the one in @@split [3].
+
+        b) Removes `lastPosition` checks/updates, as there are none in the spec, and it was
+           equivalent to checking `nextSourcePosition`.
+
+        c) Removes reliance of @@replace on globals and also replaces @stringSubstrInternal
+           built-in with @stringSubstringInternal, as the former is Annex B and accepts size
+           as 2nd paramter, which is not very handy because ECMA-262 usually says "substring
+           of S consisting of the code units at indices X (inclusive) through Y (exclusive)".
+
+        [1]: https://tc39.es/ecma262/#sec-regexp.prototype-@@replace (step 11.c.iii.2.a)
+        [2]: https://tc39.es/ecma262/#sec-regexp.prototype-@@replace (step 14.a)
+        [3]: https://tc39.es/ecma262/#sec-regexp.prototype-@@split (step 19.d.iv.6)
+
+        * builtins/BuiltinNames.h:
+        * builtins/RegExpPrototype.js:
+        (getSubstitution):
+        (Symbol.replace):
+        (Symbol.split):
+        * builtins/StringPrototype.js:
+        (globalPrivate.repeatCharactersSlowPath):
+        * bytecode/LinkTimeConstant.h:
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::init):
+        * runtime/StringPrototype.cpp:
+        (JSC::stringIndexOfImpl):
+        (JSC::stringProtoFuncIndexOf):
+        (JSC::builtinStringIndexOfInternal):
+        (JSC::stringProtoFuncSubstr):
+        (JSC::stringSubstringImpl):
+        (JSC::stringProtoFuncSubstring):
+        (JSC::builtinStringSubstringInternal):
+        (JSC::stringProtoFuncSubstrImpl): Deleted.
+        (JSC::builtinStringSubstrInternal): Deleted.
+        * runtime/StringPrototype.h:
+
 2020-03-25  Alexey Shvayka  <shvaikalesh@gmail.com>
 

trunk/Source/JavaScriptCore/builtins/BuiltinNames.h

@@ -160 +160 @@
     macro(regExpStringIteratorDone) \
     macro(stringIncludesInternal) \
+    macro(stringIndexOfInternal) \
     macro(stringSplitFast) \
-    macro(stringSubstrInternal) \
+    macro(stringSubstringInternal) \
     macro(makeBoundFunction) \
     macro(hasOwnLengthProperty) \

trunk/Source/JavaScriptCore/builtins/RegExpPrototype.js

@@ -192 +192 @@
         var lastStart = 0;
 
-        for (var start = 0; start = replacement.indexOf("$", lastStart), start !== -1; lastStart = start) {
+        for (var start = 0; start = @stringIndexOfInternal.@call(replacement, "$", lastStart), start !== -1; lastStart = start) {
             if (start - lastStart > 0)
-                result = result + replacement.substring(lastStart, start);
+                result = result + @stringSubstringInternal.@call(replacement, lastStart, start);
             start++;
-            var ch = replacement.charAt(start);
-            if (ch === "")
+            if (start >= replacementLength)
                 result = result + "$";
             else {
+                var ch = replacement[start];
                 switch (ch)
                 {
@@ -212 +212 @@
                 case "`":
                     if (position > 0)
-                        result = result + str.substring(0, position);
+                        result = result + @stringSubstringInternal.@call(str, 0, position);
                     start++;
                     break;
                 case "'":
                     if (tailPos < stringLength)
-                        result = result + str.substring(tailPos);
+                        result = result + @stringSubstringInternal.@call(str, tailPos);
                     start++;
                     break;
@@ -223 +223 @@
                     if (namedCaptures !== @undefined) {
                         var groupNameStartIndex = start + 1;
-                        var groupNameEndIndex = replacement.indexOf(">", groupNameStartIndex);
+                        var groupNameEndIndex = @stringIndexOfInternal.@call(replacement, ">", groupNameStartIndex);
                         if (groupNameEndIndex !== -1) {
-                            var groupName = replacement.substring(groupNameStartIndex, groupNameEndIndex);
+                            var groupName = @stringSubstringInternal.@call(replacement, groupNameStartIndex, groupNameEndIndex);
                             var capture = namedCaptures[groupName];
                             if (capture !== @undefined)
@@ -239 +239 @@
                     break;
                 default:
-                    var chCode = ch.charCodeAt(0);
+                    var chCode = ch.@charCodeAt(0);
                     if (chCode >= 0x30 && chCode <= 0x39) {
                         var originalStart = start - 1;
@@ -246 +246 @@
                         var n = chCode - 0x30;
                         if (n > m) {
-                            result = result + replacement.substring(originalStart, start);
+                            result = result + @stringSubstringInternal.@call(replacement, originalStart, start);
                             break;
                         }
 
                         if (start < replacementLength) {
-                            var nextChCode = replacement.charCodeAt(start);
+                            var nextChCode = replacement.@charCodeAt(start);
                             if (nextChCode >= 0x30 && nextChCode <= 0x39) {
                                 var nn = 10 * n + nextChCode - 0x30;
@@ -262 +262 @@
 
                         if (n == 0) {
-                            result = result + replacement.substring(originalStart, start);
+                            result = result + @stringSubstringInternal.@call(replacement, originalStart, start);
                             break;
                         }
@@ -276 +276 @@
         }
 
-        return result + replacement.substring(lastStart);
+        return result + @stringSubstringInternal.@call(replacement, lastStart);
     }
 
@@ -314 +314 @@
                 var matchStr = @toString(result[0]);
 
-                if (!matchStr.length)
-                    regexp.lastIndex = @advanceStringIndex(str, regexp.lastIndex, unicode);
+                if (!matchStr.length) {
+                    var thisIndex = @toLength(regexp.lastIndex);
+                    regexp.lastIndex = @advanceStringIndex(str, thisIndex, unicode);
+                }
             }
         }
@@ -322 +324 @@
     var accumulatedResult = "";
     var nextSourcePosition = 0;
-    var lastPosition = 0;
 
     for (var i = 0, resultListLength = resultList.length; i < resultListLength; ++i) {
@@ -347 +348 @@
 
         if (functionalReplace) {
-            var replacerArgs = [ matched ].concat(captures);
+            var replacerArgs = [ matched ];
+            for (var j = 0; j < captures.length; j++)
+                replacerArgs.@push(captures[j]);
+
             replacerArgs.@push(position);
             replacerArgs.@push(str);
@@ -363 +367 @@
         }
 
-        if (position >= nextSourcePosition && position >= lastPosition) {
-            accumulatedResult = accumulatedResult + str.substring(nextSourcePosition, position) + replacement;
+        if (position >= nextSourcePosition) {
+            accumulatedResult = accumulatedResult + @stringSubstringInternal.@call(str, nextSourcePosition, position) + replacement;
             nextSourcePosition = position + matchLength;
-            lastPosition = position;
         }
     }
@@ -373 +376 @@
         return  accumulatedResult;
 
-    return accumulatedResult + str.substring(nextSourcePosition);
+    return accumulatedResult + @stringSubstringInternal.@call(str, nextSourcePosition);
 }
 
@@ -563 +566 @@
             else {
                 // 1. Let T be a String value equal to the substring of S consisting of the elements at indices p (inclusive) through q (exclusive).
-                var subStr = @stringSubstrInternal.@call(str, position, matchPosition - position);
+                var subStr = @stringSubstringInternal.@call(str, position, matchPosition);
                 // 2. Perform ! CreateDataProperty(A, ! ToString(lengthA), T).
                 // 3. Let lengthA be lengthA + 1.
@@ -598 +601 @@
     }
     // 20. Let T be a String value equal to the substring of S consisting of the elements at indices p (inclusive) through size (exclusive).
-    var remainingStr = @stringSubstrInternal.@call(str, position, size);
+    var remainingStr = @stringSubstringInternal.@call(str, position, size);
     // 21. Perform ! CreateDataProperty(A, ! ToString(lengthA), T).
     @putByValDirect(result, result.length, remainingStr);

trunk/Source/JavaScriptCore/builtins/StringPrototype.js

@@ -114 +114 @@
     }
     if (remainingCharacters)
-        result += @stringSubstrInternal.@call(string, 0, remainingCharacters);
+        result += @stringSubstringInternal.@call(string, 0, remainingCharacters);
     return result;
 }

trunk/Source/JavaScriptCore/bytecode/LinkTimeConstant.h

@@ -91 +91 @@
     v(regExpTestFast, nullptr) \
     v(stringIncludesInternal, nullptr) \
+    v(stringIndexOfInternal, nullptr) \
     v(stringSplitFast, nullptr) \
-    v(stringSubstrInternal, nullptr) \
+    v(stringSubstringInternal, nullptr) \
     v(makeBoundFunction, nullptr) \
     v(hasOwnLengthProperty, nullptr) \

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp

@@ -1143 +1143 @@
             init.set(JSFunction::create(init.vm, jsCast<JSGlobalObject*>(init.owner), 1, String(), builtinStringIncludesInternal));
         });
+    m_linkTimeConstants[static_cast<unsigned>(LinkTimeConstant::stringIndexOfInternal)].initLater([] (const Initializer<JSCell>& init) {
+            init.set(JSFunction::create(init.vm, jsCast<JSGlobalObject*>(init.owner), 1, String(), builtinStringIndexOfInternal));
+        });
     m_linkTimeConstants[static_cast<unsigned>(LinkTimeConstant::stringSplitFast)].initLater([] (const Initializer<JSCell>& init) {
             init.set(JSFunction::create(init.vm, jsCast<JSGlobalObject*>(init.owner), 2, String(), stringProtoFuncSplitFast));
         });
-    m_linkTimeConstants[static_cast<unsigned>(LinkTimeConstant::stringSubstrInternal)].initLater([] (const Initializer<JSCell>& init) {
-            init.set(JSFunction::create(init.vm, jsCast<JSGlobalObject*>(init.owner), 2, String(), builtinStringSubstrInternal));
+    m_linkTimeConstants[static_cast<unsigned>(LinkTimeConstant::stringSubstringInternal)].initLater([] (const Initializer<JSCell>& init) {
+            init.set(JSFunction::create(init.vm, jsCast<JSGlobalObject*>(init.owner), 2, String(), builtinStringSubstringInternal));
         });
 

trunk/Source/JavaScriptCore/runtime/StringPrototype.cpp

@@ -1077 +1077 @@
 }
 
-EncodedJSValue JSC_HOST_CALL stringProtoFuncIndexOf(JSGlobalObject* globalObject, CallFrame* callFrame)
+static EncodedJSValue stringIndexOfImpl(JSGlobalObject* globalObject, CallFrame* callFrame)
 {
     VM& vm = globalObject->vm();
@@ -1122 +1122 @@
         return JSValue::encode(jsNumber(-1));
     return JSValue::encode(jsNumber(result));
+}
+
+EncodedJSValue JSC_HOST_CALL stringProtoFuncIndexOf(JSGlobalObject* globalObject, CallFrame* callFrame)
+{
+    return stringIndexOfImpl(globalObject, callFrame);
+}
+
+EncodedJSValue JSC_HOST_CALL builtinStringIndexOfInternal(JSGlobalObject* globalObject, CallFrame* callFrame)
+{
+    ASSERT(callFrame->thisValue().isString());
+    ASSERT(callFrame->argument(0).isString());
+    ASSERT(callFrame->argument(1).isNumber() || callFrame->argument(1).isUndefined());
+    return stringIndexOfImpl(globalObject, callFrame);
 }
 
@@ -1366 +1379 @@
 }
 
-static EncodedJSValue stringProtoFuncSubstrImpl(JSGlobalObject* globalObject, CallFrame* callFrame)
+EncodedJSValue JSC_HOST_CALL stringProtoFuncSubstr(JSGlobalObject* globalObject, CallFrame* callFrame)
 {
     VM& vm = globalObject->vm();
@@ -1410 +1423 @@
 }
 
-EncodedJSValue JSC_HOST_CALL stringProtoFuncSubstr(JSGlobalObject* globalObject, CallFrame* callFrame)
-{
-    return stringProtoFuncSubstrImpl(globalObject, callFrame);
-}
-
-EncodedJSValue JSC_HOST_CALL builtinStringSubstrInternal(JSGlobalObject* globalObject, CallFrame* callFrame)
-{
-    // @substrInternal should not have any observable side effects (e.g. it should not call
-    // GetMethod(..., @@toPrimitive) on the thisValue).
-
-    // It is ok to use the default stringProtoFuncSubstr as the implementation of
-    // @substrInternal because @substrInternal will only be called by builtins, which will
-    // guarantee that we only pass it a string thisValue. As a result, stringProtoFuncSubstr
-    // will not need to call toString() on the thisValue, and there will be no observable
-    // side-effects.
-    ASSERT(callFrame->thisValue().isString());
-    return stringProtoFuncSubstrImpl(globalObject, callFrame);
-}
-
-EncodedJSValue JSC_HOST_CALL stringProtoFuncSubstring(JSGlobalObject* globalObject, CallFrame* callFrame)
+static EncodedJSValue stringSubstringImpl(JSGlobalObject* globalObject, CallFrame* callFrame)
 {
     VM& vm = globalObject->vm();
@@ -1471 +1465 @@
     unsigned substringLength = static_cast<unsigned>(end) - substringStart;
     RELEASE_AND_RETURN(scope, JSValue::encode(jsSubstring(globalObject, jsString, substringStart, substringLength)));
+}
+
+EncodedJSValue JSC_HOST_CALL stringProtoFuncSubstring(JSGlobalObject* globalObject, CallFrame* callFrame)
+{
+    return stringSubstringImpl(globalObject, callFrame);
+}
+
+EncodedJSValue JSC_HOST_CALL builtinStringSubstringInternal(JSGlobalObject* globalObject, CallFrame* callFrame)
+{
+    ASSERT(callFrame->thisValue().isString());
+    ASSERT(callFrame->argument(0).isNumber());
+    ASSERT(callFrame->argument(1).isNumber() || callFrame->argument(1).isUndefined());
+    return stringSubstringImpl(globalObject, callFrame);   
 }
 

trunk/Source/JavaScriptCore/runtime/StringPrototype.h

@@ -61 +61 @@
 EncodedJSValue JSC_HOST_CALL stringProtoFuncSplitFast(JSGlobalObject*, CallFrame*);
 
-EncodedJSValue JSC_HOST_CALL builtinStringSubstrInternal(JSGlobalObject*, CallFrame*);
+EncodedJSValue JSC_HOST_CALL builtinStringSubstringInternal(JSGlobalObject*, CallFrame*);
 EncodedJSValue JSC_HOST_CALL builtinStringIncludesInternal(JSGlobalObject*, CallFrame*);
+EncodedJSValue JSC_HOST_CALL builtinStringIndexOfInternal(JSGlobalObject*, CallFrame*);
 
 } // namespace JSC