Changeset 238267 in webkit


Timestamp:
Nov 15, 2018 9:12:25 PM (5 years ago)
Author:
mark.lam@apple.com
Message:

RegExp operations should not take fast path if lastIndex is not numeric.
https://bugs.webkit.org/show_bug.cgi?id=191731
<rdar://problem/46017305>

Reviewed by Saam Barati.

JSTests:

  • stress/regress-191731.js: Added.

Source/JavaScriptCore:

This is because if lastIndex is an object with a valueOf() method, it can execute
arbitrary code which may have side effects, and side effects are not permitted by
the RegExp fast paths.

  • builtins/RegExpPrototype.js:

(globalPrivate.hasObservableSideEffectsForRegExpMatch):
(overriddenName.string_appeared_here.search):
(globalPrivate.hasObservableSideEffectsForRegExpSplit):
(intrinsic.RegExpTestIntrinsic.test):

  • builtins/StringPrototype.js:

(globalPrivate.hasObservableSideEffectsForStringReplace):

Location:
trunk
Files:
1 added
4 edited

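--- a/trunk/JSTests/ChangeLog
+++ b/trunk/JSTests/ChangeLog
@@ -1,2 +1,12 @@
+2018-11-15  Mark Lam  <mark.lam@apple.com>
+
+        RegExp operations should not take fast patch if lastIndex is not numeric.
+        https://bugs.webkit.org/show_bug.cgi?id=191731
+        <rdar://problem/46017305>
+
+        Reviewed by Saam Barati.
+
+        * stress/regress-191731.js: Added.
+
 2018-11-13  Saam Barati  <sbarati@apple.com>
 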
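--- a/trunk/Source/JavaScriptCore/ChangeLog
+++ b/trunk/Source/JavaScriptCore/ChangeLog
@@ -1,2 +1,22 @@
+2018-11-15  Mark Lam  <mark.lam@apple.com>
+
+        RegExp operations should not take fast patch if lastIndex is not numeric.
+        https://bugs.webkit.org/show_bug.cgi?id=191731
+        <rdar://problem/46017305>
+
+        Reviewed by Saam Barati.
+
+        This is because if lastIndex is an object with a valueOf() method, it can execute
+        arbitrary code which may have side effects, and side effects are not permitted by
+        the RegExp fast paths.
+
+        * builtins/RegExpPrototype.js:
+        (globalPrivate.hasObservableSideEffectsForRegExpMatch):
+        (overriddenName.string_appeared_here.search):
+        (globalPrivate.hasObservableSideEffectsForRegExpSplit):
+        (intrinsic.RegExpTestIntrinsic.test):
+        * builtins/StringPrototype.js:
+        (globalPrivate.hasObservableSideEffectsForStringReplace):
+
 2018-11-15  Keith Rollin  <krollin@apple.com>
 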
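--- a/trunk/Source/JavaScriptCore/builtins/RegExpPrototype.js
+++ b/trunk/Source/JavaScriptCore/builtins/RegExpPrototype.js
@@ -1,4 +1,4 @@
 /*
- * Copyright (C) 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -68,4 +68,7 @@
     "use strict";
 
+    if (!@isRegExpObject(regexp))
+        return true;
+
     // This is accessed by the RegExpExec internal function.
     let regexpExec = @tryGetById(regexp, "exec");
@@ -80,5 +83,5 @@
         return true;
 
-    return !@isRegExpObject(regexp);
+    return typeof regexp.lastIndex !== "number";
 }
 
@@ -316,5 +319,7 @@
 
     // Check for observable side effects and call the fast path if there aren't any.
-    if (@isRegExpObject(regexp) && @tryGetById(regexp, "exec") === @regExpBuiltinExec)
+    if (@isRegExpObject(regexp)
+        && @tryGetById(regexp, "exec") === @regExpBuiltinExec
+        && typeof regexp.lastIndex === "number")
         return @regExpSearchFast.@call(regexp, strArg);
 
@@ -359,4 +364,7 @@
     "use strict";
 
+    if (!@isRegExpObject(regexp))
+        return true;
+
     // This is accessed by the RegExpExec internal function.
     let regexpExec = @tryGetById(regexp, "exec");
@@ -390,6 +398,6 @@
     if (regexpSource !== @regExpProtoSourceGetter)
         return true;
-   
-    return !@isRegExpObject(regexp);
+
+    return typeof regexp.lastIndex !== "number";
 }
 
@@ -537,5 +545,7 @@
 
     // Check for observable side effects and call the fast path if there aren't any.
-    if (@isRegExpObject(regexp) && @tryGetById(regexp, "exec") === @regExpBuiltinExec)
+    if (@isRegExpObject(regexp)
+        && @tryGetById(regexp, "exec") === @regExpBuiltinExec
+        && typeof regexp.lastIndex === "number")
         return @regExpTestFast.@call(regexp, strArg);
 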
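Review bot: The new `typeof regexp.lastIndex === "number"` conditions at new lines 321-323 and 547-549, and the matching returns at new lines 85 and 401, carry no comment, so the reason for them is recorded only in the ChangeLog. I would add above each check something like `// A non-number lastIndex (e.g. an object with valueOf()) can run arbitrary code when converted, which the fast path must not allow.` The same applies to new line 216 of builtins/StringPrototype.js. The enclosing functions start and end outside these hunks, so an existing header comment that already covers this cannot be ruled out from here.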
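--- a/trunk/Source/JavaScriptCore/builtins/StringPrototype.js
+++ b/trunk/Source/JavaScriptCore/builtins/StringPrototype.js
@@ -2,5 +2,5 @@
  * Copyright (C) 2015 Andy VanWagoner <andy@vanwagoner.family>.
  * Copyright (C) 2016 Yusuke Suzuki <utatane.tea@gmail.com>
- * Copyright (C) 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -196,4 +196,7 @@
     "use strict";
 
+    if (!@isRegExpObject(regexp))
+        return true;
+
     if (replacer !== @regExpPrototypeSymbolReplace)
         return true;
@@ -211,5 +214,5 @@
         return true;
 
-    return !@isRegExpObject(regexp);
+    return typeof regexp.lastIndex !== "number";
 }
 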
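Review bot: The plain property read `regexp.lastIndex` at new line 216 is only free of side effects because the `@isRegExpObject` guard, now at new lines 198-199, has already returned for every other kind of object; on a non-RegExp value that read could presumably reach an accessor. Nothing in the hunk records that dependency, so a later reordering of the early returns could reintroduce an observable read inside the side-effect check itself. A short comment at the guard, e.g. `// Must come first: the lastIndex read below is only unobservable on a real RegExp object.`, would pin it down. The guards added at new lines 70-71 and 366-367 of builtins/RegExpPrototype.js play the same role. The function's signature lies outside the hunk.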