Closed
Bug 1287525
Opened 8 years ago
Closed 8 years ago
Missing property check before applying optimized RegExp.prototype[Symbol.split] code paths
Categories
(Core :: JavaScript: Standard Library, defect)
Core
JavaScript: Standard Library
Tracking
()
RESOLVED
FIXED
mozilla50
| Tracking | Status | |
|---|---|---|
| firefox48 | --- | unaffected |
| firefox49 | --- | affected |
| firefox-esr45 | --- | unaffected |
| firefox50 | --- | fixed |
People
(Reporter: anba, Assigned: arai)
References
Details
Attachments
(2 files)
|
1.68 KB,
patch
|
h4writer
:
review+
|
Details | Diff | Splinter Review |
|
1.71 KB,
patch
|
h4writer
:
review+
|
Details | Diff | Splinter Review |
Calling IsRegExp in step 1 of https://tc39.github.io/ecma262/#sec-regexp-pattern-flags could trigger side-effects. Test case 1: --- rx = /a/; Object.defineProperty(rx, Symbol.match, { get() { print("OK"); } }); rx[Symbol.split]("abba"); --- Expected: Prints "OK" Actual: "OK" not printed Calling ToUint32(separator) can invalidate the fast-path assumptions in RegExp.prototype[Symbol.split]. Test case 2: --- rx = /a/; r = rx[Symbol.split]("abba", {valueOf() { RegExp.prototype.exec = () => null; return 100; }}); print(r.length); --- Expected: Prints "1" Actual: Prints "3"
|
Assignee | |
Comment 1•8 years ago
|
||
Added RegExpInstanceOptimizable call in IsRegExpSplitOptimizable, to check if |this| RegExp object has no extra property. So that slow path is used when |this| has modified @@match getter.
Assignee: nobody → arai.unmht
Attachment #8772230 -
Flags: review?(hv1989)
|
|
Assignee | |
Comment 2•8 years ago
|
||
As ToInt32(limit) is performed *after* checking whether optimizable or not, changed not to use optimized path if limit is neither undefined nor number.
Attachment #8772231 -
Flags: review?(hv1989)
|
|
Assignee | |
Comment 3•8 years ago
|
||
bug 887016 was landed to firefox48, but backed out from firefox48 by bug 1265307, so this bug affects from firefox49.
Blocks: 887016
status-firefox48:
--- → unaffected
status-firefox49:
--- → affected
status-firefox-esr45:
--- → unaffected
|
||
Updated•8 years ago
|
Attachment #8772231 -
Flags: review?(hv1989) → review+
|
|
||
Comment 4•8 years ago
|
||
Comment on attachment 8772230 [details] [diff] [review] Part 1: Do not use RegExp.prototype[@@split] optimized path if |this| object has extra property. Review of attachment 8772230 [details] [diff] [review]: ----------------------------------------------------------------- Sorry for the delay on these patches. Thanks!
Attachment #8772230 -
Flags: review?(hv1989) → review+
|
|
Assignee | |
Comment 5•8 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/1b77ef6ac23ea2fc57246036dc7ae4dca98dbb19 Bug 1287525 - Part 1: Do not use RegExp.prototype[@@split] optimized path if |this| object has extra property. r=h4writer https://hg.mozilla.org/integration/mozilla-inbound/rev/75976803569d9626c1ac5f495a69b0936321ed9e Bug 1287525 - Part 2: Do not use RegExp.prototype[@@split] optimized path if limit is not number. r=h4writer
|
||
Comment 6•8 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/1b77ef6ac23e https://hg.mozilla.org/mozilla-central/rev/75976803569d
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
You need to log in
before you can comment on or make changes to this bug.
Description
•