Missing property check before applying optimized RegExp.prototype[Symbol.split] code paths

RESOLVED FIXED in Firefox 50

Status

Core
JavaScript: Standard Library
RESOLVED FIXED
a year ago
a year ago

People

(Reporter: anba, Assigned: arai)

Tracking

Trunk
mozilla50
Points:
---

Firefox Tracking Flags

(firefox48 unaffected, firefox49 affected, firefox-esr45 unaffected, firefox50 fixed)

Details

Attachments

(2 attachments)

(Reporter)

Description

a year ago
Calling IsRegExp in step 1 of https://tc39.github.io/ecma262/#sec-regexp-pattern-flags could trigger side-effects.


Test case 1:
---
rx = /a/;
Object.defineProperty(rx, Symbol.match, {
  get() {
    print("OK");
  }
});
rx[Symbol.split]("abba");
---

Expected: Prints "OK"
Actual: "OK" not printed



Calling ToUint32(separator) can invalidate the fast-path assumptions in RegExp.prototype[Symbol.split].


Test case 2:
---
rx = /a/;
r = rx[Symbol.split]("abba", {valueOf() {
  RegExp.prototype.exec = () => null;
  return 100;
}});
print(r.length);
---

Expected: Prints "1"
Actual: Prints "3"
(Assignee)

Comment 1

a year ago
Created attachment 8772230 [details] [diff] [review]
Part 1: Do not use RegExp.prototype[@@split] optimized path if |this| object has extra property.

Added a RegExpInstanceOptimizable call in IsRegExpSplitOptimizable to check if the |this| RegExp object has no extra property,
so that the slow path is used when |this| has a modified @@match getter.
Assignee: nobody → arai.unmht
Attachment #8772230 - Flags: review?(hv1989)
(Assignee)

Comment 2

a year ago
Created attachment 8772231 [details] [diff] [review]
Part 2: Do not use RegExp.prototype[@@split] optimized path if limit is not number.

As ToInt32(limit) is performed *after* checking whether it is optimizable or not,
changed it not to use the optimized path if limit is neither undefined nor a number.
Attachment #8772231 - Flags: review?(hv1989)
(Assignee)

Comment 3

a year ago
Bug 887016 landed in firefox48 but was backed out from firefox48 by bug 1265307, so this bug affects firefox49 onward.
Blocks: 887016
status-firefox48: --- → unaffected
status-firefox49: --- → affected
status-firefox-esr45: --- → unaffected
Attachment #8772231 - Flags: review?(hv1989) → review+
Comment on attachment 8772230 [details] [diff] [review]
Part 1: Do not use RegExp.prototype[@@split] optimized path if |this| object has extra property.

Review of attachment 8772230 [details] [diff] [review]:
-----------------------------------------------------------------

Sorry for the delay on these patches. Thanks!
Attachment #8772230 - Flags: review?(hv1989) → review+
(Assignee)

Comment 5

a year ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/1b77ef6ac23ea2fc57246036dc7ae4dca98dbb19
Bug 1287525 - Part 1: Do not use RegExp.prototype[@@split] optimized path if |this| object has extra property. r=h4writer

https://hg.mozilla.org/integration/mozilla-inbound/rev/75976803569d9626c1ac5f495a69b0936321ed9e
Bug 1287525 - Part 2: Do not use RegExp.prototype[@@split] optimized path if limit is not number. r=h4writer

Comment 6

a year ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/1b77ef6ac23e
https://hg.mozilla.org/mozilla-central/rev/75976803569d
Status: NEW → RESOLVED
Last Resolved: a year ago
status-firefox50: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
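
The ordering problem that Parts 1 and 2 address, as an added toy model (not SpiderMonkey's self-hosted code and not part of the original bug). `fastSplit`, `modelSplit` and `runCases` are hypothetical names, the guard is reduced to an unmodified `RegExp.prototype.exec`, and the host engine's own `RegExp.prototype[Symbol.split]` stands in for the slow path.

```javascript
// Added illustration: a toy model, not SpiderMonkey's self-hosted code.
const builtinExec = RegExp.prototype.exec;
const hostSplit = RegExp.prototype[Symbol.split]; // spec-ordered slow path

// Simplified fast path: uses the saved exec and never consults user-visible
// hooks on rx. Assumes no capture groups, flags or empty-string matches.
function fastSplit(rx, s, lim) {
  const re = new RegExp(rx.source, "g");
  const out = [];
  let p = 0;
  for (let m; out.length < lim && (m = builtinExec.call(re, s)) !== null; ) {
    out.push(s.slice(p, m.index));
    p = re.lastIndex;
  }
  if (out.length < lim) out.push(s.slice(p));
  return out;
}

// fixed=false: guard first, coerce limit afterwards (the reported ordering).
// fixed=true: also require a plain instance (Part 1) and a limit that is
// undefined or a number (Part 2); otherwise defer to the slow path untouched.
function modelSplit(rx, s, limit, fixed) {
  let fast = RegExp.prototype.exec === builtinExec;
  if (fixed) {
    fast = fast && Reflect.ownKeys(rx).every((k) => k === "lastIndex") &&
      (limit === undefined || typeof limit === "number");
    if (!fast) return hostSplit.call(rx, s, limit);
  }
  // ToUint32(limit): an object limit runs valueOf() here, after the guard.
  const lim = limit === undefined ? 2 ** 32 - 1 : limit >>> 0;
  return fast ? fastSplit(rx, s, lim) : hostSplit.call(rx, s, lim);
}

// Runs both test cases from the report against the model.
function runCases(fixed) {
  let getterSeen = false;
  const rx = /a/;
  Object.defineProperty(rx, Symbol.match, { get() { getterSeen = true; } });
  modelSplit(rx, "abba", undefined, fixed);
  const limit = { valueOf() { RegExp.prototype.exec = () => null; return 100; } };
  try {
    return { getterSeen, length: modelSplit(/a/, "abba", limit, fixed).length };
  } finally {
    RegExp.prototype.exec = builtinExec; // undo the global change
  }
}

console.log(runCases(false), runCases(true));
```

With `fixed` set to false the model reproduces the "Actual" results from the description; with it set to true both cases fall through to the slow path and give the "Expected" results.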