[builtins] Fix missing ToString in RegExp.p.match

It is not safe to assume the first match is a string just because the RegExp result is fast. Bug: chromium:831943 Change-Id: Idd40f8b75312f0be54f45f626dc017339033abc6 Reviewed-on: https://chromium-review.googlesource.com/1009325 Reviewed-by: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Peter Wong <peter.wm.wong@gmail.com> Cr-Commit-Position: refs/heads/master@{#52578}
2018-04-11 20:59:25 -07:00 · 2018-04-11 20:59:25 -07:00 · 7bdbe77a3f
commit 7bdbe77a3f
parent 8c25fefbd8
2 changed files with 15 additions and 4 deletions
--- a/src/builtins/builtins-regexp-gen.cc
+++ b/src/builtins/builtins-regexp-gen.cc
@ -1875,10 +1875,7 @@ void RegExpBuiltinsAssembler::RegExpPrototypeMatchBody(Node* const context,
            Node* const result_fixed_array = LoadElements(result);
            Node* const match = LoadFixedArrayElement(result_fixed_array, 0);

-            // The match is guaranteed to be a string on the fast path.
-            CSA_ASSERT(this, IsString(match));
-
-            var_match.Bind(match);
+            var_match.Bind(ToString_Inline(context, match));
            Goto(&if_didmatch);
          }

--- a/test/mjsunit/regress/regress-crbug-831943.js
+++ b/test/mjsunit/regress/regress-crbug-831943.js
@ -0,0 +1,14 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+class MyRegExp extends RegExp {
+  exec(str) {
+    const r = super.exec.call(this, str);
+    if (r) r[0] = 0;
+    return r;
+  }
+}
+
+const result = 'a'.match(new MyRegExp('.', 'g'));
+assertArrayEquals(result, ['0']);