6f08b6471f
The assumption behind this optimization was invalid. Even if the string's prototype is unchanged, the symbol could exist somewhere further up the prototype chain. GetProperty has been sped up significantly so it might be fine to just skip this fast path. An alternative would be to use a protector cell. Bug: v8:8357 Change-Id: Ia577107a58157350eb15780c02aa63d77e600637 Reviewed-on: https://chromium-review.googlesource.com/c/1301498 Commit-Queue: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Peter Marshall <petermarshall@chromium.org> Cr-Commit-Position: refs/heads/master@{#57038}
32 lines
726 B
JavaScript
32 lines
726 B
JavaScript
// Copyright 2018 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Flags: --allow-natives-syntax
|
|
|
|
const s = "Umbridge has been reading your mail, Harry."
|
|
|
|
{
|
|
let monkey_called = false;
|
|
s.__proto__.__proto__[Symbol.replace] =
|
|
() => { monkey_called = true; };
|
|
s.replace(s);
|
|
assertTrue(monkey_called);
|
|
}
|
|
|
|
{
|
|
let monkey_called = false;
|
|
s.__proto__.__proto__[Symbol.search] =
|
|
() => { monkey_called = true; };
|
|
s.search(s);
|
|
assertTrue(monkey_called);
|
|
}
|
|
|
|
{
|
|
let monkey_called = false;
|
|
s.__proto__.__proto__[Symbol.match] =
|
|
() => { monkey_called = true; };
|
|
s.match(s);
|
|
assertTrue(monkey_called);
|
|
}
|