f8d1169622
@@replace should only call ToString(replaceValue) once. Prior to this CL this was not the case when 1. the given regexp is fast 2. the replacement is not callable 3. and its string representation contains a '$'. In such a situation we'd call ToString both in the RegExpReplace builtin, and after bailing out again in the RegExpReplaceRT runtime function. The fix is to pass the result of ToString(replaceValue) to the runtime function. ToString in RegExpReplaceRT will be a no-op since the value is already guaranteed to be a string. Bug: chromium:947822 Change-Id: I14b4932a5ee29e49de4c2131dc2e98b50d93da49 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1559739 Auto-Submit: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Peter Marshall <petermarshall@chromium.org> Commit-Queue: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#60733}
19 lines
451 B
JavaScript
19 lines
451 B
JavaScript
// Copyright 2019 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
let cnt = 0;
|
|
const re = /x/y;
|
|
const replacement = {
|
|
toString: () => {
|
|
cnt++;
|
|
if (cnt == 2) {
|
|
re.lastIndex = { valueOf: () => { re.x = -1073741825; return 7; }};
|
|
}
|
|
return 'y$';
|
|
}
|
|
};
|
|
|
|
const str = re[Symbol.replace]("x", replacement);
|
|
assertEquals(str, "y$");
|