557e79ca19
This fixes a spec bug in which the order of calls to 1) the flag getter and 2) ToUint32(limit) was incorrect if ToUint32 pushes the regexp instance onto the slow path. We are now more restrictive and completely avoid ToUint32 on the fast path. Bug: chromium:801171 Change-Id: I21d15fe566754d2bc05853f895636bb882fbf599 Reviewed-on: https://chromium-review.googlesource.com/863644 Reviewed-by: Yang Guo <yangguo@chromium.org> Commit-Queue: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#50533}
21 lines
622 B
JavaScript
21 lines
622 B
JavaScript
// Copyright 2018 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
let called_custom_unicode_getter = false;
|
|
const re = /./;
|
|
|
|
function f() {
|
|
re.__defineGetter__("unicode", function() {
|
|
called_custom_unicode_getter = true;
|
|
});
|
|
return 2;
|
|
}
|
|
|
|
assertEquals(["","",], re[Symbol.split]("abc", { valueOf: f }));
|
|
|
|
// The spec mandates retrieving the regexp instance's flags before
|
|
// ToUint(limit), i.e. the unicode getter must still be unmodified when
|
|
// flags are retrieved.
|
|
assertFalse(called_custom_unicode_getter);
|