v8/test/mjsunit/regress/regress-758763.js
Jakob Gruber c7a7bf6af0 [regexp] Pass correct limit to Runtime::kRegExpSplit
The Uint32(limit) conversion can end up transitioning the regexp
instance to slow mode. In this case we need to bail out to runtime while
ensuring that ToUint32 is not observably called a second time. We do
this by passing the already-converted value to runtime.

This particular path was broken and we ended up passing the original
maybe_limit value to runtime instead.

TBR=yangguo@chromium.org

Bug: chromium:758763
Change-Id: If7f23b452d2e134ad9be3d4ef1d78d1c946fcef0
Reviewed-on: https://chromium-review.googlesource.com/635588
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47609}
2017-08-25 13:59:43 +00:00

8 lines
277 B
JavaScript

// Copyright 2017 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
const re = /./g;
function toSlowMode() { re.slow = true; }
re[Symbol.split]("abc", { valueOf: toSlowMode });
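
The invariant the commit message describes, that the limit conversion runs exactly once even when it has a side effect on the regexp, can be checked from script. This is an added example, not part of the V8 test suite; the helper names and the `a,b,c` input are constructed for illustration.

```javascript
// Added example; helper names and sample input are constructed.
// Calls RegExp.prototype[Symbol.split] with a limit object whose valueOf
// mutates the regexp, and counts how many times the conversion runs.
function splitWithSideEffectingLimit(limitValue, sideEffect) {
  const re = /,/g;
  let valueOfCalls = 0;
  const limit = {
    valueOf() {
      valueOfCalls++;
      sideEffect(re);      // e.g. add a property, as toSlowMode does above
      return limitValue;   // ToUint32 is applied to this return value
    },
  };
  const result = re[Symbol.split]("a,b,c", limit);
  return { result, valueOfCalls };
}

// Same side effect as the regression test: add an own property to the regexp.
const addProperty = (re) => { re.slow = true; };

function runChecks() {
  // Limit 2: conversion has a side effect, result must still honour the limit.
  const limited = splitWithSideEffectingLimit(2, addProperty);
  // valueOf returns undefined (as in the test above): ToUint32 gives 0.
  const zero = splitWithSideEffectingLimit(undefined, addProperty);
  // Reference result with a plain numeric limit and no side effect.
  const baseline = /,/g[Symbol.split]("a,b,c", 2);
  return {
    limitedResult: limited.result,
    limitedCalls: limited.valueOfCalls,
    zeroResult: zero.result,
    zeroCalls: zero.valueOfCalls,
    matchesPlainLimit:
      JSON.stringify(limited.result) === JSON.stringify(baseline),
  };
}

console.log(runChecks());
```

A `valueOfCalls` count above 1 means the limit was converted a second time, which is the observable behaviour the commit message says must not happen.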