1ccf6c0943
This CL fixes two more cases in which a regexp could unintentionally transition to slow mode while on the fast path, leading to possible OOB accesses of lastIndex. In both cases, the fix is to re-check the shape and possibly bail to runtime. BUG=chromium:708247,v8:6210 Review-Url: https://codereview.chromium.org/2803603005 Cr-Commit-Position: refs/heads/master@{#44451}
// Copyright 2017 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --predictable
// NOTE(review): nothing in this file reads `str`; it looks like a leftover
// from an earlier version of the test — confirm before removing.
const str = "2016-01-02";
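/**
 * Regression case for chromium:708247 / v8:6210: user code that runs while
 * RegExp.prototype[Symbol.replace] converts its replacement argument mutates
 * the receiver (adds, then deletes, a property), so the engine has to
 * re-check the regexp before it touches lastIndex again.
 *
 * NOTE(review): the name says "ToUint32InSplit", but this function drives
 * Symbol.replace; the Symbol.split case lives in testToStringInReplace. The
 * name is kept because the call at the bottom of the file uses it.
 *
 * @returns {string} "abc" with every character replaced by "def".
 */
function testToUint32InSplit() {
  const re = /./g;  // Needs to be global to trigger lastIndex accesses.

  // Adds and deletes a property on the receiver; per its name this is meant
  // to push the regexp object out of its fast shape (dictionary mode).
  function toDictMode() {
    re.x = 42;
    delete re.x;
    return "def";
  }

  // The hook has to be `toString`: converting an object to a string consults
  // toString before valueOf, and the inherited Object.prototype.toString
  // already returns a primitive, so a valueOf-only object never ran
  // toDictMode and the replace path went untested.
  return re[Symbol.replace]("abc", { toString: toDictMode });
}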
/**
 * Regression case for chromium:708247 / v8:6210: the `limit` argument of
 * RegExp.prototype[Symbol.split] is converted to a number, which calls the
 * object's valueOf; that hook adds and then deletes a property on the
 * receiver before returning the limit.
 *
 * NOTE(review): the name says "ToStringInReplace", but this function drives
 * Symbol.split with a numeric conversion; the name is kept because the call
 * at the bottom of the file uses it.
 *
 * @returns {string[]} The pieces produced by splitting "abc" on /./g.
 */
function testToStringInReplace() {
  const re = /./g;  // Needs to be global to trigger lastIndex accesses.

  const limit = {
    // Runs during the limit conversion; the add/delete pair is what the
    // original helper name ("toDictMode") refers to.
    valueOf() {
      re.x = 42;
      delete re.x;
      return 42;
    },
  };

  return re[Symbol.split]("abc", limit);
}
// Run both cases. The return values are discarded, so the test presumably
// passes as long as neither call crashes the engine.
[testToUint32InSplit, testToStringInReplace].forEach((runCase) => runCase());