Bug 191731

Summary:

RegExp operations should not take fast patch if lastIndex is not numeric.

Product:

WebKit

Reporter:

Mark Lam <mark.lam>

Component:

JavaScriptCore

Assignee:

Mark Lam <mark.lam>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

ews-watchlist, joepeck, keith_miller, msaboff, saam, webkit-bug-importer

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
proposed patch.	none

Mark Lam

Reported 2018-11-15 18:11:14 PST

This is because if lastIndex is an object with a valueOf() method, it can execute arbitrary code and side effects not permitted by the RegExp fast paths. <rdar://problem/46017305>

Attachments
proposed patch. (6.42 KB, patch) 2018-11-15 18:20 PST, Mark Lam	no flags	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Mark Lam

Comment 1 2018-11-15 18:20:21 PST

Created attachment 355010 [details] proposed patch.

Saam Barati

Comment 2 2018-11-15 20:02:09 PST

Comment on attachment 355010 [details] proposed patch. r=me

Mark Lam

Comment 3 2018-11-15 21:13:19 PST

Thanks for the review. Landed in r238267: <http://trac.webkit.org/r238267>.

Saam Barati

Comment 4 2018-11-16 11:43:46 PST

Comment on attachment 355010 [details] proposed patch. View in context: https://bugs.webkit.org/attachment.cgi?id=355010&action=review > JSTests/ChangeLog:3 > + RegExp operations should not take fast patch if lastIndex is not numeric. oops, this should be "path" not "patch"

Note You need to log in before you can comment on or make changes to this bug.