Bug 191731

Summary:

RegExp operations should not take fast patch if lastIndex is not numeric.

Product:

WebKit

Reporter:

Mark Lam <mark.lam>

Component:

JavaScriptCore

Assignee:

Mark Lam <mark.lam>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

ews-watchlist, joepeck, keith_miller, msaboff, sbarati, webkit-bug-importer

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
proposed patch.	none

Description Mark Lam 2018-11-15 18:11:14 PST

This is because if lastIndex is an object with a valueOf() method, it can execute arbitrary code and side effects not permitted by the RegExp fast paths.

<rdar://problem/46017305>

Comment 1 Mark Lam 2018-11-15 18:20:21 PST

Created attachment 355010 [details]
proposed patch.

Comment 2 Saam Barati 2018-11-15 20:02:09 PST

Comment on attachment 355010 [details]
proposed patch.

r=me

Comment 3 Mark Lam 2018-11-15 21:13:19 PST

Thanks for the review.  Landed in r238267: <http://trac.webkit.org/r238267>.

Comment 4 Saam Barati 2018-11-16 11:43:46 PST

Comment on attachment 355010 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=355010&action=review

> JSTests/ChangeLog:3
> +        RegExp operations should not take fast patch if lastIndex is not numeric.

oops, this should be "path" not "patch"