Bug 191731

Summary: RegExp operations should not take fast patch if lastIndex is not numeric.
Product: WebKit Reporter: Mark Lam <mark.lam>
Component: JavaScriptCoreAssignee: Mark Lam <mark.lam>
Status: RESOLVED FIXED    
Severity: Normal CC: ews-watchlist, joepeck, keith_miller, msaboff, sbarati, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
proposed patch. none

Description Mark Lam 2018-11-15 18:11:14 PST
This is because if lastIndex is an object with a valueOf() method, it can execute arbitrary code and side effects not permitted by the RegExp fast paths.

<rdar://problem/46017305>
Comment 1 Mark Lam 2018-11-15 18:20:21 PST
Created attachment 355010 [details]
proposed patch.
Comment 2 Saam Barati 2018-11-15 20:02:09 PST
Comment on attachment 355010 [details]
proposed patch.

r=me
Comment 3 Mark Lam 2018-11-15 21:13:19 PST
Thanks for the review.  Landed in r238267: <http://trac.webkit.org/r238267>.
Comment 4 Saam Barati 2018-11-16 11:43:46 PST
Comment on attachment 355010 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=355010&action=review

> JSTests/ChangeLog:3
> +        RegExp operations should not take fast patch if lastIndex is not numeric.

oops, this should be "path" not "patch"