[regexp] Fix invalid lastIndex handling in RegExp.p[@@replace]

The RegExp replace implementation is a bit of a mess. Here, we first try to handle parts of RegExp.p.exec, and then call directly into the raw irregexp code (skipping RegExp.p.exec). We got parts of this wrong: when lastIndex > string.length and the regexp instance is sticky, two things should happen. 1. The match should fail, and 2. lastIndex should be reset to 0. On the fast path, we did the latter but not the former, instead running exec with a lastIndex of 0. This CL omits the irregexp call in this case, and defaults to a failed match instead. Bug: chromium:875493 Change-Id: I8c959610d267575e37686076a3fd5dfde322f0ca Reviewed-on: https://chromium-review.googlesource.com/1180889 Commit-Queue: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Mathias Bynens <mathias@chromium.org> Cr-Commit-Position: refs/heads/master@{#55207}

[regexp] Fix invalid lastIndex handling in RegExp.p[@@replace]
The RegExp replace implementation is a bit of a mess. Here, we first try to handle parts of RegExp.p.exec, and then call directly into the raw irregexp code (skipping RegExp.p.exec). We got parts of this wrong: when lastIndex > string.length and the regexp instance is sticky, two things should happen. 1. The match should fail, and 2. lastIndex should be reset to 0. On the fast path, we did the latter but not the former, instead running exec with a lastIndex of 0. This CL omits the irregexp call in this case, and defaults to a failed match instead. Bug: chromium:875493 Change-Id: I8c959610d267575e37686076a3fd5dfde322f0ca Reviewed-on: https://chromium-review.googlesource.com/1180889 Commit-Queue: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Mathias Bynens <mathias@chromium.org> Cr-Commit-Position: refs/heads/master@{#55207}
d74a9fd5 · jgruber · Commit Bot · 3b336a2e · d74a9fd5 · d74a9fd5
Commit d74a9fd5 authored Aug 20, 2018 by jgruber Committed by Commit Bot Aug 20, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 31 additions and 7 deletions

runtime-regexp.cc src/runtime/runtime-regexp.cc +11 -7

regress-875493.js test/mjsunit/regress/regress-875493.js +20 -0

No files found.
--- a/src/runtime/runtime-regexp.cc
+++ b/src/runtime/runtime-regexp.cc
@@ -1323,15 +1323,19 @@ V8_WARN_UNUSED_RESULT MaybeHandle<String> RegExpReplace(
                                 Object::ToLength(isolate, last_index_obj),
                                 String);
      last_index = PositiveNumberToUint32(*last_index_obj);
-
-      if (last_index > static_cast<uint32_t>(string->length())) last_index = 0;
    }

-    Handle<Object> match_indices_obj;
-    ASSIGN_RETURN_ON_EXCEPTION(
-        isolate, match_indices_obj,
-        RegExpImpl::Exec(isolate, regexp, string, last_index, last_match_info),
-        String);
+    Handle<Object> match_indices_obj(ReadOnlyRoots(isolate).null_value(),
+                                     isolate);
+
+    // A lastIndex exceeding the string length always always returns null
+    // (signalling failure) in RegExpBuiltinExec, thus we can skip the call.
+    if (last_index <= static_cast<uint32_t>(string->length())) {
+      ASSIGN_RETURN_ON_EXCEPTION(isolate, match_indices_obj,
+                                 RegExpImpl::Exec(isolate, regexp, string,
+                                                  last_index, last_match_info),
+                                 String);
+    }

    if (match_indices_obj->IsNull(isolate)) {
      if (sticky) regexp->set_last_index(Smi::kZero, SKIP_WRITE_BARRIER);

--- a/test/mjsunit/regress/regress-875493.js
+++ b/test/mjsunit/regress/regress-875493.js
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function test() {
+  const re = /./y;
+  re.lastIndex = 3;
+  const str = 'fg';
+  return re[Symbol.replace](str, '$');
+}
+
+%SetForceSlowPath(false);
+const fast = test();
+%SetForceSlowPath(true);
+const slow = test();
+%SetForceSlowPath(false);
+
+assertEquals(slow, fast);