Fix leaking lastIndex values in RegExp built-ins (#4166)

JerryScript-DCO-1.0-Signed-off-by: Dániel Bátyai daniel.batyai@h-lab.eu
2020-08-28 13:09:53 +02:00
parent 6d0e948bef
commit e98f5342f9
3 changed files with 58 additions and 17 deletions
@@ -567,7 +567,6 @@ ecma_make_length_value (ecma_length_t number) /**< number to be encoded */
    return ecma_make_integer_value ((ecma_integer_value_t) number);
  }

-  JERRY_ASSERT (number <= ECMA_NUMBER_MAX_SAFE_INTEGER);
  return ecma_create_float_number ((ecma_number_t) number);
 } /* ecma_make_length_value */

@@ -2263,11 +2263,14 @@ ecma_regexp_split_helper (ecma_value_t this_arg, /**< this value */
  while (current_index < string_length)
  {
    /* 24.a-b. */
+    ecma_value_t index_value = ecma_make_length_value (current_index);
    result = ecma_op_object_put (splitter_obj_p,
                                 lastindex_str_p,
-                                 ecma_make_length_value (current_index),
+                                 index_value,
                                 true);

+    ecma_free_value (index_value);
+
    if (ECMA_IS_VALUE_ERROR (result))
    {
      goto cleanup_array;
@@ -2771,11 +2774,14 @@ ecma_regexp_replace_helper_fast (ecma_replace_context_t *ctx_p, /**<replace cont
 #if ENABLED (JERRY_ESNEXT)
        if (JERRY_UNLIKELY ((re_ctx.flags & RE_FLAG_STICKY) != 0))
        {
+          ecma_value_t index_value = ecma_make_length_value (index);
          result = ecma_op_object_put ((ecma_object_t *) re_obj_p,
                                       ecma_get_magic_string (LIT_MAGIC_STRING_LASTINDEX_UL),
-                                       ecma_make_length_value (index),
+                                       index_value,
                                       true);

+          ecma_free_value (index_value);
+
          if (ECMA_IS_VALUE_ERROR (result))
          {
            goto cleanup_builder;
@@ -3063,24 +3069,28 @@ ecma_regexp_replace_helper (ecma_value_t this_arg, /**< this argument */
        goto cleanup_results;
      }

+      ecma_value_t last_index = result;
+
      ecma_length_t index;
-      if (ECMA_IS_VALUE_ERROR (ecma_op_to_length (result, &index)))
+      result = ecma_op_to_length (last_index, &index);
+      ecma_free_value (last_index);
+
+      if (ECMA_IS_VALUE_ERROR (result))
      {
-        ecma_free_value (result);
-        result = ECMA_VALUE_ERROR;
        goto cleanup_results;
      }

-      ecma_free_value (result);
-
      index = ecma_op_advance_string_index (string_p, index, (replace_ctx.flags & RE_FLAG_UNICODE) != 0);
+      last_index = ecma_make_length_value (index);

      /* 10.d.iii.3.c */
      result = ecma_op_object_put (this_obj_p,
                                   ecma_get_magic_string (LIT_MAGIC_STRING_LASTINDEX_UL),
-                                   ecma_make_length_value (index),
+                                   last_index,
                                   true);

+      ecma_free_value (last_index);
+
      if (ECMA_IS_VALUE_ERROR (result))
      {
        goto cleanup_results;
@@ -3469,18 +3479,18 @@ ecma_regexp_match_helper (ecma_value_t this_arg, /**< this argument */

    if (is_match_empty)
    {
-      ecma_value_t this_index = ecma_op_object_get_by_magic_id (obj_p, LIT_MAGIC_STRING_LASTINDEX_UL);
+      ecma_value_t last_index = ecma_op_object_get_by_magic_id (obj_p, LIT_MAGIC_STRING_LASTINDEX_UL);

-      if (ECMA_IS_VALUE_ERROR (this_index))
+      if (ECMA_IS_VALUE_ERROR (last_index))
      {
        goto result_cleanup;
      }

 #if ENABLED (JERRY_ESNEXT)
      ecma_length_t index;
-      ecma_value_t length_value = ecma_op_to_length (this_index, &index);
+      ecma_value_t length_value = ecma_op_to_length (last_index, &index);

-      ecma_free_value (this_index);
+      ecma_free_value (last_index);

      if (ECMA_IS_VALUE_ERROR (length_value))
      {
@@ -3489,20 +3499,23 @@ ecma_regexp_match_helper (ecma_value_t this_arg, /**< this argument */

      index = ecma_op_advance_string_index (str_p, index, full_unicode);

+      last_index = ecma_make_length_value (index);
      ecma_value_t next_set_status = ecma_op_object_put (obj_p,
                                                         ecma_get_magic_string (LIT_MAGIC_STRING_LASTINDEX_UL),
                                                         ecma_make_length_value (index),
                                                         true);
 #else /* !ENABLED (JERRY_ESNEXT) */
-      ecma_number_t next_index = ecma_get_number_from_value (this_index);
+      ecma_number_t index = ecma_get_number_from_value (last_index);
+      ecma_free_value (last_index);

+      last_index = ecma_make_number_value (index + 1);
      ecma_value_t next_set_status = ecma_op_object_put (obj_p,
                                                         ecma_get_magic_string (LIT_MAGIC_STRING_LASTINDEX_UL),
-                                                         ecma_make_number_value (next_index + 1),
+                                                         last_index,
                                                         true);

-      ecma_free_value (this_index);
 #endif /* ENABLED (JERRY_ESNEXT) */
+      ecma_free_value (last_index);

      if (ECMA_IS_VALUE_ERROR (next_set_status))
      {
@@ -721,4 +721,33 @@ assert(r[Symbol.replace]("aaaa", function(match, index) {
 }) === "baaa");

 assert (replaceCalled);
-assert (r.lastIndex === 2)
+assert (r.lastIndex === 2);
+
+(function () {
+  var r = /./g;
+  var execWasCalled = false;
+  var coercibleIndex = {
+    valueOf: function() {
+      return Math.pow(2, 54);
+    },
+  };
+
+  var result = {
+    length: 1,
+    0: '',
+    index: 0,
+  };
+
+  r.exec = function() {
+    if (execWasCalled) {
+      return null;
+    }
+
+    r.lastIndex = coercibleIndex;
+    execWasCalled = true;
+    return result;
+  };
+
+  assert(r[Symbol.replace]('', '') === '');
+  assert(r.lastIndex === Math.pow(2, 53));
+})();