#2625 — 21.2.5.7 RegExp.prototype.replace, 21.2.5.2.1 RegExpExec: Dynamic flags retrieval is unsafe

bug_id: 2625
creation_ts: 2014-04-10 07:47:00 -0700
short_desc: 21.2.5.7 RegExp.prototype.replace, 21.2.5.2.1 RegExpExec: Dynamic flags retrieval is unsafe
delta_ts: 2014-04-29 22:20:25 -0700
product: Draft for 6th Edition
component: technical issue
version: Rev 23: April 5, 2014 Draft
rep_platform: All
op_sys: All
bug_status: RESOLVED
resolution: FIXED
priority: Normal
bug_severity: normal
everconfirmed: true
reporter: André Bargull
assigned_to: Allen Wirfs-Brock

commentid: 7654
comment_count: 0
who: André Bargull
bug_when: 2014-04-10 07:47:49 -0700

21.2.5.7 RegExp.prototype.replace ( string, replaceValue )
21.2.5.2.1 Runtime Semantics: RegExpExec Abstract Operation

The dynamic regular expression flags retrieval with Get() is unsafe when it is performed multiple times, like in RegExp.prototype.replace().

Multiple solutions are possible:
- retrieve flags only once with Get()
- retrieve flags with internal [[OriginalFlags]] field
- change 21.2.5.7, step 16.d.xv to handle the case when nextSrcPosition > position

Expected: No error
Actual: Attempt to retrieve substring [start=8, end=0]

Test case:
---
var re = /test/;
var glob = true;
var c = 0;
Object.defineProperty(re, "global", {
get() {
c += 1;
if (c == 3) {
re.compile(/pre/);
}
if (c == 4) {
re.compile(/kaboom/);
}
var g = glob;
glob = false;
return g;
}
});
"pre-test".replace(re, function(){});
---

commentid: 7737
comment_count: 1
who: Allen Wirfs-Brock
bug_when: 2014-04-15 17:11:15 -0700

fixed in rev24 editor's draft.

Took the third alternative as subclasses could (either intentionally or unintentionally) also cause the position to move backs words changing the RegExp match algorithm it uses.

commentid: 8006
comment_count: 2
who: Allen Wirfs-Brock
bug_when: 2014-04-29 22:20:25 -0700

fixed in rev24

archives

#2625 — 21.2.5.7 RegExp.prototype.replace, 21.2.5.2.1 RegExpExec: Dynamic flags retrieval is unsafe