Bug 1263340 - Part 5: Check RegExp.prototype.flags getter in RegExpPrototypeOptimizable. r=till

js/src/builtin/RegExp.cpp

@@ -14,6 +14,7 @@
 #include "irregexp/RegExpParser.h"
 #include "jit/InlinableNatives.h"
 #include "vm/RegExpStatics.h"
+#include "vm/SelfHosting.h"
 #include "vm/StringBuffer.h"
 #include "vm/Unicode.h"
 
@@ -1582,6 +1583,15 @@ js::RegExpPrototypeOptimizableRaw(JSContext* cx, JSObject* proto, uint8_t* resul
         return true;
     }
 
+    JSFunction* flagsGetter;
+    if (!GetGetterPure(cx, proto, NameToId(cx->names().flags), &flagsGetter))
+        return false;
+
+    if (!IsSelfHostedFunctionWithName(flagsGetter, cx->names().RegExpFlagsGetter)) {
+        *result = false;
+        return true;
+    }
+
     JSNative globalGetter;
     if (!GetOwnNativeGetterPure(cx, proto, NameToId(cx->names().global), &globalGetter))
         return false;

js/src/builtin/RegExp.js

@@ -151,6 +151,7 @@ function RegExpMatch(string) {
 
 // Checks if following properties and getters are not modified, and accessing
 // them not observed by content script:
+//   * flags
 //   * global
 //   * ignoreCase
 //   * multiline

js/src/vm/CommonPropertyNames.h

@@ -245,6 +245,7 @@
     macro(raw, raw, "raw") \
     macro(reason, reason, "reason") \
     macro(RegExpBuiltinExec, RegExpBuiltinExec, "RegExpBuiltinExec") \
+    macro(RegExpFlagsGetter, RegExpFlagsGetter, "RegExpFlagsGetter") \
     macro(RegExpMatcher, RegExpMatcher, "RegExpMatcher") \
     macro(RegExpSearcher, RegExpSearcher, "RegExpSearcher") \
     macro(RegExpTester, RegExpTester, "RegExpTester") \

js/src/vm/RegExpObject.h

@@ -328,6 +328,7 @@ class RegExpCompartment
 
     /*
      * The shape of RegExp.prototype object that satisfies following:
+     *   * RegExp.prototype.flags getter is not modified
      *   * RegExp.prototype.global getter is not modified
      *   * RegExp.prototype.ignoreCase getter is not modified
      *   * RegExp.prototype.multiline getter is not modified