[webkit-changes] [WebKit/WebKit] 293d5d: [JSC] DFG String#charAt should support out-of-bounds

Yusuke Suzuki noreply at github.com
Tue Jun 27 19:58:03 PDT 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 293d5d8cb3904456aa590d93825f4378bd104182
      https://github.com/WebKit/WebKit/commit/293d5d8cb3904456aa590d93825f4378bd104182
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2023-06-27 (Tue, 27 Jun 2023)

  Changed paths:
    A JSTests/stress/string-charat-oob.js
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
    M Source/JavaScriptCore/dfg/DFGClobberize.h
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

  Log Message:
  -----------
  [JSC] DFG String#charAt should support out-of-bounds
https://bugs.webkit.org/show_bug.cgi?id=201678
rdar://111421698

Reviewed by Keith Miller.

This patch adds String#charAt OOB handling. Unlike the `string[0]` case,
String#charAt always returns an empty string when the index is out of bounds.
This is great since,

1. DFG AI just says it returns a string regardless of whether it is OOB.
2. We do not need to consider OutOfBounds OSR exit. Let's just return an empty string if it is OOB.

* JSTests/stress/string-charat-oob.js: Added.
(shouldBe):
(test):
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* Source/JavaScriptCore/dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByValOnString):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileStringCharAtImpl):

Canonical link: https://commits.webkit.org/265572@main
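
The semantic difference the log message relies on, as an added example that is not part of the commit or of WebKit's JSTests/stress/string-charat-oob.js: in a hot loop, charAt yields only strings for in-bounds and out-of-bounds indices alike, while indexed access also yields undefined. The names specCharAt, viaCharAt, viaIndex and observe and the sample indices are constructed for illustration.

```javascript
// Added example; not WebKit code. All names and sample values are constructed.

// Reference model of String.prototype.charAt per ECMAScript:
// position = ToIntegerOrInfinity(pos); an out-of-range position yields "".
function specCharAt(str, pos) {
    let n = Number(pos);
    n = Number.isNaN(n) ? 0 : Math.trunc(n);
    return (n < 0 || n >= str.length) ? "" : str[n];
}

// Kept small and monomorphic so an optimizing JIT can tier them up.
function viaCharAt(str, i) { return str.charAt(i); }
function viaIndex(str, i) { return str[i]; }

// Run both access forms in a hot loop over in-bounds and OOB indices,
// check charAt against the model, and record the result types seen.
function observe(iterations) {
    const str = "webkit";
    const indices = [0, 5, 6, 7, -1, 1 << 30, -(1 << 30)];
    const charAtTypes = new Set();
    const indexTypes = new Set();
    for (let iter = 0; iter < iterations; ++iter) {
        for (const i of indices) {
            const c = viaCharAt(str, i);
            if (c !== specCharAt(str, i))
                throw new Error(`charAt(${i}) returned ${JSON.stringify(c)}`);
            charAtTypes.add(typeof c);
            indexTypes.add(typeof viaIndex(str, i));
        }
    }
    return {
        charAtTypes: [...charAtTypes].sort(),
        indexTypes: [...indexTypes].sort(),
    };
}

const result = observe(1e4);
console.log(result);
```

A result type outside "string" for charAt, or a mismatch against the model after warm-up, would indicate that an optimized tier diverges from the baseline semantics.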



