[Webkit-unassigned] [Bug 244187] New: JSC DFG node RegExpTest should compute lastIndex first in RegExpObject::matchInline

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Aug 22 02:08:49 PDT 2022 

https://bugs.webkit.org/show_bug.cgi?id=244187

            Bug ID: 244187
           Summary: JSC DFG node RegExpTest should compute lastIndex first
                    in RegExpObject::matchInline
           Product: WebKit
           Version: WebKit Local Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: entryhii at gmail.com

let outer=0
function foo(r, s) {
  r.test(s);
  return outer;
}
noInline(foo);
for (let i = 0; i < 50; ++i) {
  let r = /test/;
  regexLastIndex = {};
  regexLastIndex.toString = function () {
    outer = 1;
  };
  r.lastIndex = regexLastIndex;
  let result = foo(r, "bar");
  print(result)
  outer = 2
}

With the above script as input to JSC, run JSC with the following parameters:
./jsc test.js --useConcurrentJIT=0 --jitPolicyScale=0
./jsc test.js --useConcurrentJIT=0 --jitPolicyScale=1


Interpreter and JIT print out different results. In the interpreter, regexLastIndex.toString is executed, while JIT does not execute regexLastIndex.toString, so the results are inconsistent.

According to the ECMAScript Language Specification, the implementation of Regex.prototype.test depends on the result of Regex.prototype.exec. If exec returns null, test returns false. In exec, whether it is global mode or sticky mode, the lastIndex will be computed first, and this step will eventually execute to JSObject::ordinaryToPrimitive and call toString.

But in JIT, DFG introduces a RegExpTest node. The implementation of this node does not depend on RegExpExec. RegExpTest will invoke RegExpObject::matchInline. When the mode is non global and non sticky, the lastIndex will not be computed, so toString will not be invoked. This leads to inconsistencies between interpreter and JIT. The interpreter will execute the logic in toString, while the JIT phase does not execute the toString logic, making the result inconsistent.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20220822/11f432bf/attachment.htm>

More information about the webkit-unassigned mailing list