246274 – String.prototype.replace should not take fast path if the pattern is RegExp Object and the lastIndex is not numeric

Bug 246274 - String.prototype.replace should not take fast path if the pattern is RegExp Object and the lastIndex is not numeric

Summary: String.prototype.replace should not take fast path if the pattern is RegExp O...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	WebKit Local Build
Hardware:	PC Linux

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:	BrowserCompat, InRadar

Depends on:
Blocks:

Reported:	2022-10-10 04:52 PDT by EntryHi
Modified:	2024-02-23 13:29 PST (History)
CC List:	5 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description EntryHi 2022-10-10 04:52:57 PDT

for (let i = 0; i < 3000; ++i) {
  let r = /abcd/;
  regexLastIndex = {};
  regexLastIndex.toString = function () {
    print(i)
    return "1";
  };
  r.lastIndex = regexLastIndex;
  "test".replace(r, "cons")
}

With the above script as input to JSC, run JSC with the following parameters:
./jsc test.js --useConcurrentJIT=0

This bug is similar to 191731, but they are different. The above js scripts should print 0-2999, but jsc only prints 0-2209.

In DFGBytecodeParser, replace is inlined into StringReplace node. In DFGStrengthReduction, StringReplace is converted to Identity.
So after DFG, lastIndex is no longer read and updated. Therefore, regexLastIndex.toString is no longer invoked.

Comment 1 Karl Dubost 2022-10-13 03:07:42 PDT

Modified to run in the browser console. 

```
for (let i = 0; i < 3000; ++i) {
  let r = /abcd/;
  regexLastIndex = {};
  regexLastIndex.toString = function () {
    console.log(i)
    return "1";
  };
  r.lastIndex = regexLastIndex;
  "test".replace(r, "cons")
}
```

Safari result is random
Both Firefox and Chrome print until 2999.

Tested on macOS 13.0
---
Safari Technology Preview  155           18615.1.7.1
Firefox Nightly            107.0a1       10722.10.4
Google Chrome Canary       108.0.5355.0  5355.0

Comment 2 Radar WebKit Bug Importer 2022-10-13 05:28:55 PDT

<rdar://problem/101122567>

Comment 3 Sosuke Suzuki 2024-02-22 10:51:10 PST

Pull request: https://github.com/WebKit/WebKit/pull/24959

Comment 4 EWS 2024-02-23 13:29:32 PST

Committed 275255@main (3790f1e3cc0a): <https://commits.webkit.org/275255@main>

Reviewed commits have been landed. Closing PR #24959 and removing active labels.