Bug 145352

Summary: String.prototype.charAt() should use StringView.
Product: WebKit Reporter: Andreas Kling <kling>
Component: JavaScriptCore Assignee: Andreas Kling <kling>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, darin, kling
Priority: P2 Keywords: Performance
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch none

Description Andreas Kling 2015-05-23 14:02:55 PDT
String.prototype.charAt() currently always reifies JSString. This is wasteful if the JSString is a substring.
It also uses jsSingleCharacterSubstring() which is a counter-productive optimization, so let's remove that.
Comment 1 Andreas Kling 2015-05-23 14:11:09 PDT
Created attachment 253651 [details]
Patch
Comment 2 WebKit Commit Bot 2015-05-26 11:54:17 PDT
Comment on attachment 253651 [details]
Patch

Clearing flags on attachment: 253651

Committed r184865: <http://trac.webkit.org/changeset/184865>
Comment 3 WebKit Commit Bot 2015-05-26 11:54:20 PDT
All reviewed patches have been landed.  Closing bug.
Comment 4 Geoffrey Garen 2015-12-15 16:17:56 PST
Comment on attachment 253651 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=253651&action=review

> Source/JavaScriptCore/runtime/StringPrototype.cpp:788
> +    StringView string = thisValue.toString(exec)->view(exec);

This code is wrong. It takes a temporary reference to a string's backing store, but nothing prevents that backing store from being deleted or garbage collected.

This code is only possible because JSString::SafeView will automatically convert to StringView, due to its operator StringView(). It is very weird that the safe type automatically converts to the unsafe type. That makes the safe type unsafe too.
Comment 5 Darin Adler 2015-12-15 16:35:37 PST
Comment on attachment 253651 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=253651&action=review

>> Source/JavaScriptCore/runtime/StringPrototype.cpp:788
>> +    StringView string = thisValue.toString(exec)->view(exec);
> 
> This code is wrong. It takes a temporary reference to a string's backing store, but nothing prevents that backing store from being deleted or garbage collected.
> 
> This code is only possible because JSString::SafeView will automatically convert to StringView, due to its operator StringView(). It is very weird that the safe type automatically converts to the unsafe type. That makes the safe type unsafe too.

I spotted the same mistake in another patch recently.
Comment 6 Andreas Kling 2015-12-15 16:40:22 PST
crab

That operator StringView() is kind of a footgun, eh.
Comment 7 Darin Adler 2015-12-15 19:45:06 PST
Oh, all we need to do is to make the return type be SafeView instead of StringView.
Comment 8 Darin Adler 2015-12-15 19:46:03 PST
(In reply to comment #4)
> It is very weird
> that the safe type automatically converts to the unsafe type. That makes the
> safe type unsafe too.

The job of SafeView is to make code like this OK:

    function(value->view(exec));

It doesn’t make code with local variables safe. Perhaps we can find an even better solution.
Comment 9 Darin Adler 2015-12-15 19:46:26 PST
(In reply to comment #7)
> Oh, all we need to do is to make the return type be SafeView instead of
> StringView.

local variable type, not return type

Never occurred to me to actually use SafeView as a local variable.
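As an added illustration (not code from the patch or from WebKit), a stand-in model of the footgun discussed in comments 4, 8 and 9: the SafeView, JSString and StringView here are simplified constructed types, and std::shared_ptr stands in for the garbage collector so the dangling view is observed through a weak_ptr rather than by reading freed memory.

```cpp
#include <memory>
#include <string>
#include <string_view>
#include <utility>

// Backing store of a JS string (GC-managed in JavaScriptCore; shared_ptr here).
struct StringImpl { std::string chars; };

// Non-owning view, standing in for WTF::StringView.
using StringView = std::string_view;

// Stand-in for JSString::SafeView: owns the store while it exists, and implicitly
// converts to the unsafe view (the footgun from comment 4).
class SafeView {
public:
    explicit SafeView(std::shared_ptr<StringImpl> impl) : m_impl(std::move(impl)) {}
    operator StringView() const { return m_impl->chars; }
    char front() const { return m_impl->chars.front(); }
private:
    std::shared_ptr<StringImpl> m_impl;
};

// Stand-in for JSString: hands out a SafeView, as view(exec) does.
struct JSString {
    std::shared_ptr<StringImpl> impl;
    SafeView view() const { return SafeView(impl); }
};

// Pattern from the patch: a StringView local bound to view(). The SafeView
// temporary dies at the end of the full expression, so after the "GC" drops the
// store the local dangles. Returns whether the store is still alive afterwards.
bool storeAliveWithStringViewLocal()
{
    JSString str{std::make_shared<StringImpl>(StringImpl{"hello"})};
    std::weak_ptr<StringImpl> watcher = str.impl;
    StringView string = str.view();   // SafeView temporary destroyed here
    str.impl.reset();                 // simulated GC of the backing store
    (void)string;                     // now dangling; never dereference it
    return !watcher.expired();        // false
}

// Fix from comment 9: make the local a SafeView so it owns the store.
bool storeAliveWithSafeViewLocal()
{
    JSString str{std::make_shared<StringImpl>(StringImpl{"hello"})};
    std::weak_ptr<StringImpl> watcher = str.impl;
    SafeView string = str.view();     // keeps the store alive across the "GC"
    str.impl.reset();
    return !watcher.expired() && string.front() == 'h';   // true
}
```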