NEW 244187
JSC DFG node RegExpTest should compute lastIndex first in RegExpObject::matchInline
https://bugs.webkit.org/show_bug.cgi?id=244187
EntryHi
Reported 2022-08-22 02:08:49 PDT
let outer = 0;

function foo(r, s) {
    r.test(s);          // non-global, non-sticky regex; lastIndex still has to be coerced
    return outer;
}
noInline(foo);

for (let i = 0; i < 50; ++i) {
    let r = /test/;
    regexLastIndex = {};
    regexLastIndex.toString = function () { outer = 1; };   // side effect observable from foo
    r.lastIndex = regexLastIndex;
    let result = foo(r, "bar");
    print(result);
    outer = 2;
}

With the above script as input to JSC, run JSC with the following parameters:

./jsc test.js --useConcurrentJIT=0 --jitPolicyScale=0
./jsc test.js --useConcurrentJIT=0 --jitPolicyScale=1

The interpreter and the JIT print different results. In the interpreter, regexLastIndex.toString is executed, while the JIT does not execute regexLastIndex.toString, so the results are inconsistent.

According to the ECMAScript Language Specification, the implementation of RegExp.prototype.test depends on the result of RegExp.prototype.exec: if exec returns null, test returns false. In exec, whether or not it is in global mode or sticky mode, lastIndex is computed first, and this step eventually reaches JSObject::ordinaryToPrimitive and calls toString.

In the JIT, however, the DFG introduces a RegExpTest node. The implementation of this node does not depend on RegExpExec; RegExpTest invokes RegExpObject::matchInline. When the mode is neither global nor sticky, lastIndex is not computed, so toString is not invoked. This leads to an inconsistency between the interpreter and the JIT: the interpreter executes the logic in toString, while the JIT phase does not, making the results inconsistent.
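The divergence described in the report can be turned into a portable side-effect oracle that works in any engine, not only in the jsc shell. The following is an added example, not code from the bug report or from WebKit; it assumes a spec-compliant engine (it runs under Node.js, and under jsc without needing noInline or print). It uses valueOf rather than toString because ToLength(lastIndex) calls ToPrimitive with hint "number", which tries valueOf first; the report's toString is only reached because a plain {} has no own valueOf that returns a primitive. It goes beyond the single non-global case in the report by checking all four flag combinations and both exec and test, so it also catches an engine that skips the coercion only for one of the two entry points.

```javascript
// Added example (not from the bug report): an oracle for the lastIndex
// coercion that RegExpBuiltinExec performs before it consults the
// global/sticky flags. Every call of exec/test must coerce lastIndex once,
// whatever the flags and whether or not the subject matches.

// lastIndex value whose ToPrimitive conversion is observable through `log`.
// ToLength(lastIndex) -> ToNumber -> ToPrimitive(hint number) -> valueOf.
function observableLastIndex(log) {
  return {
    valueOf() { log.push("valueOf"); return 0; },
  };
}

// Hot call site that a JIT will tier up; `method` is "test" or "exec".
function callRegExp(r, s, method) {
  return method === "test" ? r.test(s) : r.exec(s);
}

// Calls the chosen method on a fresh RegExp `iterations` times and returns
// how many of those calls coerced lastIndex. Expected: === iterations.
function countCoercions(flags, method, iterations) {
  const log = [];
  for (let i = 0; i < iterations; i++) {
    const r = new RegExp("test", flags);
    r.lastIndex = observableLastIndex(log);
    callRegExp(r, "bar", method); // "bar" never matches; coercion must still happen
  }
  return log.length;
}

// Differential check: for each flag combination, exec and test must both
// coerce lastIndex on every call. `consistent` is false on an engine with
// the kind of fast path the report describes (lastIndex skipped when the
// regex is neither global nor sticky).
function checkLastIndexOrdering(iterations = 50) {
  const results = {};
  for (const flags of ["", "g", "y", "gy"]) {
    const exec = countCoercions(flags, "exec", iterations);
    const test = countCoercions(flags, "test", iterations);
    results[flags] = {
      exec,
      test,
      consistent: exec === iterations && test === iterations,
    };
  }
  return results;
}

// Stand-alone run: prints one line per flag set.
for (const [flags, r] of Object.entries(checkLastIndexOrdering())) {
  console.log(`flags=${JSON.stringify(flags)} exec=${r.exec} test=${r.test} consistent=${r.consistent}`);
}
```

To reproduce the report's tiering difference with this probe, run it under jsc twice with --useConcurrentJIT=0 and --jitPolicyScale=0 versus --jitPolicyScale=1 and compare the `test` counts for the empty flag set; an engine that only coerces lastIndex in its baseline path will show a count lower than the iteration count once the call site has been compiled.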
Radar WebKit Bug Importer
Comment 1 2022-08-29 02:09:16 PDT