[turbofan] Add a type check to String.prototype.startsWith

The ReduceStringPrototypeStartsWith implementation in TurboFan
was doing the CheckString too late, after returning "false" in
case there are no arguments.

Fixed: chromium:1065741
Change-Id: I1016383d65120d3b050e76d6ac41986497af0b8d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2129639
Commit-Queue: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#66948}

src/compiler/js-call-reducer.cc

@@ -5810,19 +5810,24 @@ Reduction JSCallReducer::ReduceStringPrototypeStartsWith(Node* node) {
   if (p.speculation_mode() == SpeculationMode::kDisallowSpeculation) {
     return NoChange();
   }
+
+  Node* receiver = NodeProperties::GetValueInput(node, 1);
+  Node* effect = NodeProperties::GetEffectInput(node);
+  Node* control = NodeProperties::GetControlInput(node);
+
   if (node->op()->ValueInputCount() < 3) {
+    effect = graph()->NewNode(simplified()->CheckString(p.feedback()), receiver,
+                              effect, control);
+
     Node* value = jsgraph()->FalseConstant();
-    ReplaceWithValue(node, value);
+    ReplaceWithValue(node, value, effect, control);
     return Replace(value);
   }
 
-  Node* string = NodeProperties::GetValueInput(node, 1);
   Node* search_string = NodeProperties::GetValueInput(node, 2);
   Node* position = node->op()->ValueInputCount() >= 4
                        ? NodeProperties::GetValueInput(node, 3)
                        : jsgraph()->ZeroConstant();
-  Node* effect = NodeProperties::GetEffectInput(node);
-  Node* control = NodeProperties::GetControlInput(node);
 
   HeapObjectMatcher m(search_string);
   if (m.HasValue()) {
@@ -5830,13 +5835,14 @@ Reduction JSCallReducer::ReduceStringPrototypeStartsWith(Node* node) {
     if (target_ref.IsString()) {
       StringRef str = target_ref.AsString();
       if (str.length() == 1) {
-        string = effect = graph()->NewNode(
-            simplified()->CheckString(p.feedback()), string, effect, control);
+        receiver = effect = graph()->NewNode(
+            simplified()->CheckString(p.feedback()), receiver, effect, control);
+
         position = effect = graph()->NewNode(
             simplified()->CheckSmi(p.feedback()), position, effect, control);
 
         Node* string_length =
-            graph()->NewNode(simplified()->StringLength(), string);
+            graph()->NewNode(simplified()->StringLength(), receiver);
         Node* unsigned_position = graph()->NewNode(
             simplified()->NumberMax(), position, jsgraph()->ZeroConstant());
 
@@ -5856,7 +5862,7 @@ Reduction JSCallReducer::ReduceStringPrototypeStartsWith(Node* node) {
           Node* masked_position =
               graph()->NewNode(simplified()->PoisonIndex(), unsigned_position);
           Node* string_first = etrue =
-              graph()->NewNode(simplified()->StringCharCodeAt(), string,
+              graph()->NewNode(simplified()->StringCharCodeAt(), receiver,
                                masked_position, etrue, if_true);
 
           Node* search_first = jsgraph()->Constant(str.GetFirstChar());

test/mjsunit/regress/regress-crbug-1065741.js

+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --opt
+
+function bar() {
+  String.prototype.startsWith.apply();
+}
+
+%PrepareFunctionForOptimization(bar);
+assertThrows(bar, TypeError);
+assertThrows(bar, TypeError);
+%OptimizeFunctionOnNextCall(bar);
+assertThrows(bar, TypeError);
+%PrepareFunctionForOptimization(bar);
+%OptimizeFunctionOnNextCall(bar);
+assertThrows(bar, TypeError);
+assertOptimized(bar);