[turbofan] Fix correctness issue in startsWith

This CL fixes a previous change in String.prototype.startsWith which didn't throw an exception (in the optimized version) when `undefined` was passed as a receiver and the search string was the empty string. Bug: chromium:1230260 Change-Id: I835bd409b09b78bf7235c77596f62b588c95611d Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3040841 Commit-Queue: Maya Lekova <mslekova@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Auto-Submit: Maya Lekova <mslekova@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#75818}

[turbofan] Fix correctness issue in startsWith
This CL fixes a previous change in String.prototype.startsWith which didn't throw an exception (in the optimized version) when `undefined` was passed as a receiver and the search string was the empty string. Bug: chromium:1230260 Change-Id: I835bd409b09b78bf7235c77596f62b588c95611d Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3040841 Commit-Queue: Maya Lekova <mslekova@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Auto-Submit: Maya Lekova <mslekova@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#75818}
e9acaed6 · Maya Lekova · V8 LUCI CQ · 334b94e1 · e9acaed6 · e9acaed6
Commit e9acaed6 authored Jul 20, 2021 by Maya Lekova Committed by V8 LUCI CQ Jul 20, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 27 additions and 7 deletions

js-call-reducer.cc src/compiler/js-call-reducer.cc +6 -7

regress-crbug-1230260.js test/mjsunit/compiler/regress-crbug-1230260.js +21 -0

No files found.
--- a/src/compiler/js-call-reducer.cc
+++ b/src/compiler/js-call-reducer.cc
@@ -6424,19 +6424,18 @@ Reduction JSCallReducer::ReduceStringPrototypeStartsWith(Node* node) {
    if (target_ref.IsString()) {
      StringRef str = target_ref.AsString();
      if (str.length().has_value()) {
+        receiver = effect = graph()->NewNode(
+            simplified()->CheckString(p.feedback()), receiver, effect, control);
+
+        position = effect = graph()->NewNode(
+            simplified()->CheckSmi(p.feedback()), position, effect, control);
+
        if (str.length().value() == 0) {
          Node* value = jsgraph()->TrueConstant();
          ReplaceWithValue(node, value, effect, control);
          return Replace(value);
        }
        if (str.length().value() == 1) {
-          receiver = effect =
-              graph()->NewNode(simplified()->CheckString(p.feedback()),
-                               receiver, effect, control);
-
-          position = effect = graph()->NewNode(
-              simplified()->CheckSmi(p.feedback()), position, effect, control);
-
          Node* string_length =
              graph()->NewNode(simplified()->StringLength(), receiver);
          Node* unsigned_position = graph()->NewNode(

--- a/test/mjsunit/compiler/regress-crbug-1230260.js
+++ b/test/mjsunit/compiler/regress-crbug-1230260.js
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --no-lazy-feedback-allocation
+
+function foo() {
+  String.prototype.startsWith.call(undefined, "");
+}
+%PrepareFunctionForOptimization(foo);
+assertThrows(foo);
+%OptimizeFunctionOnNextCall(foo);
+assertThrows(foo);
+
+function bar() {
+  "bla".startsWith("", Symbol(''));
+}
+%PrepareFunctionForOptimization(bar);
+assertThrows(bar);
+%OptimizeFunctionOnNextCall(bar);
+assertThrows(bar);