New issue
Advanced search Search tips

Issue 907016 link

Starred by 1 user
Status: Duplicate
Owner:
jarin@chromium.org
Closed: Nov 20
Cc:
bmeu...@chromium.org
jgruber@chromium.org
jarin@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug



Sign in to add a comment

RegExp.test fastpath not taken by default

Project Member Reported by sroett...@google.com, Nov 20 
Chrome Version: https://chromium.googlesource.com/v8/v8.git/+/a8a05aff3c678a9566519c876bf3299b5b8c08af%5E%21/
OS: any

The commit above introduced a bug in the regexp.test fast path handling. I.e. the following javascript triggers a CSA_ASSERT:

```
function foo() {
  let r = /asdf/;
  r.exec = console.log;
  return r.test('asdf');
}
try {foo();} catch {}
%OptimizeFunctionOnNextCall(foo);
foo();
```

v8/out/x64.debug/d8 --allow-natives-syntax test.js
abort: CSA_ASSERT failed: IsFastRegExpWithOriginalExec(context, regexp) [../../src/builtins/builtins-regexp-gen.cc:1774]

It's supposed to take the fast path if exec is a DataConstant and it's pointing to RegExp.prototype.regex. However, the code is checking that it's _not_ pointing to RegExp.prototype.regex by accident:
+  if (ai_exec.IsDataConstant()) {
+    if (ai_exec.constant().is_identical_to(isolate()->regexp_exec_function())) {
+      return NoChange();
+    }
+  } [...]
   do_fastpath();

So in the common case, the fastpath is never taken.

To fix, add a logical not to the check:
- if (ai_exec.constant().is_identical_to(isolate()->regexp_exec_function())) {
+ if (!ai_exec.constant().is_identical_to(isolate()->regexp_exec_function())) {

Comment 1 by bmeu...@chromium.org, Nov 20

Owner: jarin@chromium.org
Status: Assigned (was: Untriaged)

Comment 2 by bmeu...@chromium.org, Nov 20

Cc: jgruber@chromium.org

Comment 3 by jarin@google.com, Nov 20

Mergedinto: 906893
Status: Duplicate (was: Assigned)
This has been already fixed.

Sign in to add a comment