Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: a3789656ce600631840823d5ead9f48fc8ea0773
https://github.com/WebKit/WebKit/commit/a3789656ce600631840823d5ead9f48fc8ea0773
Author: Sosuke Suzuki <[email protected]>
Date: 2026-03-12 (Thu, 12 Mar 2026)
Changed paths:
A JSTests/stress/dfg-strength-reduction-regexp-new-regexp-last-index-overwrite.js
M Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp
Log Message:
-----------
[JSC] DFG strength reduction should not clobber lastIndex found via SetRegExpObjectLastIndex
https://bugs.webkit.org/show_bug.cgi?id=309857

Reviewed by Yusuke Suzuki.

When folding RegExpExec/RegExpTest to a constant, DFG strength reduction
performs a backward scan to discover the lastIndex value at the point of
the operation. If it finds a SetRegExpObjectLastIndex node, it correctly
picks up that value.

However, after the scan, the old code would unconditionally overwrite
lastIndex with NewRegExp's child1 constant. This destroyed the value
discovered by the scan, causing the fold to use lastIndex=0 even when
the program had assigned a different value.

    var re = /a/g;
    re.lastIndex = 1;
    re.test("a"); // noDFG: false, DFG/FTL: true

The overwrite existed to correct a different problem: the backward scan
hardcoded lastIndex=0 when reaching the NewRegExp node itself, which is
wrong after ObjectAllocationSinking. That phase materializes NewRegExp
with child1 set to the tracked lastIndex value, not necessarily 0.

Fix by reading child1 at the point where the scan reaches NewRegExp,
instead of hardcoding 0 and correcting it later.

Test: JSTests/stress/dfg-strength-reduction-regexp-new-regexp-last-index-overwrite.js
* JSTests/stress/dfg-strength-reduction-regexp-new-regexp-last-index-overwrite.js: Added.
(shouldBe):
(testGlobal):
(testSticky):
(testExecGlobal):
(testStickyMidString):
(testGlobalLastIndexUpdated):
* Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
Canonical link: https://commits.webkit.org/309179@main
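
The scan-and-overwrite interaction described in the log message, as an added example that is not part of the commit or of JavaScriptCore. It is a toy model: the node shapes and the names makeBlock, foldedLastIndex, foldTest and interpret are assumptions. Passing fixed=false models the old behaviour, and interpret gives the result that straight-line execution of the same nodes produces.

```javascript
// Toy model, constructed for illustration; not JavaScriptCore source.
// Node shapes (op, child1, value, regExp, input) are assumptions.
function makeBlock(child1, setValue, input) {
  const regExp = { op: "NewRegExp", source: "a", flags: "g", child1 };
  const block = [regExp];
  if (setValue !== undefined)
    block.push({ op: "SetRegExpObjectLastIndex", regExp, value: setValue });
  block.push({ op: "RegExpTest", regExp, input });
  return block;
}

// Backward scan from the RegExpTest node for the lastIndex in effect there.
function foldedLastIndex(block, fixed) {
  const test = block[block.length - 1];
  let lastIndex;
  for (let i = block.length - 2; i >= 0 && lastIndex === undefined; i--) {
    const node = block[i];
    if (node.op === "SetRegExpObjectLastIndex" && node.regExp === test.regExp)
      lastIndex = node.value;
    else if (node === test.regExp)
      lastIndex = fixed ? node.child1 : 0; // old scan hardcoded 0 here
  }
  if (lastIndex === undefined) return null; // unknown: no fold
  if (!fixed) lastIndex = test.regExp.child1; // old unconditional overwrite
  return lastIndex;
}

// Result the fold would bake in as a constant.
function foldTest(block, fixed) {
  const test = block[block.length - 1];
  const lastIndex = foldedLastIndex(block, fixed);
  if (lastIndex === null) return null;
  const re = new RegExp(test.regExp.source, test.regExp.flags);
  re.lastIndex = lastIndex;
  return re.test(test.input);
}

// Reference: execute the nodes in program order, as unoptimized code would.
function interpret(block) {
  let re, result;
  for (const node of block) {
    if (node.op === "NewRegExp") {
      re = new RegExp(node.source, node.flags);
      re.lastIndex = node.child1;
    } else if (node.op === "SetRegExpObjectLastIndex") re.lastIndex = node.value;
    else result = re.test(node.input);
  }
  return result;
}
```

makeBlock(0, 1, "a") models the snippet in the log message; makeBlock(1, undefined, "a") models a NewRegExp materialized with child1 = 1 and no intervening store, the case the old overwrite was there to handle.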