Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 21b46f50939e307338b866ac8548e02d98f6a73f
      
https://github.com/WebKit/WebKit/commit/21b46f50939e307338b866ac8548e02d98f6a73f
  Author: Sosuke Suzuki <[email protected]>
  Date:   2026-06-13 (Sat, 13 Jun 2026)

  Changed paths:
    A JSTests/stress/regexp-search-strength-reduction-lastIndex-frozen-mid-execution.js
    A JSTests/stress/regexp-search-strength-reduction-lastIndex-not-writable.js
    M Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp
    M Source/JavaScriptCore/runtime/JSGlobalObject.cpp
    M Source/JavaScriptCore/runtime/JSGlobalObject.h
    M Source/JavaScriptCore/runtime/RegExpObject.cpp

  Log Message:
  -----------
  [JSC] DFG `RegExpSearch` constant folding drops `TypeError` for non-writable lastIndex
https://bugs.webkit.org/show_bug.cgi?id=316496

Reviewed by Yusuke Suzuki.

RegExp.prototype[@@search] writes lastIndex (it sets it to 0 and restores it
afterwards), so it throws a TypeError when lastIndex is not writable. The
RegExpSearch DFG node speculates on this, but constant folding in
DFGStrengthReductionPhase dropped that speculation: after tier-up, making
lastIndex non-writable returned a result instead of throwing. Reachable via
both String.prototype.search and RegExp.prototype[Symbol.search].

Fix this with a new watchpoint set on JSGlobalObject, fired by
RegExpObject::defineOwnProperty when a lastIndex is made non-writable. The
fold just registers the watchpoint, so the generated code is exactly the
same as before this change. If the watchpoint has already been invalidated,
the fold instead emits a runtime guard that stores lastIndex back to itself,
which exits when lastIndex is not writable.

Tests: JSTests/stress/regexp-search-strength-reduction-lastIndex-frozen-mid-execution.js
       JSTests/stress/regexp-search-strength-reduction-lastIndex-not-writable.js

* JSTests/stress/regexp-search-strength-reduction-lastIndex-frozen-mid-execution.js: Added.
(shouldBe):
(shouldThrow):
(search):
(benign):
(shouldThrow.search):
* JSTests/stress/regexp-search-strength-reduction-lastIndex-not-writable.js: Added.
(shouldBe):
(shouldThrow):
(stringSearch):
(symbolSearch):
(lateSearch):
(nonThrowingSearch):
* Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
* Source/JavaScriptCore/runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::JSGlobalObject):
* Source/JavaScriptCore/runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::regExpLastIndexWritableWatchpointSet):
* Source/JavaScriptCore/runtime/RegExpObject.cpp:
(JSC::RegExpObject::defineOwnProperty):

Canonical link: https://commits.webkit.org/315170@main
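
A stand-alone regression check for the behaviour the log message describes, added here as an illustration; it is not the content of the WebKit test files listed above. The function names, the `WARMUP` count and the sample regex are assumptions, and `lastIndex` starts non-zero because ECMAScript's `@@search` only writes `lastIndex` when it is not already 0.

```javascript
// Constructed regression check (not WebKit's test file). It warms up a search
// call site, makes lastIndex non-writable, and counts calls that fail to throw.
const WARMUP = 20000; // assumption: enough calls for an optimizing JIT tier

// The two entry points named in the commit message.
function stringSearch(re, s) { return s.search(re); }
function symbolSearch(re, s) { return re[Symbol.search](s); }

function makeRegExp() {
  const re = /b/;
  // Non-zero on purpose: ECMAScript's @@search only writes lastIndex
  // (reset to 0, then restore) when the current value is not already 0.
  re.lastIndex = 3;
  return re;
}

// Makes lastIndex non-writable halfway through a hot loop and reports the outcome.
function checkEntryPoint(searchFn) {
  const re = makeRegExp();
  const report = { wrongResult: 0, earlyThrow: 0, droppedTypeError: 0, restored: true };
  for (let i = 0; i < 2 * WARMUP; i++) {
    if (i === WARMUP) {
      report.restored = re.lastIndex === 3; // earlier calls restored the value
      Object.defineProperty(re, "lastIndex", { writable: false });
    }
    let result, threw = false;
    try {
      result = searchFn(re, "abc");
    } catch (e) {
      if (!(e instanceof TypeError)) throw e; // anything else is a harness bug
      threw = true;
    }
    if (i < WARMUP) {
      if (threw) report.earlyThrow++;
      else if (result !== 1) report.wrongResult++;
    } else if (!threw) {
      report.droppedTypeError++; // the regression: a result instead of TypeError
    }
  }
  return report;
}

function runAll() {
  return { string: checkEntryPoint(stringSearch), symbol: checkEntryPoint(symbolSearch) };
}

console.log(JSON.stringify(runAll()));
```

A non-zero `droppedTypeError` for either entry point means the engine returned a match index where the specification requires a `TypeError`.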


