[string] Remove invalid optimization in MaybeCallFunctionAtSymbol

The assumption behind this optimization was invalid. Even if the string's prototype is unchanged, the symbol could exist somewhere further up the prototype chain. GetProperty has been sped up significantly so it might be fine to just skip this fast path. An alternative would be to use a protector cell. Bug: v8:8357 Change-Id: Ia577107a58157350eb15780c02aa63d77e600637 Reviewed-on: https://chromium-review.googlesource.com/c/1301498 Commit-Queue: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Peter Marshall <petermarshall@chromium.org> Cr-Commit-Position: refs/heads/master@{#57038}
2018-10-26 15:58:40 +02:00 · 2018-10-26 15:58:40 +02:00 · 6f08b6471f
commit 6f08b6471f
parent 3421ad20d8
2 changed files with 32 additions and 24 deletions
--- a/src/builtins/builtins-string-gen.cc
+++ b/src/builtins/builtins-string-gen.cc
@ -1064,29 +1064,6 @@ void StringBuiltinsAssembler::MaybeCallFunctionAtSymbol(
  // Smis definitely don't have an attached symbol.
  GotoIf(TaggedIsSmi(object), &out);

-  Node* const object_map = LoadMap(object);
-
-  // Skip the slow lookup for Strings.
-  {
-    Label next(this);
-
-    GotoIfNot(IsStringInstanceType(LoadMapInstanceType(object_map)), &next);
-
-    Node* const native_context = LoadNativeContext(context);
-    Node* const initial_proto_initial_map = LoadContextElement(
-        native_context, Context::STRING_FUNCTION_PROTOTYPE_MAP_INDEX);
-
-    Node* const string_fun =
-        LoadContextElement(native_context, Context::STRING_FUNCTION_INDEX);
-    Node* const initial_map =
-        LoadObjectField(string_fun, JSFunction::kPrototypeOrInitialMapOffset);
-    Node* const proto_map = LoadMap(LoadMapPrototype(initial_map));
-
-    Branch(WordEqual(proto_map, initial_proto_initial_map), &out, &next);
-
-    BIND(&next);
-  }
-
  // Take the fast path for RegExps.
  // There's two conditions: {object} needs to be a fast regexp, and
  // {maybe_string} must be a string (we can't call ToString on the fast path
@ -1098,7 +1075,7 @@ void StringBuiltinsAssembler::MaybeCallFunctionAtSymbol(
    GotoIfNot(IsString(maybe_string), &slow_lookup);

    RegExpBuiltinsAssembler regexp_asm(state());
-    regexp_asm.BranchIfFastRegExp(context, object, object_map, &stub_call,
+    regexp_asm.BranchIfFastRegExp(context, object, LoadMap(object), &stub_call,
                                  &slow_lookup);

    BIND(&stub_call);
--- a/test/mjsunit/regress/regress-v8-8357.js
+++ b/test/mjsunit/regress/regress-v8-8357.js
@ -0,0 +1,31 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+const s = "Umbridge has been reading your mail, Harry."
+
+{
+  let monkey_called = false;
+  s.__proto__.__proto__[Symbol.replace] =
+    () => { monkey_called = true; };
+  s.replace(s);
+  assertTrue(monkey_called);
+}
+
+{
+  let monkey_called = false;
+  s.__proto__.__proto__[Symbol.search] =
+    () => { monkey_called = true; };
+  s.search(s);
+  assertTrue(monkey_called);
+}
+
+{
+  let monkey_called = false;
+  s.__proto__.__proto__[Symbol.match] =
+    () => { monkey_called = true; };
+  s.match(s);
+  assertTrue(monkey_called);
+}