[regexp] Ensure ToString(replaceValue) is called once in @@replace

@@replace should only call ToString(replaceValue) once. Prior to this
CL this was not the case when

1. the given regexp is fast
2. the replacement is not callable
3. and its string representation contains a '$'.

In such a situation we'd call ToString both in the RegExpReplace
builtin, and after bailing out again in the RegExpReplaceRT runtime
function.

The fix is to pass the result of ToString(replaceValue) to the runtime
function. ToString in RegExpReplaceRT will be a no-op since the value
is already guaranteed to be a string.

Bug: chromium:947822
Change-Id: I14b4932a5ee29e49de4c2131dc2e98b50d93da49
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1559739
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#60733}

src/builtins/builtins-regexp-gen.cc

@@ -2980,8 +2980,7 @@ TF_BUILTIN(RegExpReplace, RegExpBuiltinsAssembler) {
 
   CSA_ASSERT(this, IsFastRegExp(context, regexp));
 
-  Label checkreplacestring(this), if_iscallable(this),
-      runtime(this, Label::kDeferred);
+  Label checkreplacestring(this), if_iscallable(this);
 
   // 2. Is {replace_value} callable?
   GotoIf(TaggedIsSmi(replace_value), &checkreplacestring);
@@ -2991,8 +2990,9 @@ TF_BUILTIN(RegExpReplace, RegExpBuiltinsAssembler) {
   // 3. Does ToString({replace_value}) contain '$'?
   BIND(&checkreplacestring);
   {
-    TNode<String> const replace_string =
-        ToString_Inline(context, replace_value);
+    Label runtime(this, Label::kDeferred);
+
+    TNode<String> replace_string = ToString_Inline(context, replace_value);
 
     // ToString(replaceValue) could potentially change the shape of the RegExp
     // object. Recheck that we are still on the fast path and bail to runtime
@@ -3003,15 +3003,23 @@ TF_BUILTIN(RegExpReplace, RegExpBuiltinsAssembler) {
       BIND(&next);
     }
 
-    TNode<String> const dollar_string = HeapConstant(
+    TNode<String> dollar_string = HeapConstant(
         isolate()->factory()->LookupSingleCharacterStringFromCode('$'));
-    TNode<Smi> const dollar_ix =
+    TNode<Smi> dollar_ix =
         CAST(CallBuiltin(Builtins::kStringIndexOf, context, replace_string,
                          dollar_string, SmiZero()));
     GotoIfNot(SmiEqual(dollar_ix, SmiConstant(-1)), &runtime);
 
     Return(
         ReplaceSimpleStringFastPath(context, regexp, string, replace_string));
+
+    BIND(&runtime);
+    {
+      // Pass in replace_string (instead of replace_value) to avoid calling
+      // ToString(replace_value) twice.
+      Return(CallRuntime(Runtime::kRegExpReplaceRT, context, regexp, string,
+                         replace_string));
+    }
   }
 
   // {regexp} is unmodified and {replace_value} is callable.
@@ -3032,10 +3040,6 @@ TF_BUILTIN(RegExpReplace, RegExpBuiltinsAssembler) {
     Return(CallRuntime(Runtime::kStringReplaceNonGlobalRegExpWithFunction,
                        context, string, regexp, replace_fn));
   }
-
-  BIND(&runtime);
-  Return(CallRuntime(Runtime::kRegExpReplaceRT, context, regexp, string,
-                     replace_value));
 }
 
 class RegExpStringIteratorAssembler : public RegExpBuiltinsAssembler {

test/mjsunit/regress/regress-947822.js

@@ -0,0 +1,18 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+let cnt = 0;
+const re = /x/y;
+const replacement = {
+  toString: () => {
+    cnt++;
+    if (cnt == 2) {
+      re.lastIndex = { valueOf: () => { re.x = -1073741825; return 7; }};
+    }
+    return 'y$';
+  }
+};
+
+const str = re[Symbol.replace]("x", replacement);
+assertEquals(str, "y$");