[maglev] add missing arg type check for string.prototype.startsWith

DevSDK · V8 LUCI CQ · commit 885a1ba4f4b1 · 2025-09-01T17:38:54.000-07:00
js-call-reducer only reduces string argument[1] but maglev consumes unsupported type like regexp. hence, we should check it and stop reduce if it is not valid type. [1] https://source.chromium.org/chromium/chromium/src/+/main:v8/src/compiler/js-call-reducer.cc;l=6995?q=src%2Fcompiler%2Fjs-call-reducer.cc Bug: 442086665 Change-Id: Ifadaa7008257df3fff61e3569489fc7033171a7c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6905506 Auto-Submit: Seokho Song <seokho@chromium.org> Commit-Queue: Seokho Song <seokho@chromium.org> Reviewed-by: Victor Gomes <victorgomes@chromium.org> Cr-Commit-Position: refs/heads/main@{#102173}
diff --git a/src/maglev/maglev-graph-builder.cc b/src/maglev/maglev-graph-builder.cc
@@ -9298,9 +9298,14 @@ MaybeReduceResult MaglevGraphBuilder::TryReduceStringPrototypeCodePointAt(
 MaybeReduceResult MaglevGraphBuilder::TryReduceStringPrototypeStartsWith(
     compiler::JSFunctionRef target, CallArguments& args) {
   if (!CanSpeculateCall()) return {};
-  ValueNode* receiver = GetValueOrUndefined(args.receiver());
+
   ValueNode* search_element =
-      BuildToString(GetValueOrUndefined(args[0]), ToString::kThrowOnSymbol);
+      args[0] ? args[0] : GetRootConstant(RootIndex::kundefined_string);
+
+  ValueNode* receiver = GetValueOrUndefined(args.receiver());
+
+  if (!NodeTypeIs(GetType(search_element), NodeType::kString)) return {};
+
   ValueNode* start_arg = GetValueOrUndefined(args[1]);
   ValueNode* start =
       IsUndefinedValue(start_arg) ? GetInt32Constant(0) : start_arg;
diff --git a/test/mjsunit/maglev/regress-442086665.js b/test/mjsunit/maglev/regress-442086665.js
@@ -0,0 +1,20 @@
+// Copyright 2025 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var __caught = 0;
+function foo() {
+  try {
+    "".startsWith(/a/);
+  } catch (e) {
+    __caught++;
+  }
+}
+
+%PrepareFunctionForOptimization(foo);
+foo();
+%OptimizeFunctionOnNextCall(foo);
+foo();
+assertEquals(__caught, 2);
