Commit c776223

gahaas authored and Commit Bot committed
[runtime] Fix flattening of ConsStrings with empty first parts.
String::SlowFlatten assumed that ConsStrings with empty first parts have flattened strings as their second part. TurboFan, however, can create ConsStrings with empty first parts and arbitrary second parts. With this CL we call String::Flatten on the second part of a ConsString if the first part is empty, but only when String::Flatten would not call String::SlowFlatten.

[email protected]
BUG=chromium:696651
Change-Id: I9acb681de1be695e1ec2f6f6d28b9e4dc4344e98
Reviewed-on: https://chromium-review.googlesource.com/448457
Commit-Queue: Andreas Haas <[email protected]>
Reviewed-by: Jakob Kummerow <[email protected]>
Cr-Commit-Position: refs/heads/master@{#43513}
1 parent 88c240b commit c776223

2 files changed: +32 -1 lines changed

src/objects.cc

Lines changed: 10 additions & 1 deletion
@@ -2463,7 +2463,16 @@ Handle<String> String::SlowFlatten(Handle<ConsString> cons,
24632463
DCHECK(cons->second()->length() != 0);
24642464

24652465
// TurboFan can create cons strings with empty first parts.
2466-
if (cons->first()->length() == 0) return handle(cons->second());
2466+
while (cons->first()->length() == 0) {
2467+
// We do not want to call this function recursively. Therefore we call
2468+
// String::Flatten only in those cases where String::SlowFlatten is not
2469+
// called again.
2470+
if (cons->second()->IsConsString() && !cons->second()->IsFlat()) {
2471+
cons = handle(ConsString::cast(cons->second()));
2472+
} else {
2473+
return String::Flatten(handle(cons->second()));
2474+
}
2475+
}
24672476

24682477
DCHECK(AllowHeapAllocation::IsAllowed());
24692478
Isolate* isolate = cons->GetIsolate();
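Review bot: In the new loop, the test `cons->second()->IsConsString() && !cons->second()->IsFlat()` is the only thing that keeps the `else` branch's `String::Flatten` call from re-entering `String::SlowFlatten`, and nothing ties it to the condition `String::Flatten` itself uses. The comment states the intent but not which check it mirrors; consider naming that dependency in the comment or sharing one predicate between the two functions, so a later change to `String::Flatten` cannot silently reintroduce the recursion. Separately, `cons = handle(ConsString::cast(cons->second()));` creates a fresh handle on every iteration, which is one handle per nesting level for a chain of empty-first cons strings; walking the chain and creating the handle once after the loop would avoid that.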
Lines changed: 22 additions & 0 deletions
@@ -0,0 +1,22 @@
1+
// Copyright 2017 the V8 project authors. All rights reserved.
2+
// Use of this source code is governed by a BSD-style license that can be
3+
// found in the LICENSE file.
4+
5+
// Flags: --allow-natives-syntax --turbo
6+
7+
function get_a() { return "aaaaaaaaaaaaaa"; }
8+
function get_b() { return "bbbbbbbbbbbbbb"; }
9+
10+
function get_string() {
11+
return get_a() + get_b();
12+
}
13+
14+
function prefix(s) {
15+
return s + get_string();
16+
}
17+
18+
prefix("");
19+
prefix("");
20+
%OptimizeFunctionOnNextCall(prefix);
21+
var s = prefix("");
22+
assertFalse(s === "aaaaaaaaaaaaaabbbbbbbbbbbbbc");
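Review bot: The final `assertFalse(s === "aaaaaaaaaaaaaabbbbbbbbbbbbbc")` compares against a literal ending in `c`, which the visible `get_a()` and `get_b()` can never produce, so the assertion holds whatever `s` contains and the test can only fail by crashing during the comparison. If the comparison is there purely to force the optimized result of `prefix("")` to be flattened, say so in a comment, and add a positive check such as `assertEquals(get_a() + get_b(), s)` so that a wrong flattened result is caught as well as a crash.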
