Fix unsafe lowering of fast path for String.charAt: we optimistically load a cached value into the result operand. But if the cached value is null, we'll have to call a helper to complete the operation, and if the result operand and string source have the same symbol, then we have overwritten the string we pass to the helper with null. Use a temp in such a case and copy it to the result operand only if it is non-null.

pleath · pleath · commit 996d35a01f3b · 2016-09-09T18:32:00.000-07:00
diff --git a/lib/Backend/LowerMDShared.cpp b/lib/Backend/LowerMDShared.cpp
@@ -5700,6 +5700,15 @@ bool LowererMD::GenerateFastCharAt(Js::BuiltinFunction index, IR::Opnd *dst, IR:
     insertInstr->InsertBefore(instr);
     if (index == Js::BuiltinFunction::String_CharAt)
     {
+        IR::RegOpnd *resultOpnd;
+        if (dst->IsEqual(srcStr))
+        {
+            resultOpnd = IR::RegOpnd::New(TyVar, this->m_func);
+        }
+        else
+        {
+            resultOpnd = dst;
+        }
         this->m_lowerer->GenerateGetSingleCharString(charReg, dst, labelHelper, doneLabel, insertInstr, false);
     }
     else
diff --git a/lib/Backend/arm/LowerMD.cpp b/lib/Backend/arm/LowerMD.cpp
@@ -6852,6 +6852,15 @@ bool LowererMD::GenerateFastCharAt(Js::BuiltinFunction index, IR::Opnd *dst, IR:
 
     if (index == Js::BuiltinFunction::String_CharAt)
     {
+        IR::RegOpnd *resultOpnd;
+        if (dst->IsEqual(srcStr))
+        {
+            resultOpnd = IR::RegOpnd::New(TyVar, this->m_func);
+        }
+        else
+        {
+            resultOpnd = dst;
+        }
         this->m_lowerer->GenerateGetSingleCharString(charResult, dst, labelHelper, labelDone, insertInstr, false);
     }
     else
