Assertion failed under operationToLowerCase with a rope with zero length
https://bugs.webkit.org/show_bug.cgi?id=163314
Reviewed by Mark Lam.
JSTests:
* stress/to-lower-case-intrinsic-on-empty-rope.js: Added.
(assert):
(returnRope.helper):
(returnRope):
(lower):
Source/JavaScriptCore:
There are some ways to get JSC to create empty rope strings. ToLowerCase
inside the DFG/FTL goes to the slow path when the argument is a rope.
operationToLowerCase was calling into a WTF string function that
assumed we are passing it a this value that has non-zero length.
However, we were calling it with a string that did have zero length.
To fix this, we make operationToLowerCase return the empty JSString
if it is going to make a string with zero length.
* dfg/DFGOperations.cpp:
* jsc.cpp:
(GlobalObject::finishCreation):
(functionIsRope):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@207377 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/JavaScriptCore/dfg/DFGOperations.cpp b/Source/JavaScriptCore/dfg/DFGOperations.cpp
index c079f9a..fdf689d 100644
--- a/Source/JavaScriptCore/dfg/DFGOperations.cpp
+++ b/Source/JavaScriptCore/dfg/DFGOperations.cpp
@@ -1523,6 +1523,9 @@
const String& inputString = string->value(exec);
RETURN_IF_EXCEPTION(scope, nullptr);
+ if (!inputString.length())
+ return vm.smallStrings.emptyString();
+
String lowercasedString = inputString.is8Bit() ? inputString.convertToLowercaseWithoutLocaleStartingAtFailingIndex8Bit(failingIndex) : inputString.convertToLowercaseWithoutLocale();
if (lowercasedString.impl() == inputString.impl())
return string;
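Review bot: the new `if (!inputString.length())` early return carries no comment explaining why a zero-length string can reach this slow path or which callee precondition it protects, so a later cleanup could remove it as redundant. A one-line comment above the check would help. It should say that an empty rope resolves to a zero-length string here and that `convertToLowercaseWithoutLocaleStartingAtFailingIndex8Bit(failingIndex)` assumes a non-zero length. Since the commit message locates the assumption in the WTF string function itself, it is also worth checking whether other callers of that function can pass an empty string. If they can, handling the empty case inside the function would cover them all rather than only this call site.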