When appending a string to a constructor do not modify the constructor's original toString value.

wyrichte · wyrichte · commit c97139d2fa29 · 2019-05-15T11:10:12.000-07:00
diff --git a/lib/Runtime/Math/JavascriptMath.cpp b/lib/Runtime/Math/JavascriptMath.cpp
@@ -425,9 +425,14 @@ using namespace Js;
 
         Var JavascriptMath::AddLeftDead(Var aLeft, Var aRight, ScriptContext* scriptContext, JavascriptNumber *result)
         {
+            // Conservatively assume src1 is not dead until proven otherwise.
+            bool leftIsDead = false;
+
             JIT_HELPER_REENTRANT_HEADER(Op_AddLeftDead);
             if (JavascriptOperators::GetTypeId(aLeft) == TypeIds_String)
             {
+                leftIsDead = true;
+
                 JavascriptString* leftString = UnsafeVarTo<JavascriptString>(aLeft);
                 JavascriptString* rightString;
                 TypeId rightType = JavascriptOperators::GetTypeId(aRight);
@@ -471,7 +476,7 @@ using namespace Js;
             {
                 return JavascriptNumber::ToVarMaybeInPlace(JavascriptNumber::GetValue(aLeft) + JavascriptNumber::GetValue(aRight), scriptContext, result);
             }
-            return Add_FullHelper_Wrapper(aLeft, aRight, scriptContext, result, true);
+            return Add_FullHelper_Wrapper(aLeft, aRight, scriptContext, result, leftIsDead);
             JIT_HELPER_END(Op_AddLeftDead);
         }
 
diff --git a/test/Strings/constructorConcat.js b/test/Strings/constructorConcat.js
@@ -0,0 +1,20 @@
+//-------------------------------------------------------------------------------------------------------
+// Copyright (C) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
+//-------------------------------------------------------------------------------------------------------
+function f(arg) {
+    var i = 0;
+    while (i < 5) {
+        i++;
+        arg += "this_should_not_stay";
+    }
+}
+f("Hello");
+f(Int8Array);
+
+if (!Int8Array.toString().includes("this_should_not_stay")) {
+    WScript.Echo("Passed");
+}
+else {
+    WScript.Echo("FAILED");
+}
diff --git a/test/Strings/rlexe.xml b/test/Strings/rlexe.xml
@@ -268,4 +268,10 @@
       <compile-flags>-args summary -endargs</compile-flags>
     </default>
   </test>
+  <test>
+    <default>
+      <files>constructorConcat.js</files>
+      <compile-flags>-lic:1 -mic:1 -bgjit-</compile-flags>
+    </default>
+  </test>
 </regress-exe>

Original file line number	Diff line number	Diff line change
`@@ -425,9 +425,14 @@ using namespace Js;`
`425`	`425`
`426`	`426`	`Var JavascriptMath::AddLeftDead(Var aLeft, Var aRight, ScriptContext* scriptContext, JavascriptNumber *result)`
`427`	`427`	`{`
	`428`	`+ // Conservatively assume src1 is not dead until proven otherwise.`
	`429`	`+ bool leftIsDead = false;`
	`430`	`+`
`428`	`431`	`JIT_HELPER_REENTRANT_HEADER(Op_AddLeftDead);`
`429`	`432`	`if (JavascriptOperators::GetTypeId(aLeft) == TypeIds_String)`
`430`	`433`	`{`
	`434`	`+ leftIsDead = true;`
	`435`	`+`
`431`	`436`	`JavascriptString* leftString = UnsafeVarTo<JavascriptString>(aLeft);`
`432`	`437`	`JavascriptString* rightString;`
`433`	`438`	`TypeId rightType = JavascriptOperators::GetTypeId(aRight);`
`@@ -471,7 +476,7 @@ using namespace Js;`
`471`	`476`	`{`
`472`	`477`	`return JavascriptNumber::ToVarMaybeInPlace(JavascriptNumber::GetValue(aLeft) + JavascriptNumber::GetValue(aRight), scriptContext, result);`
`473`	`478`	`}`
`474`		`- return Add_FullHelper_Wrapper(aLeft, aRight, scriptContext, result, true);`
	`479`	`+ return Add_FullHelper_Wrapper(aLeft, aRight, scriptContext, result, leftIsDead);`
`475`	`480`	`JIT_HELPER_END(Op_AddLeftDead);`
`476`	`481`	`}`
`477`	`482`