🦋 Changeset detected

Latest commit: 56b6dc9

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 2 committers have signed the CLA.

✅ kdy1
❌ github-actions[bot]
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

Merging this PR will not alter performance

✅ 219 untouched benchmarks

_{Comparing claude/issue-11719-20260320-1545 (56b6dc9) with main (f21d336)}

Binary Sizes

Commit: 411d6ad

PR Review: make eat_byte unsafe to prevent UTF-8 boundary violation

Summary

This PR fixes a soundness bug (#11719) where Input::eat_byte could be called with a non-ASCII byte, splitting a multi-byte UTF-8 sequence and violating &str invariants (triggering UB under Miri). The fix makes eat_byte an unsafe fn and wraps all call sites in unsafe blocks with safety comments.

Feedback

Correctness: Looks good. The core fix is sound — all existing call sites pass ASCII byte literals (b'=', b'>', b'*', etc.), so the safety invariant holds at every call site. The safety documentation on the trait method clearly states the precondition (c <= 0x7F).

Consider adding a debug_assert!: While making the function unsafe documents the contract, adding debug_assert!(c <= 0x7F) inside eat_byte (both the trait default and the StringInput override) would catch misuse during development at zero cost in release builds. This is a common pattern for unsafe functions with numeric preconditions.

unsafe fn eat_byte(&mut self, c: u8) -> bool {
    debug_assert!(c <= 0x7F, "eat_byte called with non-ASCII byte: {:#x}", c);
    // ...
}

Alternative design consideration: Another approach would be to keep eat_byte safe but accept a newtype like AsciiByte that can only be constructed from ASCII values, making misuse a compile-time error rather than a safety contract. This would avoid spreading unsafe across ~30 call sites. However, the maintainer explicitly requested the unsafe approach in the issue, so this is just a note for future consideration.

Minor nit — comment alignment in crates/swc_ecma_parser/src/lexer/mod.rs:2122:

        self.bump(1); // first `?`
                      // Safety: b'?' and b'=' are ASCII.

The safety comment is oddly aligned as a continuation of the // first ? comment on the previous line. Should be on its own line above the if:

        self.bump(1); // first `?`
        // Safety: b'?' and b'=' are ASCII.
        if unsafe { self.input_mut().eat_byte(b'?') } {

Changeset: Marked as major for swc_common, which is correct since this is a breaking change to a public trait method signature.

Performance: CodSpeed shows a slight improvement (+2.07% on one benchmark), no regressions. The unsafe blocks don't change the generated code — the function was already doing the same unchecked operations internally.

Test coverage: The original PoC from the issue demonstrates the bug. The existing test suite passes. Since the fix is purely a signature change (moving the safety burden to callers), the existing lexer tests adequately cover the affected code paths. No new tests needed.

Verdict

LGTM with the minor suggestions above (debug_assert, comment alignment). The fix is correct, minimal, and well-documented.