245462 2022-09-20 23:50:56 -0700 JSC DFG Number.prototype.toString does not throw an exception when the parameter is Object 2022-09-21 19:39:27 -0700 1 1 1 Unclassified WebKit JavaScriptCore WebKit Local Build PC Linux RESOLVED DUPLICATE 245463 P2 Normal --- 1 entryhii webkit-unassigned oldest_to_newest 1900039 0 entryhii 2022-09-20 23:50:56 -0700 let counta = 0, countb = 0 function foo(arg2) { try { Number.prototype.toString.call(arg2) counta++ } catch (e) { countb++ } } for (let i = 0; i < 1000; i++) { foo({}); foo(i); } print(counta, countb) With the above script as input to JSC, run JSC with the following parameters: ./jsc test.js --useConcurrentJIT=0 The correct value for counta should be 500, but actually it is not. In DFGBytecodeParser, NumberProtoFuncToString is converted to ToString. Thus, it does not throw an exception for Number.prototype.toString when the parameter is Object. 1900287 1 ap 2022-09-21 19:39:27 -0700 *** This bug has been marked as a duplicate of bug 245463 ***