246275 2022-10-10 05:01:32 -0700 Array.prototype.indexOf constant-folding should account for non-numeric index 2022-11-11 15:14:39 -0800 1 1 1 Unclassified WebKit JavaScriptCore WebKit Nightly Build All All RESOLVED FIXED InRadar P2 Normal --- 1 entryhii ashvayka ashvayka mark.lam webkit-bug-importer ysuzuki oldest_to_newest 1904465 0 entryhii 2022-10-10 05:01:32 -0700 function func(a,c) { a[0] = 1.2; return a.indexOf('test', c) } noInline(func); var a = [1.1, 2.2]; for (var i = 0; i < 20; i++) { func(a, i); } func(a, { valueOf: () => { a[0] = {}; return 0; } }); print(a[0]) With the above script as input to JSC, run JSC with the following parameters: ./jsc test.js --useConcurrentJIT=0 --jitPolicyScale=0.1 The above js scripts should print [Object], but jsc wrongly prints 1.2. In DFGBytecodeParser, indexOf is inlined into ArrayIndexOf node instead of Call. In Fixup, ArrayIndexOf is converted to JSConstant node. So valueOf is no longer invoked. Thus, a[0]={} is not executed. 1906089 1 webkit-bug-importer 2022-10-17 05:02:17 -0700 <rdar://problem/101242631> 1910734 2 ashvayka 2022-11-07 03:48:19 -0800 Pull request: https://github.com/WebKit/WebKit/pull/6203 1911910 3 ews-feeder 2022-11-11 15:14:36 -0800 Committed 256590@main (77b468c0b1d1): <https://commits.webkit.org/256590@main> Reviewed commits have been landed. Closing PR #6203 and removing active labels.