312672 2026-04-18 02:27:28 -0700 Array ToPrimitive Fast Path Ignores Object.prototype.valueOf Override 2026-05-11 14:14:03 -0700 1 1 1 Unclassified WebKit JavaScriptCore WebKit Nightly Build PC Linux RESOLVED FIXED InRadar P2 Normal --- 1 parkjuny webkit-unassigned webkit-bug-importer oldest_to_newest 2201827 0 479192 parkjuny 2026-04-18 02:27:28 -0700 Created attachment 479192 poc.js ## Summary `JSObject::toPrimitive` has a fast path for arrays that calls `fastToString()` directly, bypassing `OrdinaryToPrimitive`. The guard `isToPrimitiveFastAndNonObservable()` checks four watchpoints, none of which detect reassignment of `Object.prototype.valueOf`. The bug is a runtime C++ fast-path issue, uniform across all JIT tiers. The discrepancy is between arrays with original structure (fast path taken, wrong result) and arrays with a modified prototype (fast path skipped, correct result). ## Bug ### Summary When `isToPrimitiveFastAndNonObservable()` returns true, `JSObject::toPrimitive` (JSObject.cpp:2601–2604) calls `fastToString()` and returns early, ignoring `preferredType`. Replacing `Object.prototype.valueOf` with a function that returns a primitive does not cause any JSC structure transition (it is a value-slot update on a pre-existing writable property), so none of the four watchpoints fire. The fast path then incorrectly returns a join string instead of the `valueOf` result. ### Detail **Fast path (JSObject.cpp:2596–2604):** ```cpp JSValue JSObject::toPrimitive(JSGlobalObject* globalObject, PreferredPrimitiveType preferredType) const { VM& vm = globalObject->vm(); auto scope = DECLARE_THROW_SCOPE(vm); if (isJSArray(this)) { auto* array = jsCast<JSArray*>(const_cast<JSObject*>(this)); if (array->isToPrimitiveFastAndNonObservable()) [[likely]] RELEASE_AND_RETURN(scope, array->fastToString(globalObject)); } // falls through to ordinaryToPrimitive } ``` **Guard function (JSArray.cpp:1999–2013):** ```cpp bool JSArray::isToPrimitiveFastAndNonObservable() { JSGlobalObject* globalObject = this->realm(); if (!globalObject->arrayPrototypeChainIsSane()) [[unlikely]] return false; if (!globalObject->arrayToStringWatchpointSet().isStillValid()) [[unlikely]] return false; if (!globalObject->arraySymbolToPrimitiveWatchpointSet().isStillValid()) [[unlikely]] return false; if (!globalObject->arrayJoinWatchpointSet().isStillValid()) [[unlikely]] return false; Structure* structure = this->structure(); return globalObject->isOriginalArrayStructure(structure); } ``` Why `Object.prototype.valueOf = function() { return 42; }` is not detected: 1. **`arrayPrototypeChainIsSane`** — `ObjectAdaptiveStructureWatchpoint` installed via `ObjectPropertyCondition::absenceOfIndexedProperties` (JSGlobalObject.cpp:3296). Fires only on structure transitions (property additions/deletions). Reassigning an existing writable property's value is a value-slot update with no structure transition. 2. **`arrayToStringWatchpointSet`** — Watches `Array.prototype.toString` only (JSGlobalObject.cpp:2245). 3. **`arraySymbolToPrimitiveWatchpointSet`** — Watches for absence of `Symbol.toPrimitive` on `Array.prototype` / `Object.prototype` (JSGlobalObject.cpp:2275–2276). Unrelated to `valueOf`. 4. **`arrayJoinWatchpointSet`** — Watches `Array.prototype.join` only (JSGlobalObject.cpp:2244). JSC has `m_stringValueOfWatchpointSet` for `String.prototype.valueOf` (JSGlobalObject.cpp:2251), but no equivalent for `Object.prototype.valueOf`. ### Trigger Conditions 1. `Object.prototype.valueOf` is overridden to return a primitive. 2. Array has original structure (unmodified prototype chain). 3. An operation invokes ToPrimitive on the array (e.g., `+`, `==`, `<`, `-`). ## Version ### Reproduced Version - `main` branch latest commit (2026/04/18): `a4390137a403` ## Reproduction Case ### Release Build ```bash jsc poc.js ``` Result: ``` 1,2,3 42 ``` `arr` (fast path) produces `"1,2,3"` instead of `"42"`; `slowArr` (slow path) correctly returns `"42"`. ### PoC Code ```js Object.prototype.valueOf = function() { return 42; }; // arr: original structure → isToPrimitiveFastAndNonObservable() = true → fast path var arr = [1, 2, 3]; // slowArr: modified prototype → fast path skipped → ordinaryToPrimitive (correct) var slowArr = [1, 2, 3]; slowArr.__proto__ = Object.create(Array.prototype); print("" + arr); // 1,2,3 (bug: fast path ignores valueOf, should be "42") print("" + slowArr); // 42 (correct: slow path calls valueOf first) ``` ## Suggested Patch Add a watchpoint for `Object.prototype.valueOf`, mirroring `m_stringValueOfWatchpointSet`, and check it in `isToPrimitiveFastAndNonObservable()`. ```diff diff --git a/Source/JavaScriptCore/runtime/JSArray.cpp b/Source/JavaScriptCore/runtime/JSArray.cpp index 3bb3ce58fdf6..90f0a615d787 100644 --- a/Source/JavaScriptCore/runtime/JSArray.cpp +++ b/Source/JavaScriptCore/runtime/JSArray.cpp @@ -2007,6 +2007,8 @@ bool JSArray::isToPrimitiveFastAndNonObservable() return false; if (!globalObject->arrayJoinWatchpointSet().isStillValid()) [[unlikely]] return false; + if (!globalObject->objectPrototypeValueOfWatchpointSet().isStillValid()) [[unlikely]] + return false; Structure* structure = this->structure(); return globalObject->isOriginalArrayStructure(structure); diff --git a/Source/JavaScriptCore/runtime/JSGlobalObject.cpp b/Source/JavaScriptCore/runtime/JSGlobalObject.cpp index 160a40e9f15f..59c57c9d3888 100644 --- a/Source/JavaScriptCore/runtime/JSGlobalObject.cpp +++ b/Source/JavaScriptCore/runtime/JSGlobalObject.cpp @@ -2249,6 +2249,7 @@ capitalName ## Constructor* lowerName ## Constructor = featureFlag ? capitalName installObjectPropertyChangeAdaptiveWatchpoint(setupAdaptiveWatchpoint(this, m_stringPrototype.get(), vm.propertyNames->iteratorSymbol), m_stringIteratorProtocolWatchpointSet); installObjectPropertyChangeAdaptiveWatchpoint(setupAdaptiveWatchpoint(this, m_stringPrototype.get(), vm.propertyNames->toString), m_stringToStringWatchpointSet); installObjectPropertyChangeAdaptiveWatchpoint(setupAdaptiveWatchpoint(this, m_stringPrototype.get(), vm.propertyNames->valueOf), m_stringValueOfWatchpointSet); + installObjectPropertyChangeAdaptiveWatchpoint(setupAdaptiveWatchpoint(this, m_objectPrototype.get(), vm.propertyNames->valueOf), m_objectPrototypeValueOfWatchpointSet); installObjectPropertyChangeAdaptiveWatchpoint(setupAdaptiveWatchpoint(this, m_regExpPrototype.get(), vm.propertyNames->exec), m_regExpPrimordialPropertiesWatchpointSet); installObjectPropertyChangeAdaptiveWatchpoint(setupAdaptiveWatchpoint(this, m_regExpPrototype.get(), vm.propertyNames->flags), m_regExpPrimordialPropertiesWatchpointSet); installObjectPropertyChangeAdaptiveWatchpoint(setupAdaptiveWatchpoint(this, m_regExpPrototype.get(), vm.propertyNames->dotAll), m_regExpPrimordialPropertiesWatchpointSet); diff --git a/Source/JavaScriptCore/runtime/JSGlobalObject.h b/Source/JavaScriptCore/runtime/JSGlobalObject.h index 87ad406bd9a0..77c5dbba3848 100644 --- a/Source/JavaScriptCore/runtime/JSGlobalObject.h +++ b/Source/JavaScriptCore/runtime/JSGlobalObject.h @@ -530,6 +530,7 @@ public: InlineWatchpointSet m_numberToStringWatchpointSet { IsWatched }; InlineWatchpointSet m_stringToStringWatchpointSet { IsWatched }; InlineWatchpointSet m_stringValueOfWatchpointSet { IsWatched }; + InlineWatchpointSet m_objectPrototypeValueOfWatchpointSet { IsWatched }; InlineWatchpointSet m_structureCacheClearedWatchpointSet { IsWatched }; InlineWatchpointSet m_arrayBufferSpeciesWatchpointSet { ClearWatchpoint }; InlineWatchpointSet m_sharedArrayBufferSpeciesWatchpointSet { ClearWatchpoint }; @@ -584,6 +585,7 @@ public: InlineWatchpointSet& arraySymbolToPrimitiveWatchpointSet() LIFETIME_BOUND { return m_arraySymbolToPrimitiveWatchpointSet; } InlineWatchpointSet& stringToStringWatchpointSet() LIFETIME_BOUND { return m_stringToStringWatchpointSet; } InlineWatchpointSet& stringValueOfWatchpointSet() LIFETIME_BOUND { return m_stringValueOfWatchpointSet; } + InlineWatchpointSet& objectPrototypeValueOfWatchpointSet() LIFETIME_BOUND { return m_objectPrototypeValueOfWatchpointSet; } InlineWatchpointSet& regExpPrimordialPropertiesWatchpointSet() LIFETIME_BOUND { return m_regExpPrimordialPropertiesWatchpointSet; } InlineWatchpointSet& mapSetWatchpointSet() LIFETIME_BOUND { return m_mapSetWatchpointSet; } InlineWatchpointSet& setAddWatchpointSet() LIFETIME_BOUND { return m_setAddWatchpointSet; } ``` ### Credit Information Reporter credit: Junyoung Park (@candymate) of KAIST Hacking Lab 2202033 1 webkit-bug-importer 2026-04-19 13:22:15 -0700 <rdar://problem/175122250> 2204144 2 k_tamkun 2026-04-24 08:23:25 -0700 Pull request: https://github.com/WebKit/WebKit/pull/63524 2209843 3 ews-feeder 2026-05-11 14:14:01 -0700 Committed 313028@main (0c9e1d804a0f): <https://commits.webkit.org/313028@main> Reviewed commits have been landed. Closing PR #63524 and removing active labels. 479192 2026-04-18 02:27:28 -0700 2026-04-18 02:27:28 -0700 poc.js poc.js text/javascript 481 parkjuny T2JqZWN0LnByb3RvdHlwZS52YWx1ZU9mID0gZnVuY3Rpb24oKSB7IHJldHVybiA0MjsgfTsKCi8v IGFycjogb3JpZ2luYWwgc3RydWN0dXJlIOKGkiBpc1RvUHJpbWl0aXZlRmFzdEFuZE5vbk9ic2Vy dmFibGUoKSA9IHRydWUg4oaSIGZhc3QgcGF0aAp2YXIgYXJyID0gWzEsIDIsIDNdOwovLyBzbG93 QXJyOiBtb2RpZmllZCBwcm90b3R5cGUg4oaSIGZhc3QgcGF0aCBza2lwcGVkIOKGkiBvcmRpbmFy eVRvUHJpbWl0aXZlIChjb3JyZWN0KQp2YXIgc2xvd0FyciA9IFsxLCAyLCAzXTsKc2xvd0Fyci5f X3Byb3RvX18gPSBPYmplY3QuY3JlYXRlKEFycmF5LnByb3RvdHlwZSk7CgpwcmludCgiIiArIGFy cik7ICAgICAvLyAxLDIsMyAgKGJ1ZzogZmFzdCBwYXRoIGlnbm9yZXMgdmFsdWVPZiwgc2hvdWxk IGJlICI0MiIpCnByaW50KCIiICsgc2xvd0Fycik7IC8vIDQyICAgICAoY29ycmVjdDogc2xvdyBw YXRoIGNhbGxzIHZhbHVlT2YgZmlyc3QpCg==