Bug 187092
| Summary: | Inconsistent output compared with other JS engines | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | sunlili |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED WONTFIX | ||
| Severity: | Normal | CC: | ashvayka, ysuzuki |
| Priority: | P2 | ||
| Version: | WebKit Local Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
sunlili
Hello,
The following code behaves strangely (inconsistent with other engines).
v1 = new (Float64Array)();
v2 = {
valueOf : function () {
v3.y = "bar";
return 42; }
};
v3 = v1;
v3[0] = v2;
print(JSON.stringify(v1));
In Safari, output is
{"y":"bar"}
However, in V8 and Firefox, output is
{}
BT group
2018.6.27
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Yusuke Suzuki
For the reported issue, I think JSC's behavior is correct.
According to https://tc39.github.io/ecma262/#sec-integerindexedelementset, which is invoked by TypedArray's [[Set]],
we first perform `ToNumber(value)` at step 3 before checking length.
So, v2.valueOf should be executed. And v3.y should be set. Then, I think SpiderMonkey and V8 are wrong for this code.
BTW, when looking the code, I've found that JSC does not have length check on [[DefineOwnProperty]] side before performing ToNumber.
I'll handle this case.
Alexey Shvayka
(In reply to sunlili from comment #0)
> However, in V8 and Firefox, output is
> {}
Both Chrome 85 and Firefox 79 output `{"y":"bar"}` now, just like Safari 13.1.
test262 coverage: https://test262.report/browse/built-ins/TypedArrayConstructors/internals/Set/tonumber-value-throws.js (last test case).