Bug 230804

Summary:

The DFG/FTL need to be aware that Proxy's can produce "function" for typeof and might be callable

Product:

WebKit

Reporter:

Lukas Bernhard <lukas.bernhard>

Component:

JavaScriptCore

Assignee:

Saam Barati <saam>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

bfulgham, ews-watchlist, keith_miller, mark.lam, msaboff, product-security, saam, tzagallo, webkit-bug-importer, ysuzuki

Priority:

Keywords:

InRadar

Version:

WebKit Local Build

Hardware:

OS:

Linux

Attachments:

Description	Flags
patch	none
patch	none

Lukas Bernhard

Reported 2021-09-26 02:05:29 PDT

Differential testing identifies the following samples to trigger a miscomputation in FTL. Tested on 29c8d02c3b11c096cc67d89e5cfe8c16be42b3b7 (Fri Sep 24 09:39:18 2021 +0000) ./Release/bin/jsc --validateOptions=true --useConcurrentJIT=false --useConcurrentGC=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --validateBCE=true --useFTLJIT=true diff.js function main() { let v162; const v25 = {__proto__:"name"}; for (let v113 = 0; v113 < 255; v113++) { const v141 = new Proxy(Object,v25); const v145 = v141["bind"](); // when running with FTL, the previous line raises a JS exception: // TypeError: |this| is not a function inside Function.prototype.bind // without FTL or in v8 this doesn't throw. } } main();

Attachments
patch (8.22 KB, patch) 2021-09-29 18:17 PDT, Saam Barati	no flags	Details Formatted Diff Diff
patch (8.62 KB, patch) 2021-09-29 18:25 PDT, Saam Barati	no flags	Details Formatted Diff Diff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.