| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | The DFG/FTL need to be aware that Proxies can produce "function" for typeof and might be callable | | |
| Product: | WebKit | Reporter: | Lukas Bernhard <lukas.bernhard> |
| Component: | JavaScriptCore | Assignee: | Saam Barati <saam> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | bfulgham, ews-watchlist, keith_miller, mark.lam, msaboff, product-security, saam, tzagallo, webkit-bug-importer, ysuzuki |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Local Build | | |
| Hardware: | PC | | |
| OS: | Linux | | |
*** Bug 231002 has been marked as a duplicate of this bug. ***

Created attachment 439687: patch

Created attachment 439689: patch

Comment on attachment 439689 (patch): r=me

Committed r283332 (242353@main): <https://commits.webkit.org/242353@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 439689.
Differential testing identifies the following samples to trigger a miscomputation in FTL. Tested on 29c8d02c3b11c096cc67d89e5cfe8c16be42b3b7 (Fri Sep 24 09:39:18 2021 +0000):

```sh
./Release/bin/jsc --validateOptions=true --useConcurrentJIT=false --useConcurrentGC=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --validateBCE=true --useFTLJIT=true diff.js
```

diff.js:

```js
function main() {
  let v162;
  // `__proto__: "name"` is ignored in an object literal (the value is not an
  // object or null), so v25 is simply an empty handler with no traps.
  const v25 = {__proto__:"name"};
  for (let v113 = 0; v113 < 255; v113++) {
    // Proxy over a callable target: typeof v141 is "function" and it is callable.
    const v141 = new Proxy(Object,v25);
    // "bind" is forwarded to Function.prototype.bind and called with the proxy as |this|.
    const v145 = v141["bind"]();
    // when running with FTL, the previous line raises a JS exception:
    // TypeError: |this| is not a function inside Function.prototype.bind
    // without FTL or in v8 this doesn't throw.
  }
}
main();
```
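As an added example (not part of the report or of the WebKit patch), here is the ECMAScript behaviour the JIT tiers must preserve, written as an engine-independent regression check: typeof of a Proxy follows its target's callability, bind looked up through such a proxy must succeed, and the reproducer's handler literal is just an empty handler. Function names are my own.

```javascript
"use strict";

// Constructed regression check: the ECMAScript typeof operator yields
// "function" for a Proxy exactly when its target is callable, and such a
// proxy is a valid |this| for Function.prototype.bind. A JIT tier that assumes
// "a Proxy is never a function" miscompiles exactly this case.

// In an object literal, `__proto__: value` only sets the prototype when the
// value is an object or null. A string is ignored, so the reproducer's
// handler `{__proto__: "name"}` is an empty handler with Object.prototype.
function handlerFromReproducer() {
  const handler = { __proto__: "name" };
  return Object.getPrototypeOf(handler) === Object.prototype;
}

// typeof on a proxy is decided by the target, not by the Proxy wrapper.
function proxyTypeofs() {
  return {
    overFunction: typeof new Proxy(Object, {}),
    overObject: typeof new Proxy({}, {}),
    overArrow: typeof new Proxy(() => 1, {}),
  };
}

// Mirrors the reproducer: "bind" is forwarded through the proxy to
// Function.prototype.bind, which is then called with the proxy as |this|.
// IsCallable(proxy) is true because the target is callable, so bind must
// succeed. The loop is warm enough for a tiering JIT to compile it.
function bindThroughProxy(iterations = 255) {
  let bound = null;
  for (let i = 0; i < iterations; i++) {
    const p = new Proxy(Object, {});
    bound = p["bind"]();              // must not throw a TypeError
  }
  // The bound function calls the proxy, which forwards to Object(arg).
  const arg = {};
  return { isFunction: typeof bound === "function", callable: bound(arg) === arg };
}

// The non-callable counterpart: bind over a proxy of a plain object must
// throw TypeError, because that proxy is not callable.
function bindOverNonCallableThrows() {
  try {
    Function.prototype.bind.call(new Proxy({}, {}));
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```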