| Summary: | JSC DFG Number.prototype.toString should throw an exception when the parameter is undefined, null or true | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | EntryHi <entryhii> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW --- | ||
| Severity: | Normal | CC: | saam, webkit-bug-importer, ysuzuki |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Local Build | ||
| Hardware: | PC | ||
| OS: | Linux | ||
Hello, I am a PhD student majoring in computer security. Currently engaged in research related to JavaScript engine. I submitted 6 bugs to WebKit Bugmozilla three weeks ago. Currently only one has been confirmed to reply and commit. These bugs are very important to the results of my dissertation and whether I can graduate on time. Can I sincerely ask you to take time out of your busy schedule to confirm or reply. Thank you very much. Pull request: https://github.com/WebKit/WebKit/pull/25090 |
function foo(a) { try { print(Number.prototype.toString.call(a)) } catch (e) { print("error") } } noInline(foo); for (var i = 0; i < 200; i++) { foo(10); foo(true); //throw an exception //foo(null); // throw an exception //foo(undefined); // throw an exception } With the above script as input to JSC, run JSC with the following parameters: ./jsc test.js --useConcurrentJIT=0 --jitPolicyScale=1 In interpreter, Number.prototype.toString throw an exception. However, in JIT, Number.prototype.toString does not throw an exception. DFG JIT uses DoubleRep node to ensure that the parameter of Number.prototype.toString is a number, if not, OSRExit should occur. However, undefined, null and true can pass the check of the DoubleRep node, no OSRExit occurs. These parameters are passed to toString, no exception is thrown.