Bug 244190
| Summary: | JSC DFG Number.prototype.toString should throw an exception when the parameter is undefined, null or true | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | EntryHi <entryhii> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW | ||
| Severity: | Normal | CC: | saam, webkit-bug-importer, ysuzuki |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Local Build | ||
| Hardware: | PC | ||
| OS: | Linux | ||
EntryHi
function foo(a) {
try {
print(Number.prototype.toString.call(a))
} catch (e) {
print("error")
}
}
noInline(foo);
for (var i = 0; i < 200; i++) {
foo(10);
foo(true); //throw an exception
//foo(null); // throw an exception
//foo(undefined); // throw an exception
}
With the above script as input to JSC, run JSC with the following parameters:
./jsc test.js --useConcurrentJIT=0 --jitPolicyScale=1
In interpreter, Number.prototype.toString throw an exception. However, in JIT, Number.prototype.toString does not throw an exception.
DFG JIT uses DoubleRep node to ensure that the parameter of Number.prototype.toString is a number, if not, OSRExit should occur.
However, undefined, null and true can pass the check of the DoubleRep node, no OSRExit occurs. These parameters are passed to toString, no exception is thrown.
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Radar WebKit Bug Importer
<rdar://problem/99268958>
EntryHi
Hello, I am a PhD student majoring in computer security. Currently engaged in research related to JavaScript engine. I submitted 6 bugs to WebKit Bugmozilla three weeks ago. Currently only one has been confirmed to reply and commit. These bugs are very important to the results of my dissertation and whether I can graduate on time. Can I sincerely ask you to take time out of your busy schedule to confirm or reply. Thank you very much.
Sosuke Suzuki
Pull request: https://github.com/WebKit/WebKit/pull/25090