Bug 245463
| Summary: | JSC DFG Number.prototype.toString does not throw an exception when the parameter is Object | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | EntryHi <entryhii> |
| Component: | JavaScriptCore | Assignee: | Alexey Shvayka <ashvayka> |
| Status: | RESOLVED FIXED | ||
| Severity: | Normal | CC: | bfulgham, mark.lam, webkit-bug-importer, ysuzuki |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Local Build | ||
| Hardware: | PC | ||
| OS: | Linux | ||
EntryHi
let counta = 0, countb = 0
function foo(arg2) {
try {
Number.prototype.toString.call(arg2)
counta++
} catch (e) {
countb++
}
}
for (let i = 0; i < 1000; i++) {
foo({});
foo(i);
}
print(counta, countb)
With the above script as input to JSC, run JSC with the following parameters:
./jsc test.js --useConcurrentJIT=0
The correct value for counta should be 500, but actually it is not. In DFGBytecodeParser, NumberProtoFuncToString is converted to ToString. Thus, it does not throw an exception for Number.prototype.toString when the parameter is Object.
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Alexey Proskuryakov
*** Bug 245462 has been marked as a duplicate of this bug. ***
Radar WebKit Bug Importer
<rdar://problem/100494175>
Alexey Shvayka
Pull request: https://github.com/WebKit/WebKit/pull/5165
EWS
Committed 256086@main (c828d44d6aa2): <https://commits.webkit.org/256086@main>
Reviewed commits have been landed. Closing PR #5165 and removing active labels.