Bug 246275
| Summary: | Array.prototype.indexOf constant-folding should account for non-numeric index | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | EntryHi <entryhii> |
| Component: | JavaScriptCore | Assignee: | Alexey Shvayka <ashvayka> |
| Status: | RESOLVED FIXED | ||
| Severity: | Normal | CC: | ashvayka, mark.lam, webkit-bug-importer, ysuzuki |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | ||
| Hardware: | All | ||
| OS: | All | ||
EntryHi
function func(a,c) {
a[0] = 1.2;
return a.indexOf('test', c)
}
noInline(func);
var a = [1.1, 2.2];
for (var i = 0; i < 20; i++) {
func(a, i);
}
func(a, {
valueOf: () => {
a[0] = {};
return 0;
}
});
print(a[0])
With the above script as input to JSC, run JSC with the following parameters:
./jsc test.js --useConcurrentJIT=0 --jitPolicyScale=0.1
The above js scripts should print [Object], but jsc wrongly prints 1.2.
In DFGBytecodeParser, indexOf is inlined into ArrayIndexOf node instead of Call. In Fixup, ArrayIndexOf is converted to JSConstant node.
So valueOf is no longer invoked. Thus, a[0]={} is not executed.
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Radar WebKit Bug Importer
<rdar://problem/101242631>
Alexey Shvayka
Pull request: https://github.com/WebKit/WebKit/pull/6203
EWS
Committed 256590@main (77b468c0b1d1): <https://commits.webkit.org/256590@main>
Reviewed commits have been landed. Closing PR #6203 and removing active labels.