Bug 248023
| Summary: | For-of should perform toPrimitive(done) in the interpreter before checking the iteration is done. | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | EntryHi <entryhii> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW | ||
| Severity: | Normal | CC: | mark.lam, webkit-bug-importer, ysuzuki |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Local Build | ||
| Hardware: | PC | ||
| OS: | Linux | ||
EntryHi
var it=0
var iterator_fn = new Proxy(function () {
}, {
apply() {
print('2')
return it;
}
});
var obj = new Proxy({}, {
get: function (target, name) {
it = obj;
print('1')
return iterator_fn;
}
});
for (var v of obj) {
print('3')
}
With the above script as input to JSC, run JSC with the following parameters:
./jsc test.js --useConcurrentJIT=0
According to ECMA, the correct result should be '12121', but JSC prints '121211'. I alse test the script in Safari, the result is alse '121211'. However, the result is '12121' in Google. If I set the JITPolicyScale to 0. JSC JIT will print '12121'.
The problem may be in LowLevelInterpreter64.asm. In op_iterator_next, m_done is JSValue from _llint_slow_path_iterator_next_get_done. In the scripts, m_done is a Proxy Object. This value should perform toPrimitive before btqnz, otherwise it will iterate one more time and print '1' wrongly.
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Radar WebKit Bug Importer
<rdar://problem/102640049>