Bug 255512
| Summary: | [JSC] StringConstructor constant function inlining is incorrect in case of [[Construct]] | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | EntryHi <entryhii> |
| Component: | JavaScriptCore | Assignee: | Alexey Shvayka <ashvayka> |
| Status: | RESOLVED FIXED | ||
| Severity: | Normal | CC: | ashvayka, cdumez, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | ||
| Hardware: | All | ||
| OS: | All | ||
EntryHi
*********************
function f1(a2,a3) {
const v5 = new String(a3);
print(v5)
return String;
}
const v8 = new Proxy(String, {"get": f1});
try {
v8["split"](v8);
} catch (e12) {}
*********************
With the above script as input to JSC, run JSC with the following parameters:
./jsc test.js --useConcurrentJIT=0 --jitPolicyScale=0
In LLInt(executing the above script with --jitPolicyScale=1), JSC throws an exception (symbol cannot convert into string), but in JIT, JSC doesn't throw any exception.
The problem may be in Node CallStringConstructor. When the parameter is a Symbol, DFG invoke asSymbol(argument)->descriptiveString instead of throwing an exception.
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Radar WebKit Bug Importer
<rdar://problem/108448272>
Alexey Shvayka
Pull request: https://github.com/WebKit/WebKit/pull/13987
EWS
Committed 264191@main (4c2728c1626b): <https://commits.webkit.org/264191@main>
Reviewed commits have been landed. Closing PR #13987 and removing active labels.