Bug 284615
| Summary: | Baseline JIT cannot check iterator result interface correctly. | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | EntryHi <entryhii> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED DUPLICATE | ||
| Severity: | Normal | CC: | mark.lam, webkit-bug-importer, ysuzuki |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | ||
| Hardware: | PC | ||
| OS: | Linux | ||
EntryHi
Hello, I found a bug related to iterators in the baseline JIT.
=================poc.js======================
function f44() {
    return 1n;
}
const v91 = [];
class C92 {
    n() {
        let [] = v91;
    }
}
const v96 = new C92();
const v97 = {};
v97[Symbol.iterator] = f44;
v91.__proto__ = v97;
try {
    v96.n();
    print(123)
} catch (e) {
    print(e)
}
============================================
Reproduce bug: ./jsc -f poc.js --useConcurrentJIT=0 --jitPolicyScale=0 --useDFGJIT=0
The result of JSC is shown below:
123
The correct result should be:
TypeError: Iterator result interface is not an object.
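A regression check for the behaviour reported above, as an added example that is not part of the original report or of WebKit's own tests. It goes beyond the report's empty-pattern case to other syntax forms and other non-object return values, all of which must throw TypeError under the iterator protocol; the names NON_OBJECTS, FORMS, makeIterable, firstMissedThrow and runAll and the iteration count are assumptions of this example.

```javascript
// Added regression check; not from the bug report or WebKit's test suite.
// Constructed sample values: none is an Object, so GetIterator must throw.
const NON_OBJECTS = [1n, 1, "s", true, Symbol("s"), undefined, null];

// Array whose Symbol.iterator is inherited from its prototype and returns
// `value`, mirroring the object shape used in the report's poc.js.
function makeIterable(value) {
  const arr = [];
  const proto = {};
  proto[Symbol.iterator] = function () { return value; };
  Object.setPrototypeOf(arr, proto);
  return arr;
}

// Syntax forms that all obtain an iterator from their operand.
const FORMS = {
  emptyPattern: (it) => { let [] = it; },
  elementPattern: (it) => { let [a] = it; return a; },
  spread: (it) => [...it],
  forOf: (it) => { for (const x of it) return x; },
};

// Calls one form repeatedly so later calls can run in a higher JIT tier.
// Returns the first iteration that did not throw TypeError, or -1 if all did.
function firstMissedThrow(form, value, iterations) {
  for (let i = 0; i < iterations; i++) {
    try {
      form(makeIterable(value));
      return i; // completed normally: the object check was skipped
    } catch (e) {
      if (!(e instanceof TypeError)) return i; // wrong error type
    }
  }
  return -1;
}

// Returns a list of "form / value kind @ iteration" strings; empty means pass.
function runAll(iterations = 2000) {
  const failures = [];
  for (const [name, form] of Object.entries(FORMS)) {
    for (const value of NON_OBJECTS) {
      const at = firstMissedThrow(form, value, iterations);
      const kind = value === null ? "null" : typeof value;
      if (at !== -1) failures.push(`${name} / ${kind} @ iteration ${at}`);
    }
  }
  return failures;
}
```

Under the jsc shell, call `print(runAll())` with the same flags as the report's reproduce line; an empty list means every case threw TypeError.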
Radar WebKit Bug Importer
<rdar://problem/141807665>
Yusuke Suzuki
Thanks! Fixed in bug 291362
*** This bug has been marked as a duplicate of bug 291362 ***