Bug 285179

Summary:	[JSC] Retry with SlowPutArrayStorage properly
Product:	WebKit	Reporter:	EntryHi <entryhii>
Component:	JavaScriptCore	Assignee:	Yusuke Suzuki <ysuzuki>
Status:	RESOLVED FIXED
Severity:	Normal	CC:	mark.lam, webkit-bug-importer, ysuzuki
Priority:	P2	Keywords:	InRadar
Version:	WebKit Nightly Build
Hardware:	PC
OS:	Linux

EntryHi

Reported 2024-12-26 19:29:20 PST

Hello, I found a bug in JavaScriptCore. The PoC is shown as below: ========================poc.js============ class C31 { constructor(a33) { a33[536870912] = 2; for (const v38 in a33) { print(v38); } } } Object.defineProperty(C31.__proto__, 536870912, { enumerable: true, value: {}}); new C31(C31); new C31(C31); new C31(C31); new C31(Map); ======================================== Reproduce bug: Step 1: ./jsc poc.js --useConcurrentJIT=0 --jitPolicyScale=0 Step 2: ./jsc poc.js --useConcurrentJIT=0 --jitPolicyScale=1 The result of Step 1: 536870912 536870912 536870912 Exception: TypeError: Attempted to assign to readonly property. C31@poc.js:3:8 global code@poc.js:13:8 The result of Step 2: 536870912 536870912 536870912 536870912 V8 throw an exception in the first new operation which is also diffrent from that in Step 1 or Step 2.

Attachments
Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2025-01-02 19:30:14 PST

<rdar://problem/142297349>

Yusuke Suzuki

Comment 2 2025-01-14 16:04:37 PST

Pull request: https://github.com/WebKit/WebKit/pull/39034

EWS

Comment 3 2025-01-14 17:27:42 PST

Committed 288905@main (5aa0914c99ba): <https://commits.webkit.org/288905@main> Reviewed commits have been landed. Closing PR #39034 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.