RESOLVED WONTFIX 187092
Inconsistent output compared with other JS engines 
https://bugs.webkit.org/show_bug.cgi?id=187092
Summary Inconsistent output compared with other JS engines
sunlili
Reported Wednesday, June 27, 2018 2:05:21 PM UTC
Hello, The following code behaves strangely (inconsistent with other engines). v1 = new (Float64Array)(); v2 = { valueOf : function () { v3.y = "bar"; return 42; } }; v3 = v1; v3[0] = v2; print(JSON.stringify(v1)); In Safari, output is {"y":"bar"} However, in V8 and Firefox, output is {} BT group 2018.6.27
Attachments
Add attachment proposed patch, testcase, etc.
Yusuke Suzuki
Comment 1 Wednesday, July 11, 2018 4:44:46 AM UTC
For the reported issue, I think JSC's behavior is correct. According to https://tc39.github.io/ecma262/#sec-integerindexedelementset, which is invoked by TypedArray's [[Set]], we first perform `ToNumber(value)` at step 3 before checking length. So, v2.valueOf should be executed. And v3.y should be set. Then, I think SpiderMonkey and V8 are wrong for this code. BTW, when looking the code, I've found that JSC does not have length check on [[DefineOwnProperty]] side before performing ToNumber. I'll handle this case.
Alexey Shvayka
Comment 2 Sunday, June 7, 2020 6:01:52 PM UTC
(In reply to sunlili from comment #0) > However, in V8 and Firefox, output is > {} Both Chrome 85 and Firefox 79 output `{"y":"bar"}` now, just like Safari 13.1. test262 coverage: https://test262.report/browse/built-ins/TypedArrayConstructors/internals/Set/tonumber-value-throws.js (last test case).
Note You need to log in before you can comment on or make changes to this bug.