function foo(a) { try { print(Number.prototype.toString.call(a)) } catch (e) { print("error") } } noInline(foo); for (var i = 0; i < 200; i++) { foo(10); foo(true); //throw an exception //foo(null); // throw an exception //foo(undefined); // throw an exception } With the above script as input to JSC, run JSC with the following parameters: ./jsc test.js --useConcurrentJIT=0 --jitPolicyScale=1 In interpreter, Number.prototype.toString throw an exception. However, in JIT, Number.prototype.toString does not throw an exception. DFG JIT uses DoubleRep node to ensure that the parameter of Number.prototype.toString is a number, if not, OSRExit should occur. However, undefined, null and true can pass the check of the DoubleRep node, no OSRExit occurs. These parameters are passed to toString, no exception is thrown.
<rdar://problem/99268958>
Hello, I am a PhD student majoring in computer security. Currently engaged in research related to JavaScript engine. I submitted 6 bugs to WebKit Bugmozilla three weeks ago. Currently only one has been confirmed to reply and commit. These bugs are very important to the results of my dissertation and whether I can graduate on time. Can I sincerely ask you to take time out of your busy schedule to confirm or reply. Thank you very much.
Pull request: https://github.com/WebKit/WebKit/pull/25090