WebKit Bugzilla
NEW
244190
JSC DFG Number.prototype.toString should throw an exception when the parameter is undefined, null or true
https://bugs.webkit.org/show_bug.cgi?id=244190
EntryHi
Reported
2022-08-22 02:42:19 PDT
function foo(a) {
    try {
        print(Number.prototype.toString.call(a))
    } catch (e) {
        print("error")
    }
}
noInline(foo);
for (var i = 0; i < 200; i++) {
    foo(10);
    foo(true); //throw an exception
    //foo(null); // throw an exception
    //foo(undefined); // throw an exception
}

With the above script as input to JSC, run JSC with the following parameters:

./jsc test.js --useConcurrentJIT=0 --jitPolicyScale=1

In the interpreter, Number.prototype.toString throws an exception. However, in the JIT, Number.prototype.toString does not throw an exception. The DFG JIT uses a DoubleRep node to ensure that the parameter of Number.prototype.toString is a number; if not, an OSRExit should occur. However, undefined, null and true can pass the check of the DoubleRep node, so no OSRExit occurs. These parameters are passed to toString, and no exception is thrown.
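A regression check built on the report above, as an added example that is not part of the original report or of WebKit's own tests: it generalizes the reporter's script to all three receivers plus two controls, and flags the first iteration at which the result stops matching the first call. The function names, the control cases and the iteration count are assumptions chosen for illustration.

```javascript
// Added example (not from the bug report): tier-consistency check.
// ECMAScript requires Number.prototype.toString to throw TypeError unless
// `this` is a Number primitive or a Number wrapper object.

// Classify one call as "ok:<string>" or "throw:<ErrorName>".
function outcome(receiver) {
  try {
    return "ok:" + Number.prototype.toString.call(receiver);
  } catch (e) {
    return "throw:" + (e instanceof Error ? e.name : typeof e);
  }
}

// Repeat the call so the engine can tier up; return the first iteration whose
// result differs from the first (lowest-tier) result, or null if none does.
function firstDivergence(receiver, iterations) {
  const baseline = outcome(receiver);
  for (let i = 1; i < iterations; i++) {
    outcome(10); // as in the report: profile the call site with a real number
    const current = outcome(receiver);
    if (current !== baseline) return { iteration: i, baseline, current };
  }
  return null;
}

// Constructed cases: the three receivers from the report plus two controls.
function checkReceivers(iterations = 2000) {
  const cases = [
    { name: "true", value: true, expected: "throw:TypeError" },
    { name: "null", value: null, expected: "throw:TypeError" },
    { name: "undefined", value: undefined, expected: "throw:TypeError" },
    { name: "10", value: 10, expected: "ok:10" },
    { name: "new Number(10)", value: new Number(10), expected: "ok:10" },
  ];
  return cases.map(({ name, value, expected }) => {
    const baseline = outcome(value);
    const divergence = firstDivergence(value, iterations);
    return { name, expected, baseline, divergence,
             pass: baseline === expected && divergence === null };
  });
}

// `print` exists in the jsc shell; fall back to console.log elsewhere.
const log = typeof print === "function" ? print : console.log;
for (const r of checkReceivers()) {
  log((r.pass ? "PASS " : "FAIL ") + r.name + " -> " + r.baseline +
      (r.divergence ? " (changed at iteration " + r.divergence.iteration + ")" : ""));
}
```

Under jsc, run it with the parameters given in the report (`--useConcurrentJIT=0 --jitPolicyScale=1`); a FAIL line with a "changed at iteration" suffix means a later call disagreed with the first one.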
Radar WebKit Bug Importer
Comment 1
2022-08-29 02:43:34 PDT
<rdar://problem/99268958>
EntryHi
Comment 2
2022-09-11 20:05:12 PDT
Hello, I am a PhD student majoring in computer security. I am currently engaged in research related to JavaScript engines. I submitted 6 bugs to WebKit Bugzilla three weeks ago. Currently, only one has been confirmed to reply and commit. These bugs are very important to the results of my dissertation and whether I can graduate on time. Can I sincerely ask you to take time out of your busy schedule to confirm or reply? Thank you very much.
Sosuke Suzuki
Comment 3
2024-02-26 01:03:23 PST
Pull request:
https://github.com/WebKit/WebKit/pull/25090