Bug 245462: RESOLVED DUPLICATE of bug 245463
JSC DFG Number.prototype.toString does not throw an exception when the parameter is Object
https://bugs.webkit.org/show_bug.cgi?id=245462
EntryHi
Reported 2022-09-20 23:50:56 PDT
let counta = 0, countb = 0
function foo(arg2) {
    try {
        Number.prototype.toString.call(arg2)
        counta++
    } catch (e) {
        countb++
    }
}
for (let i = 0; i < 1000; i++) {
    foo({});
    foo(i);
}
print(counta, countb)

With the above script as input to JSC, run JSC with the following parameters:

./jsc test.js --useConcurrentJIT=0

The correct value for counta should be 500, but actually it is not.

In DFGBytecodeParser, NumberProtoFuncToString is converted to ToString. Thus, it does not throw an exception for Number.prototype.toString when the parameter is Object.
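A generalization of the report's script, as an added example that is not part of the original report or of WebKit's test suite: it checks several receiver kinds against the outcome ECMAScript requires (thisNumberValue accepts only Number primitives and Number wrapper objects) and records the first iteration at which a result diverges, which points at a change of behaviour after tier-up. The receiver list, function names and iteration count are assumptions chosen for illustration.

```javascript
// Added regression check, not WebKit's own test. Expected outcomes follow
// ECMAScript thisNumberValue: only Number primitives and Number wrapper
// objects are valid receivers for Number.prototype.toString.
const RECEIVERS = [ // constructed sample receivers
  { name: "number",        make: (i) => i,             throws: false },
  { name: "Number object", make: (i) => new Number(i), throws: false },
  { name: "plain object",  make: () => ({}),           throws: true  },
  { name: "string",        make: (i) => String(i),     throws: true  },
  { name: "boolean",       make: () => true,           throws: true  },
  { name: "undefined",     make: () => undefined,      throws: true  },
];

// One small hot function, like foo() in the report, so the JIT compiles
// the Number.prototype.toString call site.
function callToString(receiver) {
  try {
    Number.prototype.toString.call(receiver);
    return "ok";
  } catch (e) {
    return e instanceof TypeError ? "TypeError" : "other:" + e;
  }
}

// Runs `iterations` rounds and returns each receiver kind whose outcome
// differed from the spec, with the first iteration at which it diverged.
function findTierDivergence(iterations) {
  const failures = [];
  const seen = new Set();
  for (let i = 0; i < iterations; i++) {
    for (const r of RECEIVERS) {
      const got = callToString(r.make(i));
      const want = r.throws ? "TypeError" : "ok";
      if (got !== want && !seen.has(r.name)) {
        seen.add(r.name);
        failures.push({ receiver: r.name, iteration: i, got, want });
      }
    }
  }
  return failures;
}

// The jsc shell provides print(); other runtimes fall back to console.log.
const log = typeof print === "function" ? print : console.log;
const divergences = findTierDivergence(20000);
log(divergences.length === 0 ? "consistent" : JSON.stringify(divergences, null, 2));
```

An empty result means every receiver kind kept its spec-mandated outcome for the whole run; a non-empty one names the receiver and the iteration where the outcome changed.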
Alexey Proskuryakov
Comment 1 2022-09-21 19:39:27 PDT
*** This bug has been marked as a duplicate of bug 245463 ***