RESOLVED FIXED 245463
JSC DFG Number.prototype.toString does not throw an exception when the parameter is Object 
https://bugs.webkit.org/show_bug.cgi?id=245463
Summary JSC DFG Number.prototype.toString does not throw an exception when the parame...
EntryHi
Reported 2022-09-20 23:52:12 PDT
let counta = 0, countb = 0 function foo(arg2) { try { Number.prototype.toString.call(arg2) counta++ } catch (e) { countb++ } } for (let i = 0; i < 1000; i++) { foo({}); foo(i); } print(counta, countb) With the above script as input to JSC, run JSC with the following parameters: ./jsc test.js --useConcurrentJIT=0 The correct value for counta should be 500, but actually it is not. In DFGBytecodeParser, NumberProtoFuncToString is converted to ToString. Thus, it does not throw an exception for Number.prototype.toString when the parameter is Object.
Attachments
Add attachment proposed patch, testcase, etc.
Alexey Proskuryakov
Comment 1 2022-09-21 19:39:27 PDT
*** Bug 245462 has been marked as a duplicate of this bug. ***
Radar WebKit Bug Importer
Comment 2 2022-09-27 23:53:18 PDT
<rdar://problem/100494175>
Alexey Shvayka
Comment 3 2022-10-08 10:14:57 PDT
Pull request: https://github.com/WebKit/WebKit/pull/5165
EWS
Comment 4 2022-10-27 19:55:26 PDT
Committed 256086@main (c828d44d6aa2): <https://commits.webkit.org/256086@main> Reviewed commits have been landed. Closing PR #5165 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.