RESOLVED FIXED 246275
Array.prototype.indexOf constant-folding should account for non-numeric index 
https://bugs.webkit.org/show_bug.cgi?id=246275
Summary Array.prototype.indexOf constant-folding should account for non-numeric index
EntryHi
Reported 2022-10-10 05:01:32 PDT
function func(a,c) { a[0] = 1.2; return a.indexOf('test', c) } noInline(func); var a = [1.1, 2.2]; for (var i = 0; i < 20; i++) { func(a, i); } func(a, { valueOf: () => { a[0] = {}; return 0; } }); print(a[0]) With the above script as input to JSC, run JSC with the following parameters: ./jsc test.js --useConcurrentJIT=0 --jitPolicyScale=0.1 The above js scripts should print [Object], but jsc wrongly prints 1.2. In DFGBytecodeParser, indexOf is inlined into ArrayIndexOf node instead of Call. In Fixup, ArrayIndexOf is converted to JSConstant node. So valueOf is no longer invoked. Thus, a[0]={} is not executed.
Attachments
Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2022-10-17 05:02:17 PDT
<rdar://problem/101242631>
Alexey Shvayka
Comment 2 2022-11-07 03:48:19 PST
Pull request: https://github.com/WebKit/WebKit/pull/6203
EWS
Comment 3 2022-11-11 15:14:36 PST
Committed 256590@main (77b468c0b1d1): <https://commits.webkit.org/256590@main> Reviewed commits have been landed. Closing PR #6203 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.