Bug 253634 - [JSC] Bound function optimization is observable with instanceof
Summary: [JSC] Bound function optimization is observable with instanceof
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: Safari Technology Preview
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Yusuke Suzuki
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2023-03-09 00:19 PST by Jan de Mooij
Modified: 2023-03-13 10:22 PDT
CC: 3 users

See Also:


Attachments
Test (339 bytes, text/html)
2023-03-09 00:19 PST, Jan de Mooij

Description Jan de Mooij 2023-03-09 00:19:31 PST
Created attachment 465371
Test

When binding an already-bound function, JSC tries to flatten this chain. This optimization is observable with `instanceof` because it gets the bound function's immediate target and does a `Symbol.hasInstance` lookup on it.

See the attached testcase. It should alert 10000 but I get 0 with Safari Technology Preview 165.
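A standalone reproduction of the behaviour the report describes, added here as an illustration. It is not the attached test (which is not reproduced on this page); the names `target`, `inner`, `outer` and the two helper functions are this example's own. It relies only on the spec semantics: `x instanceof outer` runs `Function.prototype[Symbol.hasInstance]`, whose OrdinaryHasInstance step unwraps one bound level and re-enters `instanceof` against `inner`, where `inner`'s own `Symbol.hasInstance` must be found.

```javascript
// Added example, not the bug's attachment: a Symbol.hasInstance hook defined
// on an intermediate bound function must still run when instanceof is applied
// to a function that was bound from it. Flattening outer -> target would skip it.
function target() {}

// Count how often inner's @@hasInstance hook runs across `iterations`
// instanceof checks on outer. A conforming engine returns `iterations`;
// the flattening described in the report would return 0.
function countIntermediateHasInstance(iterations) {
  const inner = target.bind(null);        // bound once
  let calls = 0;
  // Function.prototype[Symbol.hasInstance] is non-writable, so plain assignment
  // would fail silently; defineProperty creates an own property on inner.
  Object.defineProperty(inner, Symbol.hasInstance, {
    value(obj) { calls++; return false; },
    configurable: true,
  });
  const outer = inner.bind(null);         // bound function of a bound function
  const probe = {};
  for (let i = 0; i < iterations; i++) {
    void (probe instanceof outer);        // should reach inner's hook each time
  }
  return calls;
}

// The lookup is observable through the result as well, not only via a counter:
// inner's hook answers true, while target's prototype chain would answer false.
function instanceofViaOuter() {
  const inner = target.bind(null);
  Object.defineProperty(inner, Symbol.hasInstance, {
    value: () => true,
    configurable: true,
  });
  const outer = inner.bind(null);
  const probe = {};
  return {
    viaOuter: probe instanceof outer,     // true on a conforming engine
    viaTarget: probe instanceof target,   // false: probe is not a target instance
  };
}
```

Running `countIntermediateHasInstance(10000)` on a conforming engine returns 10000, matching the report's expected alert; an engine that collapses `outer` onto `target` never consults `inner` and returns 0, and `instanceofViaOuter().viaOuter` would flip from true to false for the same reason.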
Comment 1 Radar WebKit Bug Importer 2023-03-09 06:37:30 PST
<rdar://problem/106498460>
Comment 2 Yusuke Suzuki 2023-03-10 14:57:22 PST
Pull request: https://github.com/WebKit/WebKit/pull/11385