RESOLVED FIXED 255512
[JSC] StringConstructor constant function inlining is incorrect in case of [[Construct]]
https://bugs.webkit.org/show_bug.cgi?id=255512
EntryHi
Reported 2023-04-17 04:56:29 PDT
*********************
// get trap: constructs a String from the property key; on the
// Symbol.toPrimitive lookup that key is a Symbol
function f1(a2, a3) {
    const v5 = new String(a3);
    print(v5);
    return String;
}
const v8 = new Proxy(String, {"get": f1});
try { v8["split"](v8); } catch (e12) {}
*********************

With the above script as input to JSC, run JSC with the following parameters:

./jsc test.js --useConcurrentJIT=0 --jitPolicyScale=0

In LLInt (executing the above script with --jitPolicyScale=1), JSC throws an exception (a symbol cannot be converted into a string), but in the JIT, JSC doesn't throw any exception. The problem may be in the node CallStringConstructor. When the parameter is a Symbol, the DFG invokes asSymbol(argument)->descriptiveString instead of throwing an exception.
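Added example (written for this page; it is neither the reporter's script nor WebKit code): the two String semantics the DFG has to keep apart when it inlines the String constructor. With [[Call]], String(sym) returns the symbol's descriptive string; with [[Construct]], new String(sym) must throw a TypeError because ToString rejects symbols. The helper names (callString, constructString, constructIsStable, proxyTrigger) are assumptions chosen for this example; proxyTrigger restates the report's Proxy trigger so that it returns what happened instead of printing, and constructIsStable is the kind of differential check (interpreter observation versus hot, JIT-compiled observation) one would keep as a regression test.

```javascript
// Added example, not from the bug report or WebKit. Run with node.

// [[Call]] path: String(sym) -> SymbolDescriptiveString, never throws for a Symbol.
function callString(value) {
  try {
    return { threw: false, result: String(value) };
  } catch (e) {
    return { threw: true, error: e.name };
  }
}

// [[Construct]] path: new String(sym) -> ToString(sym) -> TypeError.
function constructString(value) {
  try {
    return { threw: false, result: new String(value).valueOf() };
  } catch (e) {
    return { threw: true, error: e.name };
  }
}

// Differential check in the spirit of the report: observe the construct path
// once (cold, interpreter), then run it hot enough that a tiering JIT would
// compile it, and compare. A correct engine gives the same answer both times;
// the reported bug would give { threw: true } first and { threw: false } later.
function constructIsStable(value, iterations = 10000) {
  const first = constructString(value);
  let last = first;
  for (let i = 0; i < iterations; i++) {
    last = constructString(value);
  }
  return first.threw === last.threw;
}

// The report's trigger, restated. The get trap returns String itself, so
// p["split"](p) is String(p) with the proxy as argument. ToString(p) runs
// ToPrimitive, which looks up Symbol.toPrimitive through the same trap;
// new String(Symbol.toPrimitive) must throw there.
function proxyTrigger() {
  const props = [];
  const p = new Proxy(String, {
    get(target, prop) {
      props.push(prop);
      new String(prop);   // throws once prop is Symbol.toPrimitive
      return String;
    },
  });
  try {
    const result = p["split"](p);
    return { threw: false, result, props };
  } catch (e) {
    return { threw: true, error: e.name, props };
  }
}

console.log(callString(Symbol("x")));       // { threw: false, result: 'Symbol(x)' }
console.log(constructString(Symbol("x")));  // { threw: true, error: 'TypeError' }
console.log(constructIsStable(Symbol("x"))); // true on a correct engine
console.log(proxyTrigger());                // threw: true, props: [ 'split', Symbol(Symbol.toPrimitive) ]
```

On a correct engine proxyTrigger reports a TypeError after exactly two trap invocations ("split", then Symbol.toPrimitive); an engine with the reported inlining bug would let the second new String succeed on the compiled path and return a string instead.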
Radar WebKit Bug Importer
Comment 1 2023-04-24 04:57:20 PDT
Alexey Shvayka
Comment 2 2023-05-17 14:55:34 PDT
EWS
Comment 3 2023-05-17 21:31:15 PDT
Committed 264191@main (4c2728c1626b): <https://commits.webkit.org/264191@main> Reviewed commits have been landed. Closing PR #13987 and removing active labels.