284615 – Baseline JIT cannot check iterator result interface correctly.

RESOLVED DUPLICATE of bug 291362 284615

Baseline JIT cannot check iterator result interface correctly.

https://bugs.webkit.org/show_bug.cgi?id=284615

Summary Baseline JIT cannot check iterator result interface correctly.

EntryHi

Reported 2024-12-13 00:20:27 PST

Hello, I found a bug related to iterator in baseline JIT. =================poc.js====================== function f44() { return 1n; } const v91 = []; class C92 { n() { let [] = v91; } } const v96 = new C92(); const v97 = {}; v97[Symbol.iterator] = f44; v91.__proto__ = v97; try { v96.n(); print(123) } catch (e) { print(e) } ============================================ Reproduce bug: ./jsc -f poc.js --useConcurrentJIT=0 --jitPolicyScale=0 --useDFGJIT=0 The result of JSC is shown as below: 123 The correct result should be: TypeError: Iterator result interface is not an object.

Attachments
Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2024-12-20 00:21:14 PST

<rdar://problem/141807665>

Yusuke Suzuki

Comment 2 2025-05-23 16:57:12 PDT

Thanks! Fixed in bug 291362 *** This bug has been marked as a duplicate of bug 291362 ***

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution DUPLICATE

of bug 291362

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware PC

OS Linux

Product WebKit

Component JavaScriptCore

Assignee

Nobody

Reported

2024-12-13 00:20 PST

Modified

2025-05-23 16:57 PDT History

CC List

3 users Show

URL

Keywords InRadar

Depends on

Blocks