Bug 245462

Summary: JSC DFG Number.prototype.toString does not throw an exception when the parameter is Object
Product: WebKit
Reporter: EntryHi <entryhii>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE
Severity: Normal
Priority: P2
Version: WebKit Local Build
Hardware: PC
OS: Linux

Description EntryHi 2022-09-20 23:50:56 PDT
let counta = 0, countb = 0   // counta: calls that succeeded, countb: calls that threw

function foo(arg2) {
    try {
        // With a plain object as `this`, the spec requires a TypeError here.
        Number.prototype.toString.call(arg2)
        counta++
    } catch (e) {
        countb++
    }
}

// Alternate an object and a number so the DFG sees both receiver types
// once foo() gets hot enough to be compiled.
for (let i = 0; i < 1000; i++) {
    foo({});
    foo(i);
}
print(counta, countb)   // jsc shell builtin; expected output: 500 500


With the above script as input to JSC, run JSC with the following parameters:
./jsc test.js --useConcurrentJIT=0

The correct value for counta should be 500, but actually it is not. In DFGBytecodeParser, NumberProtoFuncToString is converted to ToString. Thus, it does not throw an exception for Number.prototype.toString when the parameter is Object.
Comment 1 Alexey Proskuryakov 2022-09-21 19:39:27 PDT

*** This bug has been marked as a duplicate of bug 245463 ***