Bug 245463 - JSC DFG Number.prototype.toString does not throw an exception when the parameter is Object
Summary: JSC DFG Number.prototype.toString does not throw an exception when the parame...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Local Build
Hardware: PC Linux
: P2 Normal
Assignee: Alexey Shvayka
URL:
Keywords: InRadar
: 245462 (view as bug list)
Depends on:
Blocks:
 
Reported: 2022-09-20 23:52 PDT by EntryHi
Modified: 2022-10-27 19:55 PDT (History)
4 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description EntryHi 2022-09-20 23:52:12 PDT 
let counta = 0, countb = 0

function foo(arg2) {
    try {
        Number.prototype.toString.call(arg2)
        counta++
    } catch (e) {
        countb++
    }
}

for (let i = 0; i < 1000; i++) {
    foo({});
    foo(i);
}
print(counta, countb)


With the above script as input to JSC, run JSC with the following parameters:
./jsc test.js --useConcurrentJIT=0

The correct value for counta should be 500, but actually it is not. In DFGBytecodeParser, NumberProtoFuncToString is converted to ToString. Thus, it does not throw an exception for Number.prototype.toString when the parameter is Object.
Comment 1 Alexey Proskuryakov 2022-09-21 19:39:27 PDT 
*** Bug 245462 has been marked as a duplicate of this bug. ***
Comment 2 Radar WebKit Bug Importer 2022-09-27 23:53:18 PDT 
<rdar://problem/100494175>
Comment 3 Alexey Shvayka 2022-10-08 10:14:57 PDT 
Pull request: https://github.com/WebKit/WebKit/pull/5165
Comment 4 EWS 2022-10-27 19:55:26 PDT 
Committed 256086@main (c828d44d6aa2): <https://commits.webkit.org/256086@main>

Reviewed commits have been landed. Closing PR #5165 and removing active labels.