Bug 248023 - For-of should perform toPrimitive(done) in the interpreter before checking the iteration is done.
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Local Build
Hardware: PC Linux
Importance: P2 Normal
Assignee: Nobody
Keywords: InRadar
Reported: 2022-11-16 22:52 PST by EntryHi
Modified: 2022-11-23 22:53 PST
Description EntryHi 2022-11-16 22:52:41 PST
var it = 0;
// Callable proxy used both as the @@iterator method and as next():
// every call prints '2' and returns whatever `it` currently holds.
var iterator_fn = new Proxy(function () {
}, {
  apply() {
    print('2');
    return it;
  }
});
// Object being iterated: every property read (Symbol.iterator, next, done)
// prints '1', points `it` at obj itself and hands back iterator_fn.
var obj = new Proxy({}, {
  get: function (target, name) {
    it = obj;
    print('1');
    return iterator_fn;
  }
});

for (var v of obj) {
  print('3');
}

With the above script as input to JSC, run JSC with the following parameters:
./jsc test.js --useConcurrentJIT=0

According to ECMA, the correct result should be '12121', but JSC prints '121211'. I also tested the script in Safari, and the result is also '121211'. However, the result is '12121' in Google. If I set JITPolicyScale to 0, JSC JIT will print '12121'.

The problem may be in LowLevelInterpreter64.asm. In op_iterator_next, m_done is a JSValue from _llint_slow_path_iterator_next_get_done. In the script, m_done is a Proxy object. This value should go through toPrimitive before btqnz; otherwise it iterates one more time and prints '1' wrongly.
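As an added example (not code from the bug report or from WebKit), the following walks the for-of iteration protocol step by step the way ECMA-262 describes it (GetIterator, IteratorNext, IteratorComplete as ToBoolean of the `done` read) over the reporter's two proxies, collecting every trap into a `trace` array in place of print(), and runs the engine's own for-of over the same proxies for comparison. makeProxies(), traceSpecForOf() and traceNativeForOf() are names introduced here.

```javascript
// Rebuilds the two proxies from the report; `trace` collects what print() would emit.
function makeProxies(trace) {
  let it = 0;
  const iteratorFn = new Proxy(function () {}, {
    apply() {
      trace.push('2');   // every call (the @@iterator method and next()) logs '2'
      return it;         // after the first get, this is the object proxy itself
    },
  });
  const obj = new Proxy({}, {
    get(target, name) {
      it = obj;
      trace.push('1');   // every property read (@@iterator, next, done) logs '1'
      return iteratorFn; // a function: truthy when read back as `done`
    },
  });
  return obj;
}

// Manual, spec-shaped for-of: each statement maps to one abstract operation.
function traceSpecForOf() {
  const trace = [];
  const obj = makeProxies(trace);
  const method = obj[Symbol.iterator];                // Get(obj, @@iterator)        -> '1'
  const iterator = Reflect.apply(method, obj, []);    // Call(method, obj)           -> '2'
  const next = iterator.next;                         // Get(iterator, "next")       -> '1'
  for (;;) {
    const result = Reflect.apply(next, iterator, []); // IteratorNext                -> '2'
    if (Boolean(result.done)) break;                  // ToBoolean(Get(result,"done")) -> '1'; truthy, stop
    void result.value;                                // IteratorValue: not reached for this input
    trace.push('3');
  }
  return trace.join('');
}

// The running engine's own for-of over the same proxies, for comparison.
function traceNativeForOf() {
  const trace = [];
  const obj = makeProxies(trace);
  for (const v of obj) {
    trace.push('3');
  }
  return trace.join('');
}
```

A conforming engine yields '12121' from both functions; an engine with the reported defect produces a longer trace from traceNativeForOf() than from traceSpecForOf().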
Comment 1 Radar WebKit Bug Importer 2022-11-23 22:53:16 PST
<rdar://problem/102640049>