[webkit-changes] [WebKit/WebKit] c828d4: JSC DFG Number.prototype.toString does not throw a...

Alexey Shvayka noreply at github.com
Thu Oct 27 19:55:35 PDT 2022


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: c828d44d6aa2a3537edec55adffb06de4ee23892
      https://github.com/WebKit/WebKit/commit/c828d44d6aa2a3537edec55adffb06de4ee23892
  Author: Alexey Shvayka <shvaikalesh at gmail.com>
  Date:   2022-10-27 (Thu, 27 Oct 2022)

  Changed paths:
    A JSTests/stress/number-prototype-to-string-dfg-bad-this-value-radix-10.js
    A JSTests/stress/number-prototype-to-string-dfg-bad-this-value-radix-absent.js
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
    M Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp
    M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
    M Source/JavaScriptCore/dfg/DFGNode.h

  Log Message:
  -----------
  JSC DFG Number.prototype.toString does not throw an exception when the parameter is Object
https://bugs.webkit.org/show_bug.cgi?id=245463
<rdar://problem/100494175>

Reviewed by Yusuke Suzuki.

This change aligns DFG implementations of Number.prototype.toString(), called with radix of 10
or without radix parameter, with the spec [1] by emitting NumberToStringWithValidRadixConstant
DFG node instead of ToString, so the TypeError is thrown for non-number |this| values.

In order to emit the simplest DFG node possible, and to enable future optimizations,
NumberToStringWithValidRadixConstant with radix of 10 is still converted to ToString
for numeric callees only.

[1]: https://tc39.es/ecma262/#sec-number.prototype.tostring (step 1)

* JSTests/stress/number-prototype-to-string-dfg-bad-this-value-radix-10.js: Added.
* JSTests/stress/number-prototype-to-string-dfg-bad-this-value-radix-absent.js: Added.
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* Source/JavaScriptCore/dfg/DFGNode.h:

Canonical link: https://commits.webkit.org/256086@main
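An added example, not the JSTests files from this commit and not WebKit code: a tier-differential check that keeps each call site hot and requires `Number.prototype.toString`, with radix 10 or no radix, to throw TypeError for non-number |this| on every iteration, so a JIT tier that quietly falls back to generic ToString is caught. The iteration count, the sample values and all function names are assumptions made for illustration.

```javascript
// Assumed iteration count, chosen to be well past typical optimizing-JIT thresholds.
const ITERATIONS = 10000;

// Constructed samples: |this| values that step 1 of the spec algorithm must reject.
const BAD_THIS = [
  ["plain object", {}], ["string", "42"], ["undefined", undefined],
  ["null", null], ["boolean", true], ["bigint", 10n],
  ["object with valueOf", { valueOf() { return 1; } }],
];
// Constructed controls: Number values and Number wrappers must keep working.
const GOOD_THIS = [
  ["number", 255, "255"], ["Number wrapper", new Number(255), "255"],
  ["negative zero", -0, "0"], ["NaN", NaN, "NaN"],
];

// Separate functions so each call site is profiled and compiled on its own.
function radixAbsent(v) { return Number.prototype.toString.call(v); }
function radix10(v) { return Number.prototype.toString.call(v, 10); }

// Normalises one call into a comparable string.
function outcome(fn, v) {
  try {
    return "returned " + String(fn(v));
  } catch (e) {
    return e instanceof TypeError ? "TypeError" : "threw " + e.name;
  }
}

// Repeats the call until hot; reports the first iteration that diverges from `expected`.
function firstDivergence(fn, value, expected) {
  for (let i = 0; i < ITERATIONS; i++) {
    const got = outcome(fn, value);
    if (got !== expected) return { iteration: i, got };
  }
  return null;
}

function runChecks() {
  const failures = [];
  const cases = [
    ...GOOD_THIS.map(([label, v, text]) => [label, v, "returned " + text]),
    ...BAD_THIS.map(([label, v]) => [label, v, "TypeError"]),
  ];
  for (const fn of [radixAbsent, radix10]) {
    for (const [label, value, expected] of cases) {
      const d = firstDivergence(fn, value, expected);
      if (d) failures.push(`${fn.name} / ${label}: ${d.got} at iteration ${d.iteration}`);
    }
  }
  return failures;
}

const report = runChecks();
console.log(report.length ? report.join("\n") : "no divergence between warm-up and hot iterations");
```

A failure that first appears at a non-zero iteration means the lower tier was correct and a later tier changed the result.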



