[webkit-changes] [WebKit/WebKit] 4c2728: [JSC] StringConstructor constant function inlining...
Commit Queue
noreply at github.com
Wed May 17 21:31:24 PDT 2023
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 4c2728c1626b6d8e7da0e1f6776ea96909088666
https://github.com/WebKit/WebKit/commit/4c2728c1626b6d8e7da0e1f6776ea96909088666
Author: Alexey Shvayka <ashvayka at apple.com>
Date: 2023-05-17 (Wed, 17 May 2023)
Changed paths:
A JSTests/stress/regress-255512.js
M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
Log Message:
-----------
[JSC] StringConstructor constant function inlining is incorrect in case of [[Construct]]
https://bugs.webkit.org/show_bug.cgi?id=255512
<rdar://problem/108448272>
Reviewed by Yusuke Suzuki.
Before this change, StringConstructor constant function, when invoked via [[Construct]], was inlined to
NewStringObject(CallStringConstructor(argument1))
which was incorrect given StringConstructor has special-casing for Symbol argument [1] only when invoked
via [[Call]].
This patch replaces CallStringConstructor with ToString which throws for symbols rather than returning
their description string.
[1] https://tc39.es/ecma262/#sec-string-constructor-string-value (step 2.a)
* JSTests/stress/regress-255512.js: Added.
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleConstantFunction):
Canonical link: https://commits.webkit.org/264191@main
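
The behaviour the log message describes can be checked from script. The following is an added example, not the contents of JSTests/stress/regress-255512.js or any other code from the commit; the function names, iteration count and sample values are assumptions made for illustration. It calls String both ways in a hot loop and reports whether the result ever diverges from the first (cold) invocation.

```javascript
// Added example: checks that String's [[Call]] and [[Construct]] paths keep
// their spec behaviour for Symbol arguments after the function gets hot.
// All names and sample values here are constructed for illustration.

function callString(value) {
  return String(value);          // [[Call]]: symbols yield "Symbol(desc)"
}

function constructString(value) {
  return new String(value);      // [[Construct]]: symbols must throw TypeError
}

// Normalise one invocation into a comparable record.
function outcome(fn, value) {
  try {
    const result = fn(value);
    return { threw: false, type: typeof result, text: result.valueOf() };
  } catch (err) {
    return { threw: true, name: err.name };
  }
}

// Run fn repeatedly so optimizing tiers kick in; report the first iteration
// whose outcome differs from the initial (cold) one.
function checkStable(fn, value, iterations = 20000) {
  const cold = JSON.stringify(outcome(fn, value));
  for (let i = 1; i <= iterations; i++) {
    const hot = JSON.stringify(outcome(fn, value));
    if (hot !== cold) return { stable: false, iteration: i, cold, hot };
  }
  return { stable: true, cold };
}

const sym = Symbol("desc");      // constructed sample input
const report = {
  call: checkStable(callString, sym),
  construct: checkStable(constructString, sym),
  constructPlain: checkStable(constructString, 42),
};
console.log(JSON.stringify(report, null, 2));
```

On a conforming engine every entry reports stable: true, with the construct entry recording a TypeError from the first iteration onward.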