[Webkit-unassigned] [Bug 187092] Inconsistent output compared with other JS engines

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Jul 10 20:44:46 PDT 2018


https://bugs.webkit.org/show_bug.cgi?id=187092

--- Comment #1 from Yusuke Suzuki <utatane.tea at gmail.com> ---
For the reported issue, I think JSC's behavior is correct.
According to https://tc39.github.io/ecma262/#sec-integerindexedelementset, which is invoked by TypedArray's [[Set]],
we first perform `ToNumber(value)` at step 3 before checking length.
So, v2.valueOf should be executed. And v3.y should be set. Then, I think SpiderMonkey and V8 are wrong for this code.

BTW, when looking at the code, I've found that JSC does not have a length check on the [[DefineOwnProperty]] side before performing ToNumber.
I'll handle this case.

-- 
You are receiving this mail because:
You are the assignee for the bug.
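
The ordering difference discussed in the comment above, as an added example that is not part of the original message, the reported test case, or any engine's source. The function names and sample values are constructed for illustration: the code models a store that converts the value before the bounds check, next to one that checks bounds first, and records whether a user-defined `valueOf` runs for an out-of-bounds index.

```javascript
// Added illustration: models the two orderings in plain JavaScript.
// All names here are hypothetical; the reported test case is not reproduced.

// Simplified model of the bounds check on an integer-indexed store.
function inBounds(ta, index) {
  return Number.isInteger(index) && !Object.is(index, -0) &&
         index >= 0 && index < ta.length;
}

// Ordering the comment cites from the spec: ToNumber(value) first, then length check.
function setConvertFirst(ta, index, value) {
  const num = Number(value);           // may run a user-defined valueOf()
  if (!inBounds(ta, index)) return false;
  ta[index] = num;
  return true;
}

// Alternative ordering: bounds check first, so an out-of-bounds store
// never converts the value and valueOf() is never called.
function setCheckFirst(ta, index, value) {
  if (!inBounds(ta, index)) return false;
  ta[index] = Number(value);
  return true;
}

// Runs one out-of-bounds store through the given model and reports what
// was observable: whether valueOf() ran and whether its side effect landed.
function observe(setter) {
  const calls = [];
  const target = {};                   // constructed stand-in for an object mutated by valueOf
  const value = {
    valueOf() { calls.push("valueOf"); target.y = 1; return 7; }
  };
  const ta = new Uint8Array(4);
  const stored = setter(ta, 10, value); // index 10 is past length 4
  return {
    stored,
    valueOfCalls: calls.length,
    sideEffectVisible: "y" in target,
    contents: Array.from(ta)
  };
}

console.log("convert first:", observe(setConvertFirst));
console.log("check first:  ", observe(setCheckFirst));
```

In both models the array is left unchanged; the only observable difference is the side effect of `valueOf`, which is the point of disagreement between engines in this bug.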