[Webkit-unassigned] [Bug 197362] SameValueZero implementation bug

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Apr 29 01:41:17 PDT 2019


https://bugs.webkit.org/show_bug.cgi?id=197362

Andrea Giammarchi <andrea.giammarchi at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |andrea.giammarchi at gmail.com

--- Comment #2 from Andrea Giammarchi <andrea.giammarchi at gmail.com> ---
FWIW the issue is not the constructor, rather the `.add(NaN)` followed by `.add(0/0)` or even `.add(Infinity/Infinity)`.

Coming from here https://github.com/WebKit/webkit/blob/master/Source/JavaScriptCore/runtime/SetPrototype.cpp#L102 I think the issue might be in here: https://github.com/WebKit/webkit/blob/dad62415730c8df3cbbe654eb15f0585e74af04c/Source/JavaScriptCore/runtime/HashMapImpl.h#L462-L470

where I suspect `areKeysEqual(exec, key, bucket->key())` might consider the globally available `NaN` and those produced by `0/0` or `Infinity/Infinity` different.

The same applies to `Map`:

```javascript
const m = new Map;
m.set(0/0, '0/0');
m.set(NaN, 'NaN'); // per SameValueZero this key equals 0/0, so it should overwrite the first entry
m.get(0/0);        // spec-conforming result: 'NaN'
m.get(NaN);        // spec-conforming result: 'NaN'
```
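A reference implementation of the SameValueZero comparison the bug title refers to, together with a check of the Set/Map behaviour the comment describes, as an added example that is not code from the bug report or from WebKit; the names `sameValueZero`, `nanVariants` and `checkSetAndMap` are chosen here:

```javascript
// SameValueZero(x, y) as specified by ECMAScript: NaN equals NaN, +0 equals -0,
// and everything else compares with ===. This is the key-equality rule Set and
// Map must use, so any NaN, however it was produced, is the same key.
function sameValueZero(x, y) {
  if (typeof x === 'number' && typeof y === 'number') {
    // NaN !== NaN under ===, so the NaN case must be handled explicitly.
    if (Number.isNaN(x) && Number.isNaN(y)) return true;
    return x === y; // +0 === -0 is true: the "Zero" part of the name
  }
  return x === y;
}

// Several ways of producing a NaN (constructed sample values). Their IEEE-754
// bit patterns are not guaranteed to be identical, so an equality or hash routine
// that compares raw bits instead of applying SameValueZero can treat them as
// distinct keys, which is the symptom the bug report describes.
const nanVariants = [NaN, 0 / 0, Infinity / Infinity, Number('x'), Math.sqrt(-1)];

// Every pair of NaN variants must be SameValueZero-equal.
function allNaNsEqual() {
  return nanVariants.every(a => nanVariants.every(b => sameValueZero(a, b)));
}

// What a spec-conforming engine must do: a Set collapses all NaN variants into
// one entry, and a Map returns the most recently stored value for any NaN key.
function checkSetAndMap() {
  const s = new Set(nanVariants);
  const m = new Map();
  m.set(0 / 0, '0/0');
  m.set(NaN, 'NaN'); // same key as 0/0, so this overwrites the first entry
  return {
    setSize: s.size,                              // 1
    mapSize: m.size,                              // 1
    getFromDivision: m.get(0 / 0),                // 'NaN'
    getFromGlobal: m.get(NaN),                    // 'NaN'
    getFromInfinity: m.get(Infinity / Infinity),  // 'NaN'
    hasNaN: s.has(Number.NaN),                    // true
    zeroEqual: sameValueZero(0, -0),              // true, unlike Object.is(0, -0)
  };
}
```

Running this in an engine that applies SameValueZero correctly yields a single Set entry and `'NaN'` from every Map lookup; an engine with the bug described above reports a larger size and `undefined` for one of the lookups.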
