[Webkit-unassigned] [Bug 228064] JS binary addition operator does not conform to spec

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jul 22 19:40:39 PDT 2021


https://bugs.webkit.org/show_bug.cgi?id=228064

--- Comment #7 from Yusuke Suzuki <ysuzuki at apple.com> ---
Ah, OK. I think I know what it is.

https://tc39.es/ecma262/multipage/ecmascript-language-expressions.html#sec-applystringornumericbinaryoperator

The result "[object Object][object Object]" is the right value according to the spec.
This is because ToPrimitive on an object should return "[object Object]".

Let's look at https://tc39.es/ecma262/multipage/abstract-operations.html#sec-toprimitive carefully. Since @@toPrimitive is not defined, we call OrdinaryToPrimitive with "default" preference.

https://tc39.es/ecma262/multipage/abstract-operations.html#sec-ordinarytoprimitive
Then, we first call object.valueOf(). But it returns the object itself.
Since it is not a primitive value, we discard this, and then call object.toString() next.
See step 5-b-ii "If Type(result) is not Object, return result.". Since valueOf returns an object, we call object.toString next (as listed in step 4-a).

https://tc39.es/ecma262/multipage/ecmascript-language-expressions.html#sec-applystringornumericbinaryoperator
So, in step 2-c, both lprim and rprim are strings "[object Object]". Therefore, 2-c-iii will return "[object Object][object Object]".

So, JSC and V8 behaviors are correct.

Then, why does SpiderMonkey return NaN?

In JSC and V8 consoles, we evaluate the input as "expression" first instead of "statement". This is convenient because users do not need to wrap the expression with "()".
On the other hand, maybe, SpiderMonkey is evaluating it as "statement". Then, what is happening is that,

{} + {}

is evaluated as ({} + {}) in JSC and V8's console.

{} + {}

is evaluated as

{
   // Block statement
}
+{};  // + and object => NaN.

in SpiderMonkey.

So,

1. {} + {} is correctly evaluated in JSC. If it is evaluated as an expression, the result should be "[object Object][object Object]"
2. {} + {} is evaluated differently in the console in Firefox, Safari, and V8. And this is the engine's preference.

-- 
You are receiving this mail because:
You are the assignee for the bug.
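
The conversion steps and the two parses described in the comment above, as an added example that is not part of the original message or of any engine's source. The function names (ordinaryToPrimitive, toPrimitive, specAdd, evalAsStatement, evalAsExpression) are illustrative, and Symbol and BigInt operands are left out.

```javascript
// Added example: a hand-written model of the spec steps, not engine code.
function isPrimitive(v) {
  return v === null || (typeof v !== 'object' && typeof v !== 'function');
}

// OrdinaryToPrimitive(O, hint): call the two methods in hint order and
// return the first result that is not an object.
function ordinaryToPrimitive(obj, hint) {
  const order = hint === 'string' ? ['toString', 'valueOf'] : ['valueOf', 'toString'];
  for (const name of order) {
    const method = obj[name];
    if (typeof method === 'function') {
      const result = method.call(obj);
      if (isPrimitive(result)) return result;
    }
  }
  throw new TypeError('Cannot convert object to primitive value');
}

// ToPrimitive(input) without a preferred type: the hint is "default".
// With no @@toPrimitive method, OrdinaryToPrimitive runs in "number" order.
function toPrimitive(input) {
  if (isPrimitive(input)) return input;
  const exotic = input[Symbol.toPrimitive];
  if (exotic !== undefined && exotic !== null) {
    const result = exotic.call(input, 'default');
    if (isPrimitive(result)) return result;
    throw new TypeError('Cannot convert object to primitive value');
  }
  return ordinaryToPrimitive(input, 'number');
}

// Binary +: string concatenation if either primitive is a string,
// numeric addition otherwise (Symbol and BigInt handling omitted).
function specAdd(left, right) {
  const lprim = toPrimitive(left);
  const rprim = toPrimitive(right);
  if (typeof lprim === 'string' || typeof rprim === 'string') {
    return String(lprim) + String(rprim);
  }
  return Number(lprim) + Number(rprim);
}

// The same source text under two parses. Indirect eval parses its argument
// as a Script, so a leading "{}" is an empty block statement; wrapping the
// text in parentheses forces it to be parsed as an expression.
function evalAsStatement(src) { return (0, eval)(src); }
function evalAsExpression(src) { return (0, eval)('(' + src + ')'); }
```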