[Webkit-unassigned] [Bug 244183] New: In JSC DFGBytecodeParser, PowIntrinsic does not throw exception when the only parameter is a Symbol

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Aug 22 01:14:24 PDT 2022


https://bugs.webkit.org/show_bug.cgi?id=244183

            Bug ID: 244183
           Summary: In JSC DFGBytecodeParser, PowIntrinsic does not throw
                    exception when the only parameter is a Symbol
           Product: WebKit
           Version: WebKit Local Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: entryhii at gmail.com

// print() and noInline() are builtins of the jsc shell, not standard JavaScript.
function shouldThrow(func) {
  try {
    func();
  } catch (e) {
    print("error");
  }
}
function foo(value) {
  return Math.pow(value);
}
noInline(foo);

// Warm foo up so it gets compiled by the DFG JIT.
for (var i = 0; i < 10; ++i) {
  print(foo(10));
}
shouldThrow(() => { foo(Symbol("Cocoa")); });


With the above script as input to JSC, run JSC with the following parameters:
./jsc test.js --useConcurrentJIT=0 --jitPolicyScale=0

Pow(Symbol("Cocoa")) should throw an exception. In the interpreter (executing the above script with --jitPolicyScale=1), JSC throws an exception, but in the JIT, JSC doesn't throw an exception.

The problem is in the process of compiling bytecode into DFG nodes. In DFGBytecodeParser, Math.pow is inlined into an ArithPow node. If pow has fewer than 2 parameters, constantNaN is directly introduced as the result of pow, but introducing this NaN makes the JIT ignore exceptions caused by the parameters.
When the parameter is a Symbol, the above problem exists, and the following script triggers the same problem.

// An object whose ToPrimitive conversion fails: valueOf returns the object
// itself and toString returns a non-primitive, so ToNumber(o) throws a TypeError.
var o = {
  toString: function () {
    return {};
  }
};

function bar(b) {
  return b;
}
noInline(bar);

function foo(a) {
  try {
    print(bar(Math.pow(a)));
  } catch (e) {
    print("error");
  }
}
noInline(foo);

// Warm foo up with arguments that convert to NaN without throwing.
for (var i = 0; i < 10; i++) {
  foo({});
  foo("hello");
}
foo(o);
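To make the expected behaviour concrete, the following is an added example (not part of the bug report or of JavaScriptCore). It models the ECMAScript semantics of Math.pow next to the short-circuit the report describes, so both test scripts above can be checked against a reference: per the specification, ToNumber is applied to both operands before any arity-based shortcut, so a Symbol or an object that cannot be converted to a primitive must throw a TypeError, while a missing exponent merely yields NaN. The function names specPow, shortcutPow and outcome are this example's own.

```javascript
// Reference model of Math.pow(base, exponent) as specified: ToNumber runs on
// both operands first. ToNumber(undefined) is NaN, but ToNumber(Symbol) and
// ToNumber of an object whose valueOf/toString never yield a primitive throw.
function specPow(base, exponent) {
  const b = Number(base);     // throws TypeError for Symbol or unconvertible object
  const e = Number(exponent); // undefined -> NaN
  return b ** e;
}

// Model of the shortcut the report describes: with fewer than two arguments the
// result is NaN immediately, so a throwing ToNumber on the operand is skipped.
function shortcutPow(...args) {
  if (args.length < 2) return NaN;
  return Number(args[0]) ** Number(args[1]);
}

// Runs fn(...args) and records whether it threw, so the two models can be compared.
function outcome(fn, ...args) {
  try {
    return { threw: false, value: fn(...args) };
  } catch (e) {
    return { threw: true, error: e.constructor.name };
  }
}

// Constructed inputs mirroring the two scripts in the report.
const symbolArg = Symbol("Cocoa");
const badObject = { toString: function () { return {}; } };

// Each entry pairs the argument with the behaviour the specification requires.
function compareModels() {
  return [symbolArg, badObject, {}, "hello", 10].map(arg => ({
    arg: typeof arg === "symbol" ? "Symbol" : JSON.stringify(arg) || String(arg),
    spec: outcome(specPow, arg),
    shortcut: outcome(shortcutPow, arg)
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const row of compareModels()) console.log(row);
}
```

The rows for the Symbol and for the object with a non-primitive toString are the ones that matter: the reference throws a TypeError for both, while the shortcut returns NaN, which is exactly the divergence between the interpreter and the JIT that the report observes. The remaining rows ({}, "hello", 10) convert to NaN without throwing in both models, which is why they are safe warm-up inputs.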
