[Webkit-unassigned] [Bug 246275] New: Array.prototype.IndexOf should not take fast path if the second argument is not numeric.
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Mon Oct 10 05:01:32 PDT 2022
https://bugs.webkit.org/show_bug.cgi?id=246275
Bug ID: 246275
Summary: Array.prototype.IndexOf should not take fast path if
the second argument is not numeric.
Product: WebKit
Version: WebKit Local Build
Hardware: PC
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: entryhii at gmail.com
function func(a,c) {
a[0] = 1.2;
return a.indexOf('test', c)
}
noInline(func);
var a = [1.1, 2.2];
for (var i = 0; i < 20; i++) {
func(a, i);
}
func(a, {
valueOf: () => {
a[0] = {};
return 0;
}
});
print(a[0])
With the above script as input to JSC, run JSC with the following parameters:
./jsc test.js --useConcurrentJIT=0 --jitPolicyScale=0.1
The above js scripts should print [Object], but jsc wrongly prints 1.2.
In DFGBytecodeParser, indexOf is inlined into ArrayIndexOf node instead of Call. In Fixup, ArrayIndexOf is converted to JSConstant node.
So valueOf is no longer invoked. Thus, a[0]={} is not executed.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20221010/473b665f/attachment.htm>
More information about the webkit-unassigned
mailing list