[Webkit-unassigned] [Bug 245462] New: JSC DFG Number.prototype.toString does not throw an exception when the parameter is Object
bugzilla-daemon at webkit.org
Tue Sep 20 23:50:56 PDT 2022
https://bugs.webkit.org/show_bug.cgi?id=245462
Bug ID: 245462
Summary: JSC DFG Number.prototype.toString does not throw an
exception when the parameter is Object
Product: WebKit
Version: WebKit Local Build
Hardware: PC
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: entryhii at gmail.com

    let counta = 0, countb = 0
    function foo(arg2) {
        try {
            Number.prototype.toString.call(arg2)
            counta++
        } catch (e) {
            countb++
        }
    }
    for (let i = 0; i < 1000; i++) {
        foo({});
        foo(i);
    }
    print(counta, countb)

With the above script as input to JSC, run JSC with the following parameters:
./jsc test.js --useConcurrentJIT=0
The correct value for counta should be 500, but actually it is not. In DFGBytecodeParser, NumberProtoFuncToString is converted to ToString. Thus, it does not throw an exception for Number.prototype.toString when the parameter is Object.
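A tier-consistency check for the behaviour this report describes, as an added example that is not part of the original report or of WebKit's test suite. It generalizes the report's two receivers ({} and an integer) to several receiver kinds and records the first iteration at which a hot call site stops matching the ECMAScript requirement; the names CASES, callToString, observe and findDivergences are hypothetical.

```javascript
// Spec check: Number.prototype.toString must throw TypeError unless `this`
// is a Number primitive or a Number wrapper object. A generic ToString
// would instead return "[object Object]" for {}.

// Constructed sample receivers and the behaviour the spec requires for each.
const CASES = [
  { label: 'plain object', value: {}, mustThrow: true },
  { label: 'string', value: '42', mustThrow: true },
  { label: 'undefined', value: undefined, mustThrow: true },
  { label: 'array', value: [1], mustThrow: true },
  { label: 'int32', value: 7, mustThrow: false, expected: '7' },
  { label: 'double', value: 1.5, mustThrow: false, expected: '1.5' },
  { label: 'wrapper', value: new Number(3), mustThrow: false, expected: '3' },
];

// Same call shape as the report: one call site that sees mixed receivers.
function callToString(receiver) {
  return Number.prototype.toString.call(receiver);
}

// Classify one call: did it throw TypeError, and what did it return?
function observe(receiver) {
  try {
    return { threw: false, result: callToString(receiver) };
  } catch (e) {
    return { threw: e instanceof TypeError, result: undefined };
  }
}

// Repeat every case so the call site becomes hot enough for optimizing
// tiers, and record the first iteration where a case breaks the spec.
function findDivergences(iterations) {
  const divergences = [];
  const seen = new Set();
  for (let i = 0; i < iterations; i++) {
    for (const c of CASES) {
      if (seen.has(c.label)) continue;
      const o = observe(c.value);
      const ok = c.mustThrow ? o.threw : !o.threw && o.result === c.expected;
      if (ok) continue;
      seen.add(c.label);
      divergences.push({ label: c.label, iteration: i, got: o });
    }
  }
  return divergences;
}

const log = typeof print === 'function' ? print : console.log;
log(JSON.stringify(findDivergences(20000)));
```

An empty array means every tier agreed with the spec; a non-zero `iteration` in an entry means the call behaved correctly while cold and changed only after warm-up, which is the pattern the report attributes to the DFG.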