[Webkit-unassigned] [Bug 253489] New: op_iterator_open should take slow path when iterator is Non-Object in baselineJIT

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Mar 6 23:47:39 PST 2023


https://bugs.webkit.org/show_bug.cgi?id=253489

            Bug ID: 253489
           Summary: op_iterator_open should take slow path when iterator
                    is Non-Object in baselineJIT
           Product: WebKit
           Version: WebKit Local Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: entryhii at gmail.com

for (let v0 = 0; v0 < 10; v0++) {   // repeat so later iterations run in the baseline JIT
  try {
    const v1 = [129, 127];
    const v3 = Symbol.iterator;
    v1[v3] = Symbol;                 // @@iterator now returns a symbol primitive, not an object
    [] = v1;                         // array destructuring opens the iterator; should throw TypeError
    print(1)                         // should never be reached
  } catch (e10) {

  }
}

With the above script as input to JSC, run JSC with the following parameters:
./jsc test.js --useConcurrentJIT=0 --jitPolicyScale=0

The correct result should print nothing, but JSC prints "1" in the baseline JIT. The problem may be in op_iterator_open in the baseline JIT. In LLInt, JSC checks whether the iterator is a JSCell or a JSObject. However, in baseline, JSC only checks whether the iterator is a JSCell; the JSObject check is ignored. In this way, no exception is thrown in the baseline JIT.

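Added example, not part of the bug report and not JavaScriptCore code: a JavaScript model of the ECMAScript GetIterator step that op_iterator_open implements, together with a probe that runs the reporter's pattern through four syntaxes that all go through GetIterator in whatever engine executes the file. The function names (getIteratorPerSpec, probeIteratorOpen, classifyIteratorResults) are our own.

```javascript
// Added example (not from the bug report, not JSC code). Models the spec's
// GetIterator check and probes the host engine with the reporter's pattern.

// Spec model of GetIterator: call @@iterator, require an Object result,
// then read `next` once to build the Iterator Record.
function getIteratorPerSpec(obj) {
  const method = obj[Symbol.iterator];
  if (typeof method !== "function") {
    throw new TypeError("object is not iterable (@@iterator is not callable)");
  }
  const iterator = method.call(obj);
  // This is the check the report says the baseline JIT skips: the value
  // returned by @@iterator must be an Object. A JSCell test alone is not
  // enough, because symbol (and string, heap bigint) primitives are cells
  // in JSC without being objects.
  if (iterator === null ||
      (typeof iterator !== "object" && typeof iterator !== "function")) {
    throw new TypeError("result of the Symbol.iterator method is not an object");
  }
  const next = iterator.next;
  return { iterator, next, done: false };
}

// Runs a thunk and classifies what happened.
function outcomeOf(thunk) {
  try { thunk(); return "ok"; }
  catch (e) { return e instanceof TypeError ? "TypeError" : "other:" + e.name; }
}

// The reporter's case: @@iterator is Symbol itself, so calling it yields a
// symbol primitive rather than an iterator object.
function makeReproArray() {
  const v1 = [129, 127];
  v1[Symbol.iterator] = Symbol;
  return v1;
}

function probeIteratorOpen() {
  const v1 = makeReproArray();
  return {
    // Spec model: must be TypeError.
    model: outcomeOf(() => getIteratorPerSpec(v1)),
    // Host engine, four syntaxes that all open the iterator via GetIterator.
    arrayDestructuring: outcomeOf(() => { [] = v1; }),
    forOf: outcomeOf(() => { for (const _ of v1) { } }),
    spread: outcomeOf(() => [...v1]),
    arrayFrom: outcomeOf(() => Array.from(v1)),
  };
}

// Different @@iterator return values, to show exactly which ones the spec
// rejects: every non-object (primitives including symbols, and null) is a
// TypeError; plain objects and function objects are accepted.
function classifyIteratorResults() {
  const cases = {
    symbolPrimitive: Symbol,
    numberPrimitive: () => 42,
    stringPrimitive: () => "abc",
    nullValue: () => null,
    plainObject: () => ({ next: () => ({ done: true, value: undefined }) }),
    functionObject: () => Object.assign(function () {}, { next: () => ({ done: true }) }),
  };
  const result = {};
  for (const [name, fn] of Object.entries(cases)) {
    const o = { [Symbol.iterator]: fn };
    result[name] = outcomeOf(() => getIteratorPerSpec(o));
  }
  return result;
}
```

In a conforming engine every entry of probeIteratorOpen() is "TypeError"; an engine with the reported baseline JIT behaviour would return "ok" for the host-engine entries once the code has tiered up, while the spec model still reports "TypeError".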