[Webkit-unassigned] [Bug 253634] New: Bound function optimization is observable with instanceof
bugzilla-daemon at webkit.org
Thu Mar 9 00:19:31 PST 2023
https://bugs.webkit.org/show_bug.cgi?id=253634
Bug ID: 253634
Summary: Bound function optimization is observable with instanceof
Product: WebKit
Version: Safari Technology Preview
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: jdemooij at mozilla.com
Created attachment 465371
--> https://bugs.webkit.org/attachment.cgi?id=465371&action=review
Test
When binding an already-bound function, JSC tries to flatten this chain. This optimization is observable with `instanceof` because it gets the bound function's immediate target and does a `Symbol.hasInstance` lookup on it.
See the attached testcase. It should alert 10000 but I get 0 with Safari Technology Preview 165.
--
You are receiving this mail because:
You are the assignee for the bug.
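
The behaviour the report describes, as an added example that is not the attached testcase and not code from the reporter: under ECMAScript's OrdinaryHasInstance, `instanceof` on a bound function recurses into its immediate target, so a `Symbol.hasInstance` handler defined on the inner bound function has to run on every check. The function and variable names below are assumptions made for illustration.

```javascript
// Added example: detects whether an engine skips the intermediate bound
// function when evaluating `instanceof` on a doubly bound function.
function checkBoundChain(iterations) {
  function target() {}

  // First bind: the immediate target of the outer bound function.
  const inner = target.bind(null);

  let handlerCalls = 0;
  // Function.prototype[Symbol.hasInstance] is non-writable, so an own
  // property has to be created with defineProperty, not assignment.
  Object.defineProperty(inner, Symbol.hasInstance, {
    value(candidate) {
      handlerCalls++;
      return candidate.tagged === true;
    },
  });

  // Second bind: a flattening optimization would point this at `target`.
  const outer = inner.bind(null);

  const tagged = { tagged: true };
  let taggedMatches = 0;
  for (let i = 0; i < iterations; i++) {
    // Spec path: outer -> OrdinaryHasInstance -> inner -> handler above.
    if (tagged instanceof outer) taggedMatches++;
  }

  // An untagged object reaches the same handler but is rejected by it.
  const plainMatches = ({}) instanceof outer;

  return { handlerCalls, taggedMatches, plainMatches };
}

// A conforming engine reports one handler call per instanceof evaluation.
console.log(checkBoundChain(10000));
```

If the chain is flattened, the handler on `inner` is never consulted, so both counters stay at zero.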