Bug 253634

Summary: [JSC] Bound function optimization is observable with instanceof
Product: WebKit
Reporter: Jan de Mooij <jdemooij>
Component: JavaScriptCore
Assignee: Yusuke Suzuki <ysuzuki>
Status: RESOLVED FIXED
Severity: Normal
CC: mark.lam, webkit-bug-importer, ysuzuki
Priority: P2
Keywords: InRadar
Version: Safari Technology Preview
Hardware: Unspecified
OS: Unspecified
Attachments: Test (flags: none)

Description Jan de Mooij 2023-03-09 00:19:31 PST
Created attachment 465371: Test

When binding an already-bound function, JSC tries to flatten this chain. This optimization is observable with `instanceof` because it gets the bound function's immediate target and does a `Symbol.hasInstance` lookup on it.

See the attached testcase. It should alert 10000 but I get 0 with Safari Technology Preview 165.
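The lookup the description refers to, as an added example written for this page (it is not the attached test case and not WebKit code): it builds a bound function whose immediate target is itself a bound function, installs an own `Symbol.hasInstance` on that intermediate function, and counts how many times `instanceof` reaches it. Per ECMA-262, OrdinaryHasInstance on a bound function recurses through InstanceofOperator on its [[BoundTargetFunction]], which performs the `Symbol.hasInstance` lookup on that target, so the hook must fire once per check; an engine that rewrites the outer function's target to the original plain function skips it. The reference walker takes the bound-target relation as an explicit map because [[BoundTargetFunction]] is not reachable from script. The function names, the 10000-iteration loop (so an optimizing tier has a chance to run) and the `{}` test object are this example's own choices.

```javascript
// Added example: is the Symbol.hasInstance lookup on an intermediate bound
// function observable through `instanceof`? (Not the attached test case.)

// Builds target <- inner (bound) <- outer (bound), with an own
// Symbol.hasInstance hook on `inner` that counts how often it is reached.
// `boundTargets` records each bound function's [[BoundTargetFunction]] for
// the reference walker below, since that internal slot is not visible to script.
function makeChain() {
  function target() {}
  const inner = target.bind(null);
  let hookCalls = 0;
  Object.defineProperty(inner, Symbol.hasInstance, {
    value(obj) { hookCalls += 1; return false; },
    configurable: true,
  });
  const outer = inner.bind(null);
  const boundTargets = new Map([[inner, target], [outer, inner]]);
  return { outer, boundTargets, hookCount: () => hookCalls };
}

// Reference for ECMA-262 InstanceofOperator(V, target).
function specInstanceof(obj, fn, boundTargets) {
  const handler = fn[Symbol.hasInstance]; // GetMethod(target, @@hasInstance)
  if (handler !== undefined && handler !== Function.prototype[Symbol.hasInstance]) {
    return Boolean(handler.call(fn, obj)); // user-installed hook decides
  }
  return ordinaryHasInstance(fn, obj, boundTargets); // what the default hook does
}

// Reference for ECMA-262 OrdinaryHasInstance(C, O).
function ordinaryHasInstance(fn, obj, boundTargets) {
  if (typeof fn !== 'function') return false;
  if (boundTargets.has(fn)) {
    // Bound function: recurse through InstanceofOperator on the immediate
    // bound target, which repeats the @@hasInstance lookup on that target.
    // Flattening the chain to the final target would skip this lookup.
    return specInstanceof(obj, boundTargets.get(fn), boundTargets);
  }
  if (obj === null || (typeof obj !== 'object' && typeof obj !== 'function')) return false;
  const proto = fn.prototype;
  if (proto === null || (typeof proto !== 'object' && typeof proto !== 'function')) {
    throw new TypeError('prototype is not an object');
  }
  for (let p = Object.getPrototypeOf(obj); p !== null; p = Object.getPrototypeOf(p)) {
    if (p === proto) return true;
  }
  return false;
}

// Number of times the engine's own `instanceof` reached the intermediate hook.
function nativeHookCalls(iterations = 10000) {
  const chain = makeChain();
  const obj = {}; // constructed test object; not an instance of anything in the chain
  for (let i = 0; i < iterations; i++) void (obj instanceof chain.outer);
  return chain.hookCount();
}

// Same count under the reference walk; the spec answer is one call per check.
function specHookCalls(iterations = 10000) {
  const chain = makeChain();
  const obj = {};
  for (let i = 0; i < iterations; i++) specInstanceof(obj, chain.outer, chain.boundTargets);
  return chain.hookCount();
}

console.log(`native: ${nativeHookCalls()}  spec: ${specHookCalls()}  (expected 10000 each)`);
```

A conforming engine reports the same count from both functions; a count of 0 from `nativeHookCalls` while `specHookCalls` reports the iteration count is exactly the divergence the report describes.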
Comment 1 Radar WebKit Bug Importer 2023-03-09 06:37:30 PST
<rdar://problem/106498460>
Comment 2 Yusuke Suzuki 2023-03-10 14:57:22 PST
Pull request: https://github.com/WebKit/WebKit/pull/11385