Bug 253634

Summary:

[JSC] Bound function optimization is observable with instanceof

Product:

WebKit

Reporter:

Jan de Mooij <jdemooij>

Component:

JavaScriptCore

Assignee:

Yusuke Suzuki <ysuzuki>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

mark.lam, webkit-bug-importer, ysuzuki

Priority:

Keywords:

InRadar

Version:

Safari Technology Preview

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Test	none

Jan de Mooij

Reported 2023-03-09 00:19:31 PST

Created attachment 465371 [details] Test When binding an already-bound function, JSC tries to flatten this chain. This optimization is observable with `instanceof` because it gets the bound function's immediate target and does a `Symbol.hasInstance` lookup on it. See the attached testcase. It should alert 10000 but I get 0 with Safari Technology Preview 165.

Attachments
Test (339 bytes, text/html) 2023-03-09 00:19 PST, Jan de Mooij	no flags	Details
View All Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2023-03-09 06:37:30 PST

<rdar://problem/106498460>

Yusuke Suzuki

Comment 2 2023-03-10 14:57:22 PST

Pull request: https://github.com/WebKit/WebKit/pull/11385

Yusuke Suzuki

Comment 3 2023-03-13 10:22:09 PDT

https://github.com/WebKit/WebKit/commit/d1911bf073cc55fc8ca76bcee8b4783539e43c2e

Note You need to log in before you can comment on or make changes to this bug.