| Summary: | [JSC] StringConstructor constant function inlining is incorrect in case of [[Construct]] | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | EntryHi <entryhii> |
| Component: | JavaScriptCore | Assignee: | Alexey Shvayka <ashvayka> |
| Status: | RESOLVED FIXED | ||
| Severity: | Normal | CC: | ashvayka, cdumez, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | ||
| Hardware: | All | ||
| OS: | All | ||

Pull request: https://github.com/WebKit/WebKit/pull/13987

Committed 264191@main (4c2728c1626b): <https://commits.webkit.org/264191@main>

Reviewed commits have been landed. Closing PR #13987 and removing active labels.

*********************
function f1(a2,a3) {
    const v5 = new String(a3);
    print(v5)
    return String;
}
const v8 = new Proxy(String, {"get": f1});
try {
    v8["split"](v8);
} catch (e12) {}
*********************

With the above script as input to JSC, run JSC with the following parameters:

./jsc test.js --useConcurrentJIT=0 --jitPolicyScale=0

In LLInt (executing the above script with --jitPolicyScale=1), JSC throws an exception (symbol cannot convert into string), but in JIT, JSC doesn't throw any exception. The problem may be in Node CallStringConstructor. When the parameter is a Symbol, DFG invokes asSymbol(argument)->descriptiveString instead of throwing an exception.
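
A tier-consistency regression check for the behaviour reported above, as an added example that is not part of the original report or of WebKit's test suite: by the ECMAScript String constructor semantics, `String(symbol)` ([[Call]]) returns the descriptive string, while `new String(symbol)` ([[Construct]]) must throw a TypeError, and that must hold at every iteration no matter which tier runs the code. The helper names and the iteration count are assumptions chosen for illustration; the proxy case mirrors the report's shape, where the get trap is also reached with a Symbol key during string conversion of the proxy.

```javascript
// Added example (not from the report). All names here are hypothetical.
const ITERATIONS = 20000; // assumption: enough repetitions to reach optimizing tiers

function constructWith(arg) { return new String(arg); } // [[Construct]] path
function callWith(arg) { return String(arg); }          // [[Call]] path

// Classify one invocation as a primitive string, a wrapper object, or an error.
function outcome(fn, arg) {
  try {
    const v = fn(arg);
    return typeof v === "string" ? "string:" + v : "object:" + v.valueOf();
  } catch (e) {
    return e instanceof TypeError ? "TypeError" : "error:" + e.name;
  }
}

// Repeat the call and collect every distinct outcome seen. A correct engine
// yields exactly one outcome; a second one means a tier changed semantics.
function outcomesAcrossTiers(fn, arg, iterations = ITERATIONS) {
  const seen = new Set();
  for (let i = 0; i < iterations; i++) seen.add(outcome(fn, arg));
  return [...seen].sort();
}

// Same shape as the reported script: the get trap constructs a String from the
// property key. Converting the proxy to a string looks up Symbol.toPrimitive
// through the trap, so the trap runs `new String(<Symbol>)`, which must throw.
function proxyTrapOutcomes(iterations = ITERATIONS) {
  const seen = new Set();
  const trap = (target, key) => { new String(key); return String; };
  const proxied = new Proxy(String, { get: trap });
  for (let i = 0; i < iterations; i++) {
    try {
      proxied["split"](proxied);
      seen.add("no exception");
    } catch (e) {
      seen.add(e instanceof TypeError ? "TypeError" : "error:" + e.name);
    }
  }
  return [...seen].sort();
}

const sym = Symbol("x"); // constructed sample input
console.log("call:     ", outcomesAcrossTiers(callWith, sym));
console.log("construct:", outcomesAcrossTiers(constructWith, sym));
console.log("proxy:    ", proxyTrapOutcomes());
```

Any result set containing more than one entry, or "no exception" for the proxy case, indicates that a tier diverged from the interpreter's behaviour.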