Bug 256437

Summary: Iterator does not throw an exception when it is non-object in baselineJIT
Product: WebKit Reporter: vettalyray
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: NEW ---    
Severity: Normal CC: mark.lam, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Local Build   
Hardware: All   
OS: All   

Description vettalyray 2023-05-07 18:47:17 PDT 
===========test.js===========
for (let i = 0; i < 50; i++) {
  try {
    const arr = [100, 101];
    arr[Symbol.iterator] = Symbol;
    [] = arr;
    print("hello")
  } catch (e) {}
}
=========end of test.js======
Run args:
./jsc test.js --useConcurrentJIT=0 --jitPolicyScale=0

JSC wrongly print "hello" in baselineJIT instead of throwing an exception.
Comment 1 Alexey Proskuryakov 2023-05-08 15:14:10 PDT 
I can reproduce on macOS (13.4 beta).
Comment 2 Radar WebKit Bug Importer 2023-05-14 18:48:18 PDT 
<rdar://problem/109332913>
Comment 3 Sosuke Suzuki 2024-06-07 12:38:25 PDT 
Pull request: https://github.com/WebKit/WebKit/pull/29634