Bug 253489 - op_iterator_open should take slow path when iterator is Non-Object in baselineJIT
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Local Build
Hardware: PC Linux
Importance: P2 Normal
Assignee: Nobody
Keywords: InRadar
Reported: 2023-03-06 23:47 PST by EntryHi
Modified: 2023-03-14 00:48 PDT (History)
Description EntryHi 2023-03-06 23:47:39 PST
// Loop enough times for the baseline JIT to tier up with --jitPolicyScale=0.
for (let v0 = 0; v0 < 10; v0++) {
  try {
    const v1 = [129, 127];
    const v3 = Symbol.iterator;
    // Symbol() returns a primitive symbol, so the "iterator" is a JSCell
    // but not a JSObject; op_iterator_open must throw a TypeError here.
    v1[v3] = Symbol;
    [] = v1;
    print(1); // must never be reached
  } catch (e10) {
    // expected path: the TypeError from iterator_open is swallowed
  }
}

With the above script as input to JSC, run JSC with the following parameters:
./jsc test.js --useConcurrentJIT=0 --jitPolicyScale=0

The correct result should print nothing, but JSC prints "1" in baselineJIT. The problem may be in op_iterator_open in baselineJIT. In LLInt, JSC will judge whether the iterator is a JSCell or a JSObject. However, in baseline, JSC only judges whether the iterator is a JSCell; JSObject is ignored. In this way, no exception will be thrown in baselineJIT.
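As an added regression probe (not part of the report or of WebKit's code), the check below exercises the spec rule the report describes, that GetIterator must throw a TypeError whenever the value returned by @@iterator is not an Object. It goes beyond the single Symbol case in the report and covers every primitive kind, grouped by whether JSC would represent it as a JSCell (symbol, string, bigint) or not (undefined, null, number, boolean), plus a real iterator object that must be accepted; the helper names and the probe values are my own.

```javascript
// Builds an array whose @@iterator method returns the given value, mirroring
// the shape of the reporter's test case (v1[Symbol.iterator] = ...).
function makeProbe(iteratorValue) {
  const arr = [129, 127];
  arr[Symbol.iterator] = () => iteratorValue;
  return arr;
}

// Runs an empty array-destructuring assignment, which opens the iterator but
// never calls next(). Returns "TypeError", "ok", or another error's name.
function iteratorOpenResult(iteratorValue) {
  try {
    [] = makeProbe(iteratorValue);
    return "ok";
  } catch (e) {
    return e instanceof TypeError ? "TypeError" : e.constructor.name;
  }
}

// Constructed probe values, grouped by JSC's representation of them.
const CASES = {
  // Not heap cells at all: an "is JSCell" check already rejects these.
  undefined: undefined,
  null: null,
  number: 42,
  boolean: true,
  // Heap-allocated primitives: JSCell but not JSObject. This is the gap the
  // report describes; a JSCell-only check lets them through.
  symbol: Symbol("iter"),
  string: "not an iterator",
  bigint: 10n ** 30n,
  // A real iterator object: must open without throwing.
  properIterator: { next: () => ({ done: true, value: undefined }) },
};

// Returns a name -> result map; every primitive must map to "TypeError".
function runAllCases() {
  const results = {};
  for (const [name, value] of Object.entries(CASES)) {
    results[name] = iteratorOpenResult(value);
  }
  return results;
}
```

Under a correct engine (or a fixed JSC tier) every entry except properIterator yields "TypeError"; a tier that only checks "is JSCell" would instead report "ok" for symbol, string and bigint.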
Comment 1 Radar WebKit Bug Importer 2023-03-14 00:48:14 PDT
<rdar://problem/106687293>