253489 – op_iterator_open should take slow path when iterator is Non-Object in baselineJIT

NEW253489

op_iterator_open should take slow path when iterator is Non-Object in baselineJIT

https://bugs.webkit.org/show_bug.cgi?id=253489

Summary op_iterator_open should take slow path when iterator is Non-Object in baselin...

EntryHi

Reported 2023-03-06 23:47:39 PST

for (let v0 = 0; v0 < 10; v0++) { try { const v1 = [129, 127]; const v3 = Symbol.iterator; v1[v3] = Symbol; [] = v1; print(1) } catch (e10) { } } With the above script as input to JSC, run JSC with the following parameters: ./jsc test.js --useConcurrentJIT=0 --jitPolicyScale=0 The correct result should print nothing, but JSC print "1" in baselineJIT. The problem may be in op_iterator_open in baselineJIT. In LLInt, JSC will judge whether iterator is JSCell or JSObject. However, in baseline, JSC only judge whether iterator is JSCell, JSObect is ignored. In this way, no exception will be thrown in baselineJIT.

Attachments
Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2023-03-14 00:48:14 PDT

<rdar://problem/106687293>

Note You need to log in before you can comment on or make changes to this bug.

Status NEW

Resolution

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Local Build

Hardware PC

OS Linux

Product WebKit

Component JavaScriptCore

Assignee

Nobody

Reported

2023-03-06 23:47 PST

Modified

2023-03-14 00:48 PDT History

CC List

1 user Show

URL

Keywords InRadar

Depends on

Blocks