Bug 255512 - [JSC] StringConstructor constant function inlining is incorrect in case of [[Construct]]
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: All All
: P2 Normal
Assignee: Alexey Shvayka
Keywords: InRadar
Reported: 2023-04-17 04:56 PDT by EntryHi
Modified: 2023-05-17 21:31 PDT
Description EntryHi 2023-04-17 04:56:29 PDT
*********************
function f1(a2,a3) {
  // Proxy `get` trap: a2 is the target (String), a3 is the property key.
  // Once a3 is Symbol.toPrimitive (see below), this [[Construct]] must
  // throw a TypeError, because new String(x) performs ToString(x).
  const v5 = new String(a3);
  print(v5); // JSC shell builtin
  return String;
}
const v8 = new Proxy(String, {"get": f1});

try {
  // get("split") returns String; String(v8) then runs ToString(v8), which
  // looks up v8[Symbol.toPrimitive] and re-enters the trap with a Symbol key.
  v8["split"](v8);
} catch (e12) {}

*********************

With the above script as input to JSC, run JSC with the following parameters:
./jsc test.js --useConcurrentJIT=0 --jitPolicyScale=0

In LLInt (executing the above script with --jitPolicyScale=1), JSC throws an exception (symbol cannot convert into string), but in JIT, JSC doesn't throw any exception.

The problem may be in Node CallStringConstructor. When the parameter is a Symbol, DFG invokes asSymbol(argument)->descriptiveString instead of throwing an exception.
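Added example (not from the bug report or WebKit's code) showing the two behaviours the report contrasts: String called as a function on a Symbol returns its descriptive string, while new String on a Symbol must throw TypeError, and why the reporter's proxy script reaches that path. It assumes a host without JSC's print(), so results are returned instead of printed.

```javascript
// [[Call]] vs [[Construct]] of String on the same value. Per the spec,
// String(sym) returns SymbolDescriptiveString(sym); new String(sym) runs
// ToString(sym), which throws. An engine that inlines both as one
// "call String" node loses the throw, which is the bug in this report.
function stringCallVsConstruct(value) {
  const result = { call: String(value), construct: undefined };
  try {
    result.construct = new String(value).valueOf();
  } catch (e) {
    result.construct = e instanceof TypeError ? "TypeError" : "other";
  }
  return result;
}

// The reporter's script, restated to record which keys the `get` trap sees
// and what finally happens. On a conforming engine the outcome is
// "TypeError"; the buggy JIT path completed without an exception.
function runProxyRepro() {
  const keys = [];
  const proxy = new Proxy(String, {
    get(target, key) {
      keys.push(typeof key === "symbol" ? key.toString() : key);
      // First call: key is "split", so this constructs fine.
      // Second call: String(proxy) below does ToString(proxy), which reads
      // proxy[Symbol.toPrimitive] and re-enters here with a Symbol key.
      new String(key);
      return String;
    },
  });
  try {
    proxy["split"](proxy); // same call shape as the bug report
    return { keys, outcome: "no exception" };
  } catch (e) {
    return { keys, outcome: e instanceof TypeError ? "TypeError" : "other" };
  }
}
```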
Comment 1 Radar WebKit Bug Importer 2023-04-24 04:57:20 PDT
<rdar://problem/108448272>
Comment 2 Alexey Shvayka 2023-05-17 14:55:34 PDT
Pull request: https://github.com/WebKit/WebKit/pull/13987
Comment 3 EWS 2023-05-17 21:31:15 PDT
Committed 264191@main (4c2728c1626b): <https://commits.webkit.org/264191@main>

Reviewed commits have been landed. Closing PR #13987 and removing active labels.