Bug 256941 - Function.prototype.caller gives different values
Summary: Function.prototype.caller gives different values
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Local Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2023-05-17 19:24 PDT by YuHao Hu
Modified: 2023-05-24 19:25 PDT

See Also:


Attachments
poc (238 bytes, text/plain)
2023-05-17 19:24 PDT, YuHao Hu

Description YuHao Hu 2023-05-17 19:24:26 PDT
Created attachment 466392
poc

run with:
```
./WebKitBuild/Debug/bin/jsc --useConcurrentJIT=0 --jitPolicyScale=0.001 poc.js
```

output:
```
true false false // for loop i = 0
false true false // for loop i = 1
false false true // main
```

The opt function was called 3 times. It was called from `a.valueOf` two times, and the 1st time JSC says caller is null, while the 2nd time JSC says caller is `opt`.

Comment 1 Radar WebKit Bug Importer 2023-05-24 19:25:16 PDT
<rdar://problem/109808960>