Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 4c2728c1626b6d8e7da0e1f6776ea96909088666
https://github.com/WebKit/WebKit/commit/4c2728c1626b6d8e7da0e1f6776ea96909088666
Author: Alexey Shvayka <[email protected]>
Date: 2023-05-17 (Wed, 17 May 2023)
Changed paths:
A JSTests/stress/regress-255512.js
M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
Log Message:
-----------
[JSC] StringConstructor constant function inlining is incorrect in case of [[Construct]]
https://bugs.webkit.org/show_bug.cgi?id=255512
<rdar://problem/108448272>
Reviewed by Yusuke Suzuki.

Before this change, StringConstructor constant function, when invoked via [[Construct]], was inlined to

    NewStringObject(CallStringConstructor(argument1))

which was incorrect given StringConstructor has special-casing for Symbol argument [1] only when invoked via [[Call]].

This patch replaces CallStringConstructor with ToString which throws for symbols rather than returning their description string.

[1] https://tc39.es/ecma262/#sec-string-constructor-string-value (step 2.a)

* JSTests/stress/regress-255512.js: Added.
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleConstantFunction):
Canonical link: https://commits.webkit.org/264191@main
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
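
The [[Call]] versus [[Construct]] distinction described in the log message can be checked from script. The following is an added example, not the JSTests/stress/regress-255512.js file from the commit; the function names and the iteration count are assumptions chosen for illustration. It runs each invocation form repeatedly so that an engine with tiered compilation may inline the constructor, and records any iteration where the observable result differs from the specification.

```javascript
// Added conformance check; names and iteration count are assumptions.
const sym = Symbol("desc");

// [[Call]]: String(value) special-cases a Symbol argument (step 2.a of the
// spec section cited in the commit) and returns a string.
function callString(value) {
  return String(value);
}

// [[Construct]]: step 2.a does not apply, so ToString(value) runs and
// must throw a TypeError for a Symbol.
function constructString(value) {
  return new String(value);
}

// Same [[Construct]] path, reached through Reflect.construct.
function reflectConstructString(value) {
  return Reflect.construct(String, [value]);
}

// Classifies what fn(value) does without letting the exception escape.
function outcome(fn, value) {
  try {
    fn(value);
    return "returned";
  } catch (e) {
    return e instanceof TypeError ? "TypeError" : "other";
  }
}

// Repeats every path; returns labels of iterations whose result was wrong.
function checkConsistency(iterations) {
  const failures = [];
  for (let i = 0; i < iterations; i++) {
    if (callString(sym) !== "Symbol(desc)") failures.push(`call@${i}`);
    if (outcome(constructString, sym) !== "TypeError") failures.push(`new@${i}`);
    if (outcome(reflectConstructString, sym) !== "TypeError") failures.push(`reflect@${i}`);
    // Non-Symbol arguments must still yield a String wrapper object.
    const wrapped = constructString(i);
    if (typeof wrapped !== "object" || wrapped.valueOf() !== String(i)) failures.push(`wrap@${i}`);
  }
  return failures;
}
```

An empty array from checkConsistency means every iteration behaved the same before and after any JIT tier-up.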