Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: dfddac02cb487ee92e448f97775662f2e1571c2c
      
https://github.com/WebKit/WebKit/commit/dfddac02cb487ee92e448f97775662f2e1571c2c
  Author: Sosuke Suzuki <[email protected]>
  Date:   2026-03-09 (Mon, 09 Mar 2026)

  Changed paths:
    A JSTests/stress/math-pow-one-argument-to-number.js
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

  Log Message:
  -----------
  [JSC] DFG should preserve ToNumber side-effect for Math.pow with one argument
https://bugs.webkit.org/show_bug.cgi?id=309541

Reviewed by Justin Michaud.

When Math.pow(x) is called with a single argument, DFG ByteCodeParser
unconditionally folds it to a NaN constant and drops the argument
entirely. However, the runtime implementation (mathProtoFuncPow) always
calls argument(0).toNumber(), which has observable side effects:
valueOf/Symbol.toPrimitive invocations, or throwing TypeError for
Symbol/BigInt.

This causes tier-inconsistent behavior: before DFG tier-up, valueOf is
invoked on every call; after tier-up, the side effect silently
disappears.

Fix by splitting the < 3 argument check: for the 1-argument case, emit
a Phantom with NumberUse edge on the argument before returning NaN.
This forces OSR exit when a non-number is passed, falling back to
baseline where ToNumber runs correctly. This mirrors the existing
pattern in handleMinMax for Math.max(x)/Math.min(x).

Test: JSTests/stress/math-pow-one-argument-to-number.js

* JSTests/stress/math-pow-one-argument-to-number.js: Added.
(shouldBe):
(let.obj.valueOf):
(test):
(testThrow):
(let.throwObj.valueOf):
(catch):
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):

Canonical link: https://commits.webkit.org/308954@main
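As an added example (not code from the commit or from WebKit's test suite), the script below reproduces the observable behaviour the message describes from plain JavaScript: the ToNumber conversion that Math.pow performs on its first argument must happen on every call, even in the one-argument case where the result is always NaN. The function names (`countToNumberCalls`, `toPrimitiveObserved`, `powOneArgThrowsTypeError`) are this example's own; the hot loop is there so a JIT engine gets the chance to tier up, which is where the reported inconsistency appeared.

```javascript
// Added example, not part of the WebKit commit: verifies that Math.pow(x)
// with a single argument still runs ToNumber(x) on every call, so the
// conversion's side effects (valueOf / Symbol.toPrimitive / TypeError for
// Symbol and BigInt) are observable regardless of how hot the call site is.

// Object whose valueOf records how many times the engine converted it.
function makeCountingObject() {
  const state = { calls: 0 };
  const obj = {
    valueOf() {
      state.calls += 1;
      return 2;
    },
  };
  return { obj, state };
}

// Calls Math.pow(obj) `iterations` times in a loop long enough to tier up in
// a JIT and returns how many valueOf invocations were observed. Spec-correct
// behaviour is exactly one conversion per call and a NaN result every time
// (the missing second argument converts to NaN via ToNumber(undefined)).
function countToNumberCalls(iterations) {
  const { obj, state } = makeCountingObject();
  let nanResults = 0;
  for (let i = 0; i < iterations; i++) {
    if (Number.isNaN(Math.pow(obj))) nanResults += 1;
  }
  return { calls: state.calls, nanResults };
}

// Symbol.toPrimitive takes precedence over valueOf and must be observed too.
function toPrimitiveObserved() {
  let seen = 0;
  const obj = { [Symbol.toPrimitive]() { seen += 1; return 3; } };
  Math.pow(obj);
  return seen;
}

// Returns true if Math.pow(value) throws a TypeError, which ToNumber requires
// for Symbol and BigInt inputs even though the result would be NaN anyway.
function powOneArgThrowsTypeError(value) {
  try {
    Math.pow(value);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```

Running the same checks on each engine tier (interpreter, baseline, DFG) is what the committed stress test does in JSC; here the assertions simply state the spec-mandated outcome.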