| Summary: | Inconsistent output compared with other JS engines | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | sunlili |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED WONTFIX | ||
| Severity: | Normal | CC: | ashvayka, ysuzuki |
| Priority: | P2 | ||
| Version: | WebKit Local Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
For the reported issue, I think JSC's behavior is correct. According to https://tc39.github.io/ecma262/#sec-integerindexedelementset, which is invoked by TypedArray's [[Set]], we first perform `ToNumber(value)` at step 3 before checking length. So, v2.valueOf should be executed. And v3.y should be set. Then, I think SpiderMonkey and V8 are wrong for this code. BTW, when looking the code, I've found that JSC does not have length check on [[DefineOwnProperty]] side before performing ToNumber. I'll handle this case. (In reply to sunlili from comment #0) > However, in V8 and Firefox, output is > {} Both Chrome 85 and Firefox 79 output `{"y":"bar"}` now, just like Safari 13.1. test262 coverage: https://test262.report/browse/built-ins/TypedArrayConstructors/internals/Set/tonumber-value-throws.js (last test case). |
Hello, The following code behaves strangely (inconsistent with other engines). v1 = new (Float64Array)(); v2 = { valueOf : function () { v3.y = "bar"; return 42; } }; v3 = v1; v3[0] = v2; print(JSON.stringify(v1)); In Safari, output is {"y":"bar"} However, in V8 and Firefox, output is {} BT group 2018.6.27