187092 – Inconsistent output compared with other JS engines

Bug 187092 - Inconsistent output compared with other JS engines

Summary: Inconsistent output compared with other JS engines

Status:	RESOLVED WONTFIX

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	WebKit Local Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:

Depends on:
Blocks:

Reported:	2018-06-27 06:05 PDT by sunlili
Modified:	2020-06-07 10:01 PDT (History)
CC List:	2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description sunlili 2018-06-27 06:05:21 PDT

Hello,
The following code behaves strangely (inconsistent with other engines).

v1 = new (Float64Array)();
v2 = {
    valueOf : function () {
        v3.y = "bar";
        return 42; }
};
v3 = v1;
v3[0] = v2;
print(JSON.stringify(v1));

In Safari, output is
{"y":"bar"}

However, in V8 and Firefox, output is
{}

BT group
2018.6.27

Comment 1 Yusuke Suzuki 2018-07-10 20:44:46 PDT

For the reported issue, I think JSC's behavior is correct.
According to https://tc39.github.io/ecma262/#sec-integerindexedelementset, which is invoked by TypedArray's [[Set]],
we first perform `ToNumber(value)` at step 3 before checking length.
So, v2.valueOf should be executed. And v3.y should be set. Then, I think SpiderMonkey and V8 are wrong for this code.

BTW, when looking the code, I've found that JSC does not have length check on [[DefineOwnProperty]] side before performing ToNumber.
I'll handle this case.

Comment 2 Alexey Shvayka 2020-06-07 10:01:52 PDT

(In reply to sunlili from comment #0)
> However, in V8 and Firefox, output is
> {}

Both Chrome 85 and Firefox 79 output `{"y":"bar"}` now, just like Safari 13.1.
test262 coverage: https://test262.report/browse/built-ins/TypedArrayConstructors/internals/Set/tonumber-value-throws.js (last test case).