[Webkit-unassigned] [Bug 180190] New: [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Nov 30 05:15:08 PST 2017


https://bugs.webkit.org/show_bug.cgi?id=180190

            Bug ID: 180190
           Summary: [DFG][FTL] operationHasIndexedProperty does not
                    consider negative int32_t
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: utatane.tea at gmail.com

Reported by @azu_re. https://twitter.com/azu_re/status/936187554235170816

// Test inputs for the reproduction: a negative integer key and an object
// that owns a property under that key.
var k = -1;  // Non-negative k (k >= 0) does not reproduce the problem; negative k (k < 0) does.
var o = {};
// Property keys are strings, so this defines the own property "-1" on o.
// From this point on, `k in o` is required to evaluate to true.
o[k] = true;

/**
 * Asserts that the negative integer key `k` is reported as present in `o`.
 *
 * Returns normally when `k in o` is true. Because `o[k]` was assigned before
 * any call, the throw below is reachable only if the engine evaluates
 * `k in o` incorrectly.
 *
 * NOTE(review): the bug title attributes the wrong result to
 * operationHasIndexedProperty in the DFG/FTL tiers not handling a negative
 * int32_t index; nothing in this script shows that directly.
 *
 * @throws {Error} "Never reach" when `k in o` evaluates to false.
 */
function f() {
    // The string-keyed form, `(k + "") in o`, does not show the problem.
    if (k in o) {
        return;
    }
    // `k in o` must be true, but Safari 11 reaches this line.
    throw new Error("Never reach");
}
// noInline is a JSC shell test helper, not standard JavaScript. It asks the
// JIT not to inline f into its caller, presumably so that f is compiled and
// optimized as a function of its own.
noInline(f);

// Declared outside the try block so the catch handler can report the
// iteration at which the failure occurred.
var i = 0;
try {
    // Call f many times. The failure appears only after thousands of calls
    // (see the observed ranges below), presumably once f has been compiled
    // by the optimizing tiers named in the bug title.
    for (i = 0; i < 100000; i++) {
        f();
    }
} catch (e) {
    // Reaching this handler means the bug reproduced.
    // Iteration counts at which the reporter observed the failure:
    //   Safari on iOS 11.1.2:                          i: 5000~20000
    //   Safari 11.0.1 (12604.3.5.1.1) on macOS Sierra: i: 1000~5000
    // The dump evaluates the same membership question three ways (integer
    // key, string key, hasOwnProperty) so the results can be compared.
    // print is the JSC shell's output function.
    print(e.message + " : " + JSON.stringify({
        "i": i,
        "k in o": (k in o),
        "(''+k) in o": (('' + k) in o),
        "o.hasOwnProperty(k)": o.hasOwnProperty(k)
    }, null, 2));
}

// Printed whether or not the failure was caught above.
print("Done");
