[Webkit-unassigned] [Bug 177215] New: [JSC] JSTests/stress/ftl-put-by-id-slow-exception-no-catch.js is failing due to incorrect IC

[bugzilla-daemon at webkit.org]

https://bugs.webkit.org/show_bug.cgi?id=177215

            Bug ID: 177215
           Summary: [JSC]
                    JSTests/stress/ftl-put-by-id-slow-exception-no-catch.j
                    s is failing due to incorrect IC
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ticaiolima at gmail.com

The problem is happening when an Inline Cache is created using a Structure that is collected by GC and a further Structure with a different shape is allocated at the same address. In that case, the IC code is invalid, but the Structure comparison will succeed and then the wrong offset is being used.

Steps to reproduce:

```run-jsc --count 500 JSTests/stress/ftl-put-by-id-slow-exception-no-catch.js```

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20170920/8bd6ac2e/attachment.html>