[Webkit-unassigned] [Bug 232753] New: Differential testing: miscomputation of "in" statement
bugzilla-daemon at webkit.org
Fri Nov 5 05:08:49 PDT 2021
https://bugs.webkit.org/show_bug.cgi?id=232753
Bug ID: 232753
Summary: Differential testing: miscomputation of "in" statement
Product: WebKit
Version: WebKit Local Build
Hardware: PC
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: lukas.bernhard at rub.de
During differential testing of WebKit I found a sample triggering a miscomputation in FTL related to evaluating the "in" statement in an async context.
The sample is invoked as:
WebKitBuild/Release/bin/jsc --validateOptions=true --useConcurrentJIT=false --useConcurrentGC=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --validateBCE=true --useFTLJIT=true sample.js
function main() {
    let v249;
    let v205 = "abc".repeat(18) + "\n" +
`aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaabbbbbbbbbbbbbbbaaaaa
aa setFloat64(v190,v191,aa92) a
bbbbaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaanaaaaaaaaaaaaaa
baaaaabbbaaaaanaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa1`
    for (const v223 of v205) {
        const v232 = {};
        v232[v223] = "n";
        async function v244() {
            v249 = "1" in v232;
        }
        const v252 = v244();
    }
    print(v249); // prints true in FTL (and SpiderMonkey), false in baseline
}
main();
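The same pattern written as a self-checking tier-consistency test (an added example, not the reporter's sample or WebKit code): the `"1" in obj` probe runs inside an async function many times so a tiering JIT recompiles it, and every observation is compared against the synchronous result, which ECMAScript requires to be identical because an async function body executes synchronously up to its first `await`. The key string is constructed here to resemble the report's `v205`.

```javascript
// Constructed sample key string, shaped like the report's v205: runs of
// repeated characters, a newline, and a trailing "1" as the final key.
const SAMPLE_KEYS =
  "abc".repeat(18) + "\n" + "a".repeat(40) + "b".repeat(20) + "1";

// Mirrors the report's pattern: a fresh object per key, and an async
// function that observes `"1" in obj` and stores it in an outer variable.
function observeInAsync(keys) {
  let observed;
  for (const key of keys) {
    const obj = {};
    obj[key] = "n";
    async function probe() {
      observed = "1" in obj; // no await before this, so it runs synchronously
    }
    probe(); // returned promise intentionally ignored, as in the report
  }
  return observed;
}

// Reference result computed without any async machinery.
function observeInSync(keys) {
  let observed;
  for (const key of keys) {
    const obj = {};
    obj[key] = "n";
    observed = "1" in obj;
  }
  return observed;
}

// Runs both variants `rounds` times (enough to push probe() through the
// JIT tiers) and returns how many rounds disagreed with the reference.
// A correct engine returns 0; a nonzero count localises a tier divergence
// without having to eyeball print() output.
function countTierMismatches(keys, rounds) {
  let mismatches = 0;
  for (let i = 0; i < rounds; i++) {
    if (observeInAsync(keys) !== observeInSync(keys)) mismatches++;
  }
  return mismatches;
}

console.log("tier mismatches:", countTierMismatches(SAMPLE_KEYS, 2000));
```

Running it under jsc with the same tiering thresholds as the original command line turns the report into a pass/fail check; engines without the defect report 0.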