[Webkit-unassigned] [Bug 232753] Differential testing: miscomputation of "in" statement

bugzilla-daemon at webkit.org
Tue Nov 9 00:19:59 PST 2021


https://bugs.webkit.org/show_bug.cgi?id=232753

--- Comment #4 from Lukas Bernhard <lukas.bernhard at rub.de> ---
The minimized sample I posted earlier indeed does not reproduce; however, the original finding still reproduces, and I created another reproducer:

JSC on git commit: 016f88c15b9bf0ebae0090babdad6a34e783d1b5
Build options: ./Tools/Scripts/build-jsc --jsc-only --release --cmakeargs="-ENABLE_STATIC_JSC=ON -DCMAKE_C_COMPILER='/usr/bin/clang-12' -DCMAKE_CXX_COMPILER='/usr/bin/clang++-12' -DCMAKE_CXX_FLAGS='-fsanitize-coverage=trace-pc-guard -O3 -lrt -fuse-ld=lld'"
Command line: WebKitBuild/Release/bin/jsc --validateOptions=true --useConcurrentJIT=false --useConcurrentGC=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --validateBCE=true --useFTLJIT=true sample.js
sha256sum of sample.js: c849be88c2824d47b51ef1f2283ed4ab034dd3789b7a184bff1e008f73d1ae1c

sample.js:
```
function main() {
    let v249;

    const v178 = [];

    v179 = class V179 {
        constructor(v181,v182,v183) {
        }
    };

    const v195 = [v178,v179,1];
    const v203 = {};
    const v204 = [v179,v195];
    const v205 = v204.toLocaleString();

    for (const v223 of v205) {
        const v232 = {};
        v232[v223] = "number";

        async function v244() {
            v249 = "1" in v232;
            const v250 = 0;
        }
        const v252 = v244();
    }
    print(v249);
}
main();
```
