[Webkit-unassigned] [Bug 255839] New: For-In Iterator uses wrong length.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Apr 23 00:03:30 PDT 2023


https://bugs.webkit.org/show_bug.cgi?id=255839

            Bug ID: 255839
           Summary: For-In Iterator uses wrong length.
           Product: WebKit
           Version: WebKit Local Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: entryhii at gmail.com

======================test.js========================
const v0 = [1,2,3];
for (const v1 in v0) {
  print(1)
  for (let v8 = 0; v8 < 20; v8++) {}
  Object.seal(v0);
  class C19 {}
}
=====================================================
With the above script as input to JSC, run JSC with the following parameters:
./jsc test.js --useConcurrentJIT=0  --jitPolicyScale=0  
./jsc test.js --useConcurrentJIT=0  --jitPolicyScale=0.001 

The correct result should print three "1". However, JSC prints fewer than three "1" when jitPolicyScale is 0.
The problem may be that the iterator uses the wrong length in the DFG.

Here is another example that triggers the same bug.

====================Another test.js==================
const v0 = [-2709013226, -741588015, -65535, 128, 2667997042, 65537];
for (let v3 in v0) {
  print(1)
  for (let v24 = 0; v24 < 10; v24++) {
    Object.defineProperty(v0, v24, {value: v24});
    class v12 {}
  }
}
======================================================
The parameters are the same as above.
The correct result should print six "1". However, JSC prints four "1" when jitPolicyScale is 0.
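As an added self-checking version of the two test cases above (not part of the original report), the snippet below counts for-in iterations instead of relying on printed "1"s, so it can serve as a regression check in any engine. It also adds a third, hypothetical case that deletes a not-yet-visited element, to show a mutation that legitimately does change the count, in contrast with Object.seal and Object.defineProperty on existing or non-enumerable indices, which must not.

```javascript
// Added example; constructed test harness, not code from the bug report.

// Run a for-in loop over `arr`, call `mutate(arr, key)` on every iteration
// (mirroring the loop bodies in the report) and return how many iterations
// the engine actually performed.
function countForIn(arr, mutate) {
  let iterations = 0;
  for (const key in arr) {
    iterations++;
    mutate(arr, key);
  }
  return iterations;
}

// Case 1 from the report: sealing mid-iteration leaves all three indices
// enumerable, so the correct count is 3.
function sealCase() {
  const v0 = [1, 2, 3];
  return countForIn(v0, (arr) => {
    for (let v8 = 0; v8 < 20; v8++) {}
    Object.seal(arr);
    class C19 {}
  });
}

// Case 2 from the report: redefining indices 0..9 keeps the six existing
// indices enumerable; indices 6..9 are created non-enumerable (defineProperty
// defaults), so for-in must still visit exactly 6 keys.
function definePropertyCase() {
  const v0 = [-2709013226, -741588015, -65535, 128, 2667997042, 65537];
  return countForIn(v0, (arr) => {
    for (let v24 = 0; v24 < 10; v24++) {
      Object.defineProperty(arr, v24, { value: v24 });
      class v12 {}
    }
  });
}

// Hypothetical contrast case (not in the report): deleting an element that
// has not been visited yet is specified to skip it, so the count is 2.
function deleteCase() {
  const v0 = [1, 2, 3];
  return countForIn(v0, (arr) => { delete arr[2]; });
}
```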
