[Webkit-unassigned] [Bug 285178] New: MapIteratorNext return wrong result in JavaScriptCore FTL JIT.
bugzilla-daemon at webkit.org
Thu Dec 26 19:07:08 PST 2024
https://bugs.webkit.org/show_bug.cgi?id=285178
Bug ID: 285178
Summary: MapIteratorNext return wrong result in JavaScriptCore FTL JIT.
Product: WebKit
Version: WebKit Nightly Build
Hardware: PC
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: entryhii at gmail.com
Hello, I found an interesting bug related to Map.
The PoC is shown below:
=========================poc.js=======================
for (let i = 0; i < 100; i++) {
    const v15 = new Map();
    let v16 = v15.entries();
    v15.set('1', '11');
    const t7 = v16.next();
    print(t7.value);
}
====================================================
Reproduce bug: ./jsc --useConcurrentJIT=0 --jitPolicyScale=0.001 -f poc.js
In the interpreter, JSC prints "1,11", but in the FTL JIT, JSC prints "undefined".
--
You are receiving this mail because:
You are the assignee for the bug.
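
A self-checking form of the loop in the report, added here as an example; it is not the reporter's code or a WebKit test. It goes beyond the reported entries() case to keys() and values(), and the names ITERATIONS, KINDS, checkOnce and runLateInsertCheck are assumptions, as is the iteration count.

```javascript
// Added example: expected values follow ECMAScript Map iterator semantics, where an
// iterator created before an insertion still visits the new entry if not yet exhausted.
const ITERATIONS = 10000; // assumption: enough iterations for the loop to tier up

const KINDS = [
    { name: 'entries', expected: ['1', '11'] },
    { name: 'keys', expected: '1' },
    { name: 'values', expected: '11' },
];

function sameValue(a, b) {
    return JSON.stringify(a) === JSON.stringify(b);
}

// Returns null when the iterator behaves as specified, else a description of the mismatch.
function checkOnce(kind) {
    const map = new Map();
    const it = map[kind.name](); // iterator created while the map is still empty
    map.set('1', '11');          // insertion happens after iterator creation
    const first = it.next();
    const second = it.next();
    if (first.done !== false || !sameValue(first.value, kind.expected))
        return `first next() gave done=${first.done} value=${String(first.value)}`;
    if (second.done !== true || second.value !== undefined)
        return `second next() gave done=${second.done} value=${String(second.value)}`;
    return null;
}

function runLateInsertCheck(iterations = ITERATIONS) {
    const failures = [];
    for (const kind of KINDS) {
        for (let i = 0; i < iterations; i++) {
            const problem = checkOnce(kind);
            if (problem !== null) {
                // Record only the first failing iteration per iterator kind.
                failures.push({ kind: kind.name, iteration: i, problem });
                break;
            }
        }
    }
    return failures;
}

const failures = runLateInsertCheck();
const log = typeof print === 'function' ? print : console.log; // the jsc shell provides print()
log(failures.length === 0 ? 'PASS' : JSON.stringify(failures, null, 2));
if (failures.length !== 0) throw new Error('Map iterator late-insert check failed');
```

Unlike comparing printed output between two runs, this fails on its own in whichever tier returns the wrong value, so it can be run once with the flags from the report.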