[Webkit-unassigned] [Bug 271520] New: Unexpected inconsistency after JIT
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Sat Mar 23 05:54:59 PDT 2024
https://bugs.webkit.org/show_bug.cgi?id=271520
Bug ID: 271520
Summary: Unexpected inconsistency after JIT
Product: WebKit
Version: WebKit Local Build
Hardware: PC
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: ujszhangc at gmail.com
The following PoC produces different output before and after JIT compilation.
/**
 * Reproducer body from the report: runs a chain of coercions on the array
 * returned by Object.values(Object) and returns the closure variable v3
 * after it has been decremented to a number.
 *
 * NOTE(review): opt() is not idempotent. `Object[v1] |= Object` adds a new
 * enumerable own property to the global Object constructor on every call, so
 * each call sees a longer v1 than the one before. Tracing standard semantics
 * from a fresh realm: call 1 sees v1 = [] and returns -1; call 2 sees
 * v1 = [0] and returns -1; from call 3 on v1 has two or more elements, its
 * string form ("0,0", ...) converts to NaN, and NaN is returned. A -1 / NaN
 * difference between the first call and a later one is therefore expected
 * without any JIT involvement; compare against a run with the JIT disabled
 * before treating the output as evidence of a miscompilation.
 *
 * @returns {number} -1 or NaN, depending on how often opt() has already run.
 */
function opt(){
// Values of Object's own enumerable properties; an empty array in a fresh realm.
const v1 = Object.values(Object);
// v1 is stringified to form the property key ("" for []). Both operands
// convert to int32 0, so this stores 0 under a new enumerable key on the
// global Object. The property persists across calls.
Object[v1] |= Object;
// new Object(x) with an object argument returns x itself: v3 aliases v1.
let v3 = new Object(v1);
// In-place sort that returns the same array: v4 aliases v1 as well.
const v4 = v3.sort();
// Forces number conversion of the array on both sides; the result is unused.
const v5 = v1 >>> v4;
// Replaces the array held in v3 with ToNumber(array) - 1:
// -1 for [] or [0], NaN once the array has two or more elements.
const v6 = --v3;
// Wraps the number in a Number object; unused.
const v7 = Object(v6);
// In-place reverse of the original array (v1 is still an array; only v3 was rebound).
const v8 = v1.reverse();
// Strict-mode inner function: builds an unused array literal that references
// its arguments, captured variables and itself, then returns the captured v3.
function v9(v10,v11,v12) {
'use strict';
const v13 = [v8,Uint8Array,v10,v3,v10,v9,v3];
return v3;
}
const v14 = v9(Uint8Array,v4,Uint8Array);
return v14;
}
// Driver: call opt() once, warm it up in a loop, call it again and compare.
// `print` is not defined in this listing; presumably the shell's builtin.
// The trailing //-1 and //NaN are the outputs the reporter observed.
let r1 = opt(); //-1
print(r1);
// Warm-up loop, presumably meant to get opt() compiled by the JIT tiers.
// NOTE(review): every iteration also runs opt()'s side effect on the global
// Object (the `Object[v1] |= Object` statement), so r2 is computed from a
// different global state than r1. The comparison only isolates the JIT if the
// same script prints the same two values with the JIT disabled.
for(let i =0; i<1000; i++){opt();}
let r2 = opt();
print(r2); //NaN