[Webkit-unassigned] [Bug 271521] New: Promise in JIT
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Sat Mar 23 06:03:12 PDT 2024
https://bugs.webkit.org/show_bug.cgi?id=271521
Bug ID: 271521
Summary: Promise in JIT
Product: WebKit
Version: WebKit Local Build
Hardware: PC
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: ujszhangc at gmail.com
The following PoC produces different output before and after JIT compilation.
// Reproducer body: the same code is run once cold and once after a warm-up
// loop (see the driver below), and the returned string is reported to differ.
// `opt_param` is never read.
function opt(opt_param){
// Promise executor. `v1`/`v2` are the resolve/reject callbacks handed in by the
// Promise constructor; neither is used.
function v0(v1,v2) {
const v7 = [];
const v6 = JSON.stringify(v7); // "[]"
const v8 = v7.__proto__; // Array.prototype (shared by every array in the realm)
// Mutates the shared Array.prototype: stores the string at index 1024, then
// sorts the prototype array in place (sort() on a sparse array compacts the
// present values to the front). NOTE(review): this mutation is not undone, so
// it persists across calls to opt() and affects what a hole-read on any array
// observes afterwards.
v8[1024] = v6;
const v9 = v8.sort(); }
// The Promise constructor invokes the executor synchronously; only the first
// argument is used, the trailing `Promise` argument is ignored.
const v11 = new Promise(v0,Promise);
// Sparse array of length 3 with holes at indices 0 and 2. toLocaleString()
// reads each index with an ordinary [[Get]], so the holes resolve through
// Array.prototype, which v0 has just modified.
const v14 = [,686329.1200909126,,];
const v15 = v14.toLocaleString();
return v15; }
// Cold run: first invocation, before any JIT tier-up.
// print() is the JavaScriptCore shell's output builtin (not available in Node
// or browsers).
let r1 = opt();
print(r1); // [],686,329.12,
// Warm-up: repeated calls are intended to drive opt() through the JIT tiers.
// NOTE(review): every one of these calls also appends another "[]" to
// Array.prototype and re-sorts it, so by the time r2 is computed the prototype
// has entries at the low indices (including index 2) that it did not have for
// r1. The observed difference may therefore come from accumulated prototype
// state rather than from JIT compilation — confirm by restoring Array.prototype
// (or using a fresh realm) between the two measured calls.
for(let i =0; i<100; i++){opt();}
let r2 = opt();
print(r2); // [],686,329.12,[]