[Webkit-unassigned] [Bug 271522] New: Unexpected inconsistency in JIT

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Mar 23 06:44:17 PDT 2024


https://bugs.webkit.org/show_bug.cgi?id=271522

            Bug ID: 271522
           Summary: Unexpected inconsistency in JIT
           Product: WebKit
           Version: WebKit Local Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ujszhangc at gmail.com

The following PoC outputs differently before/after JIT compilation:

function opt() {
    const v2 = [null, , ];                  // holey array: index 0 is null, index 1 is a hole (length 2)
    const v8 = new Proxy(v2, Proxy);        // handler is the Proxy constructor itself, which defines no traps
    const v11 = Object.freeze;
    const v12 = v11.apply(v8, Object, v8);  // Object.freeze(...) with the Object constructor used as the array-like argument list
    const v14 = Object.values(Object);      // [] (Object has no enumerable own properties)
    Object[v14] |= Object;                  // key coerces to "", value coerces to 0
    return v12;
}
let r1 = opt();
print(r1); // undefined
for (let i = 0; i < 1000; i++) { opt(); }
let r2 = opt();
print(r2); // 0

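The report relies on the standard way such JIT discrepancies are surfaced: call the function once while it still runs in the interpreter tier, drive it hot so the optimizing compilers pick it up, then call it again and compare. The harness below is an added example written for this page; it is not code from the bug report or from WebKit. It assumes a fixed warm-up count (1000 calls, mirroring the PoC; JSC's tier-up thresholds are engine-specific) and falls back to console.log where the jsc shell's print builtin is absent. The two sample functions are constructed: stable is tier-independent, and makeDrifting changes its return value after a call count purely to show what a mismatch report looks like (it is not the WebKit bug).

```javascript
// Added example: tiered-execution differential check for a deterministic function.
// Not from the bug report or WebKit; warm-up count and print fallback are assumptions.

function sameValue(a, b) {
  // Structural comparison for primitives, arrays and plain objects.
  // Object.keys distinguishes array holes from explicit undefined, which
  // matters for PoCs built around holey arrays like [null, ,].
  if (Object.is(a, b)) return true;
  if (typeof a !== 'object' || typeof b !== 'object' || a === null || b === null) return false;
  if (Array.isArray(a) !== Array.isArray(b)) return false;
  const ka = Object.keys(a), kb = Object.keys(b);
  if (ka.length !== kb.length) return false;
  return ka.every(k => Object.prototype.hasOwnProperty.call(b, k) && sameValue(a[k], b[k]));
}

function checkTierConsistency(fn, { warmup = 1000, samples = 3 } = {}) {
  const cold = fn();                        // first call: interpreter tier (LLInt in JSC)
  for (let i = 0; i < warmup; i++) fn();    // drive the function hot so DFG/FTL compile it (assumed threshold)
  const hot = [];
  for (let i = 0; i < samples; i++) hot.push(fn());
  const mismatches = hot
    .map((value, sample) => ({ sample, value }))
    .filter(s => !sameValue(cold, s.value));
  return { cold, hot, consistent: mismatches.length === 0, mismatches };
}

// Constructed sample: result does not depend on execution tier.
function stable() {
  const a = [null, , ];
  return Object.values(a).length;           // holes are skipped, so always 1
}

// Constructed sample: deliberately returns a different value after 500 calls,
// standing in for the kind of cold/hot discrepancy the report describes.
function makeDrifting() {
  let calls = 0;
  return () => (++calls > 500 ? 0 : undefined);
}

if (typeof print !== 'function') globalThis.print = console.log; // jsc shell builtin vs Node
print(JSON.stringify(checkTierConsistency(stable)));
print(JSON.stringify(checkTierConsistency(makeDrifting())));
```

Run it under the jsc shell to use the same print builtin as the PoC; under Node the fallback takes over. To check the reported PoC itself, pass opt to checkTierConsistency: a consistent engine returns cold and hot values that agree, and a mismatch list that is empty.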