[Webkit-unassigned] [Bug 279570] New: Possible JIT bug in Set constructor or iterator (> 10, 000 iterations only with JIT enabled)
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Wed Sep 11 19:39:16 PDT 2024
https://bugs.webkit.org/show_bug.cgi?id=279570
Bug ID: 279570
Summary: Possible JIT bug in Set constructor or iterator (>
10,000 iterations only with JIT enabled)
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: jarred at jarredsumner.com
Code:
```
class Queue {
_head;
_tail;
_length;
constructor(items) {
this._head = null;
this._tail = null;
this._length = 0;
if (items) {
for (const item of items) {
this.enqueue(item);
}
}
}
enqueue(item) {
const entry = {
next: null,
value: item,
};
if (this._tail) {
this._tail.next = entry;
this._tail = entry;
} else {
this._head = entry;
this._tail = entry;
}
this._length++;
}
dequeue() {
const entry = this._head;
if (entry) {
this._head = entry.next;
this._length--;
if (this._head === null) {
this._tail = null;
}
return entry.value;
} else {
return null;
}
}
}
for (let i = 0; i < 1e5; i++) {
const queue = new Queue(new Set(["foo", "bar", "baz"]));
if (queue.dequeue() !== "foo") {
throw new Error("Expected foo");
}
if (queue.dequeue() !== "bar") {
throw new Error("Expected bar");
}
if (queue.dequeue() !== "baz") {
throw new Error("Expected baz");
}
}
```
- When the iteration count is changed from `1e5` to `1e3`, it doesn't throw.
- When the JIT is disabled, it doesn't throw
- It doesn't throw in Node
- It throws in `jsc` and `bun`
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20240912/86947ba0/attachment.htm>
More information about the webkit-unassigned
mailing list