<html>
    <head>
      <base href="https://bugs.webkit.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Differential testing: Weird behavior in FTL"
   href="https://bugs.webkit.org/show_bug.cgi?id=231321">231321</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Differential testing: Weird behavior in FTL
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>WebKit
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>WebKit Local Build
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>Normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P2
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>JavaScriptCore
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>webkit-unassigned@lists.webkit.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>lukas.bernhard@rub.de
          </td>
        </tr></table>
        <div>
        <pre>Differential testing identified the following sample, which triggers a miscomputation in the FTL tier: the same program prints a different value with and without FTL (see the comment at the final print call).
Tested on e467a9710432ebb3dae9880f897cf93929adc0e6 (Wed Oct 6 16:30:57 2021 +0000)
Sorry I couldn't minimize the testcase further; every simplification I tried makes the differential behavior disappear.
The bug title is deliberately vague, since I have no hypothesis about the root cause yet.

# jsc shell invocation (from a WebKit Release build). The lowered --threshold*
# options make the JIT / Optimize / FTLOptimize tiers kick in after very few
# executions, and the concurrent JIT and GC are switched off, presumably to
# keep the run deterministic (not confirmed). Run once as shown and once with
# --useFTLJIT=false: the value printed at the end of diff.js differs.
Release/bin/jsc --validateOptions=true --useConcurrentJIT=false --useConcurrentGC=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --validateBCE=true --useFTLJIT=true diff.js

// Reproducer for a tier-dependent result: with --useFTLJIT=true this prints
// "undefined", with FTL disabled it prints "AAAAA" (see the comment at the
// print call). Per the reporter, every simplification attempted so far loses
// the differential, so the shape of the code -- the direct eval, the unused
// async function, the edenGC() call, the empty warm-up loop -- is deliberate
// and should be kept exactly as written.
// Uses the jsc shell builtins edenGC() and print(); it will not run in a browser.
// NOTE(review): a tier-dependent value for a property read across a prototype
// change is the kind of JIT inconsistency worth triaging as a potential
// type-confusion / memory-safety issue, but nothing here demonstrates
// exploitability -- the root cause is unknown.
function main() {
    let v224;                         // receives the last value read by the eval'd for-in loop
    const v35 = [0, 0, {b:"AAAAA"}];  // filter() passes each element, in order, as v36's `arr`

    // Array.prototype.filter callback. It is declared async but contains no
    // `await`, so its whole body runs synchronously inside the filter() call
    // below; the returned promise is merely a truthy value to filter().
    // `arr` is the current element (0, 0, then {b:"AAAAA"}), not the array.
    async function v36(arr) {
        edenGC();  // jsc shell builtin; removing this breaks the differential
        for (let v198 = 0; v198 < 2; v198++) {
            const v200 = [0, 0]; 
            // Source text run by the direct eval below (twice per element); it
            // closes over `arr` and `v224`. It spins an empty 60000-iteration
            // loop (presumably to tier the eval'd code up -- not confirmed),
            // defines an async function that is never called, then for-in
            // walks an object whose prototype is [[]], reading arr[key] for
            // each key and swapping the prototype to {} on every iteration.
            // Own keys "a" and "b" come first; whether the inherited index "0"
            // is also visited after the swap is implementation-dependent.
            // For the last element, "AAAAA" means "b" was the final key read;
            // "undefined" is consistent with a further read after "b" (e.g. the
            // inherited "0"), but that is an inference, not established here.
            // NOTE(review): do not edit the template text -- it is the reproducer.
            const v201 = ` 
                for (let v205 = 0; v205 < 60000; v205++) { }

                async function v215() { } // never called but removing breaks differential

                const v222 = {"__proto__":[[]], "a":0, "b":0};
                for (const v223 in v222) {
                    v224 = arr[v223];
                    v222.__proto__ = {};
                }
                v200;
            `;
            eval(v201); // direct eval is required; moving the code out of eval breaks the differential
        }   
    }   
    v35.filter(v36);  // runs v36 synchronously for each element; v224 ends up holding the last read
    print(v224) // prints undefined in FTL, AAAAA without FTL (also AAAAA in v8)
}
main();</pre>
        </div>


    </body>
</html>