Bug 229493

Summary: [JSC] Infinite loop in for...in after r280760
Product: WebKit Reporter: Xan Lopez <xan.lopez>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: ews-watchlist, keith_miller, mark.lam, msaboff, saam, tzagallo, webkit-bug-importer, xan.lopez, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
v1
none
v2 none

Description Xan Lopez 2021-08-25 04:52:27 PDT 
This is at least observable in the JS LayoutTest reserved-words.js. The following fix seems to take care of it:

diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
index 3940a4e9afd3..113a7d9e191e 100644
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
@@ -13440,6 +13440,7 @@ void SpeculativeJIT::compileEnumeratorNextUpdateIndexAndMode(Node* node)
         m_jit.or64(scratch.gpr(), resultRegs.payloadGPR());
 #else
         m_jit.move(TrustedImm32(JSPropertyNameEnumerator::IndexedMode), resultRegs.tagGPR());
+        m_jit.or32(scratch.gpr(), resultRegs.payloadGPR());
 #endif
 
         jsValueResult(resultRegs, node);
Comment 1 Xan Lopez 2021-08-25 05:07:23 PDT 
Created attachment 436384 [details]
v1
Comment 2 Xan Lopez 2021-08-25 08:10:22 PDT 
Created attachment 436390 [details]
v2
Comment 3 Yusuke Suzuki 2021-08-25 11:06:36 PDT 
Comment on attachment 436390 [details]
v2

r=me
Comment 4 EWS 2021-08-25 11:48:38 PDT 
Committed r281571 (240935@main): <https://commits.webkit.org/240935@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 436390 [details].
Comment 5 Radar WebKit Bug Importer 2021-08-25 11:49:27 PDT 
<rdar://problem/82350525>