Bug 232869

Summary: Compiler Incorrect Optimization
Product: WebKit Reporter: zhiyi <vulbugs>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: NEW ---    
Severity: Normal CC: fpizlo, lukas.bernhard, saam, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   

Description zhiyi 2021-11-09 01:55:17 PST 
OS: ubuntu20.04
Architecture: <x64>

./jsc bug.js

expected output
3
3

actual output
3
-1


bug.js
##################################
function f() {
    let v0 = 2147483648;
    const v1 = v0--;
    const v2 = new Float32Array([111,222,333,v1]);
    const v3 = v2.indexOf(v0);
    return v3;
}
let a0 = f();
print(a0);

for (let i = 0; i < 0x1000; i++) { f(); }
let a3 = f();
print(a3);
Comment 1 Radar WebKit Bug Importer 2021-11-16 01:56:18 PST 
<rdar://problem/85449162>