Bug 233353

Summary: [JSC] Optimize Promise Error in DFG
Product: WebKit Reporter: zhiyi <vulbugs>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: NEW    
Severity: Normal CC: vulbugs, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   

zhiyi
Reported 2021-11-18 23:13:28 PST
OS: ubuntu20.04 Architecture: <x64> ./jsc --useConcurrentJIT=false --thresholdForOptimizeAfterWarmUp=50 bug.js expected output undefined undefined actual output undefined NaN bug.js ################################## function opt() { const v1 = [Infinity]; const v2 = v1[4096]; new Promise(Promise); return v2; } print(opt()); for (let i = 0; i < 0x1000; i++) { opt(); } print(opt());
Attachments
Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2021-11-25 23:14:24 PST
<rdar://problem/85760649>
Note You need to log in before you can comment on or make changes to this bug.