Bug 233353

Summary: [JSC] Optimize Promise Error in DFG
Product: WebKit
Component: JavaScriptCore
Status: NEW ---
Severity: Normal
Priority: P2
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Reporter: zhiyi <vulbugs>
Assignee: Nobody <webkit-unassigned>
CC: vulbugs, webkit-bug-importer
Keywords: InRadar

Description zhiyi 2021-11-18 23:13:28 PST
OS: ubuntu20.04
Architecture: <x64>

./jsc --useConcurrentJIT=false --thresholdForOptimizeAfterWarmUp=50 bug.js

expected output
undefined
undefined

actual output
undefined
NaN


bug.js
##################################
function opt() {
    const v1 = [Infinity];
    const v2 = v1[4096];
    new Promise(Promise);
    return v2;

}
print(opt());
for (let i = 0; i < 0x1000; i++) { opt(); }
print(opt());

Comment 1 Radar WebKit Bug Importer 2021-11-25 23:14:24 PST
<rdar://problem/85760649>