| Summary: | OSR exit loop for InBounds HasIndexedProperty that exits because of holes | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Saam Barati <saam> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW --- | ||
| Severity: | Normal | CC: | vulbugs, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
Something like this is an exit loop in "func": function test1() { function func(o) { return 0 in o; } noInline(func); let o = {__proto__:[0, 1]}; o[2] = 4; for (let i = 0; i < 10000; ++i) { func(o); } assert(func(true, o)); } test1();