Bug 233596

Summary: OSR exit loop for InBounds HasIndexedProperty that exits because of holes
Product: WebKit Reporter: Saam Barati <saam>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: NEW    
Severity: Normal CC: vulbugs, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   

Saam Barati
Reported 2021-11-29 14:11:39 PST
Something like this is an exit loop in "func": function test1() { function func(o) { return 0 in o; } noInline(func); let o = {__proto__:[0, 1]}; o[2] = 4; for (let i = 0; i < 10000; ++i) { func(o); } assert(func(true, o)); } test1();
Attachments
Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2021-12-06 14:12:21 PST
<rdar://problem/86122947>
Note You need to log in before you can comment on or make changes to this bug.