Bug 257677
Summary: | Implementation error in ForStatement with LexicalDeclaration | ||
---|---|---|---|
Product: | WebKit | Reporter: | webkit |
Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
Status: | RESOLVED DUPLICATE | ||
Severity: | Normal | CC: | ahmad.saleem792, ashvayka, mark.lam, webkit-bug-importer, ysuzuki |
Priority: | P2 | Keywords: | InRadar |
Version: | Safari 16 | ||
Hardware: | All | ||
OS: | All |
webkit
The POC
```js
let cb;
for (let i = (cb = (() => i), 0); i<10;) {
  i++;
}
console.log(cb());
```
In Chrome (V8) and engine262 we got output "0", but in WebKit (JSC) we got "1", which is unexpected and completely wrong.
The spec (https://tc39.es/ecma262/#sec-forbodyevaluation) requires calling CreatePerIterationEnvironment in every loop iteration, so the i++ in the loop body cannot affect the variable captured from the LexicalDeclaration; it seems JSC reuses the env in the first iteration.
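The environment handling described in the report, modelled with explicit environment records, as an added example that is not part of the original report and is not JavaScriptCore code. The names `newEnv`, `runModel`, `reuseLoopEnv` and `runPoc` are assumptions, and `reuseLoopEnv = true` models only the reporter's hypothesis about the first iteration.

```javascript
// Added illustration: explicit-environment model of the spec's ForBodyEvaluation
// for `for (let i = (cb = () => i, 0); i < limit;) { i++; }`.
// All names here (newEnv, runModel, reuseLoopEnv, runPoc) are hypothetical.

function newEnv(outer) {
  return { outer, bindings: new Map() };
}

// CreatePerIterationEnvironment: a fresh environment with the same outer
// environment, into which each per-iteration binding's current value is copied.
function createPerIterationEnvironment(lastEnv, names) {
  const thisEnv = newEnv(lastEnv.outer);
  for (const name of names) thisEnv.bindings.set(name, lastEnv.bindings.get(name));
  return thisEnv;
}

// reuseLoopEnv = false follows the spec; true models the reporter's hypothesis
// (the first iteration runs in the initializer's environment). Not JSC's code.
function runModel(limit, reuseLoopEnv) {
  const loopEnv = newEnv(newEnv(null));            // loopEnv, child of oldEnv
  const cb = () => loopEnv.bindings.get("i");      // closure made in the initializer
  loopEnv.bindings.set("i", 0);                    // let i = (..., 0)
  let env = reuseLoopEnv ? loopEnv : createPerIterationEnvironment(loopEnv, ["i"]);
  let iterations = 0;
  while (env.bindings.get("i") < limit) {          // test: i < limit
    env.bindings.set("i", env.bindings.get("i") + 1);   // body: i++
    env = createPerIterationEnvironment(env, ["i"]);    // copy before next iteration
    iterations++;
  }
  return { captured: cb(), iterations };
}

// The report's POC wrapped in a function, for running against the host engine.
function runPoc() {
  let cb;
  for (let i = (cb = (() => i), 0); i < 10;) {
    i++;
  }
  return cb();
}

console.log("spec model, captured i:", runModel(10, false).captured);
console.log("reuse model, captured i:", runModel(10, true).captured);
console.log("host engine, cb():", runPoc());
```

The spec model and the reuse model differ only in which environment the first iteration's `i++` writes to, which is what separates the two results quoted in the report.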
Radar WebKit Bug Importer
<rdar://problem/110238901>
Alexey Shvayka
Hello, thanks for the report & test case!
As confirmed by a naive fix, it is the same issue as https://bugs.webkit.org/show_bug.cgi?id=189799.
*** This bug has been marked as a duplicate of bug 189799 ***
Alexey Shvayka
(In reply to Alexey Shvayka from comment #2)
> Hello, thanks for the report & test case!
>
> As confirmed by a naive fix, it is the same issue as
> https://bugs.webkit.org/show_bug.cgi?id=189799.
>
> *** This bug has been marked as a duplicate of bug 189799 ***
We can't ship the naive fix as it bloats the bytecode size, but we are working on a better solution!