Bug 309204
| Summary: | Possible JIT miscompilation with array destructuring | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Philip Chimento <philip.chimento> |
| Component: | JavaScriptCore | Assignee: | Yusuke Suzuki <ysuzuki> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | philip.chimento, syg, webkit-bug-importer, ysuzuki |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | PC | | |
| OS: | Linux | | |
Philip Chimento
Reproducer:
```js
const len = 500; // seems to happen most frequently between about 500-2000
const es = new Array(len);
const fs = new Array(len);
const as = [
  ['foo', [1]],
  ['foo', [1, 2]]
];
for (const [a, [b, c, d]] of as) {
  for (const e of es) {
    for (const f of fs) {}
  }
}
```
This throws:
```
Exception: TypeError: undefined is not a function (near '...[b, c, d]...')
module code@/path/to/bug.mjs:8:16
```
I've minimized the reproducer script as much as I can; everything in there seems to be necessary to trigger the error.
In particular, with a `len` of slightly less than 500 or slightly more than 2000, you may need to run the script a few times before getting the error. I've been using `for i in $(seq 1 100); do echo $i; ~/.esvu/bin/jsc bug.mjs || break; done` with jsc nightly installed using esvu. With a `len` farther outside that range, the error seems to not happen at all.
Philip Chimento
Forgot to mention the most important thing! The error doesn't occur with `--useJIT=0`.
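The reproducer above only signals the problem when the engine throws. As an added example (not code from the bug report or from WebKit), the same nested for-of destructuring pattern wrapped in a harness that counts both exceptions and wrong destructured values, so a tier-up miscompilation is visible even in a run where it silently produces bad values; `len`, `rounds` and the `expected` table are assumptions chosen here to mirror the report.

```javascript
// Added harness, not part of the bug report. Re-runs the reporter's loop shape
// `rounds` times and checks every destructured value against a constructed
// expectation table, so a miscompilation shows up as an exception or a mismatch.
function runReproducer(len = 500, rounds = 50) {
  const es = new Array(len); // sparse arrays, exactly as in the report
  const fs = new Array(len);
  const as = [
    ['foo', [1]],
    ['foo', [1, 2]],
  ];
  // Constructed: what `[a, [b, c, d]]` must yield for each element of `as`
  const expected = [
    { a: 'foo', b: 1, c: undefined, d: undefined },
    { a: 'foo', b: 1, c: 2, d: undefined },
  ];
  const result = { rounds, errors: 0, mismatches: 0, firstError: null };
  for (let r = 0; r < rounds; r++) {
    try {
      let i = 0;
      for (const [a, [b, c, d]] of as) {
        const want = expected[i++];
        if (a !== want.a || b !== want.b || c !== want.c || d !== want.d) {
          result.mismatches++;
        }
        // The inner loops exist only to give the JIT enough iterations to tier up
        for (const e of es) {
          for (const f of fs) {}
        }
      }
    } catch (err) {
      result.errors++;
      if (result.firstError === null) result.firstError = String(err);
    }
  }
  return result;
}
```

Run it under `jsc` with and without `--useJIT=0`, as the report does, and compare the returned counts; non-zero `errors` or `mismatches` only in the JIT-enabled run localises the fault to tier-up rather than the interpreter.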
Radar WebKit Bug Importer
<rdar://problem/171766191>
Yusuke Suzuki
Pull request: https://github.com/WebKit/WebKit/pull/59942
EWS
Committed 308677@main (d9b3841d9b3f): <https://commits.webkit.org/308677@main>
Reviewed commits have been landed. Closing PR #59942 and removing active labels.