Bug 229493 - [JSC] Infinite loop in for...in after r280760
Summary: [JSC] Infinite loop in for...in after r280760
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2021-08-25 04:52 PDT by Xan Lopez
Modified: 2021-08-25 11:49 PDT
CC List: 9 users

See Also:


Attachments
v1 (2.22 KB, patch) - 2021-08-25 05:07 PDT, Xan Lopez - no flags
v2 (2.22 KB, patch) - 2021-08-25 08:10 PDT, Xan Lopez - no flags

Description Xan Lopez 2021-08-25 04:52:27 PDT
This is at least observable in the JS LayoutTest reserved-words.js. The following fix seems to take care of it:

diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
index 3940a4e9afd3..113a7d9e191e 100644
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
@@ -13440,6 +13440,7 @@ void SpeculativeJIT::compileEnumeratorNextUpdateIndexAndMode(Node* node)
         m_jit.or64(scratch.gpr(), resultRegs.payloadGPR());
 #else
         m_jit.move(TrustedImm32(JSPropertyNameEnumerator::IndexedMode), resultRegs.tagGPR());
+        m_jit.or32(scratch.gpr(), resultRegs.payloadGPR());
 #endif
 
         jsValueResult(resultRegs, node);
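Review bot: The added `m_jit.or32(scratch.gpr(), resultRegs.payloadGPR());` closes an asymmetry between the two branches: the `#if` side merges `scratch` into `payloadGPR` with `or64`, while the `#else` side only wrote `IndexedMode` into `tagGPR` and then passed `resultRegs` to `jsValueResult` with the payload untouched, so on that configuration the updated enumerator index never reached the result. That is consistent with the reported for...in never terminating. Two things I would ask for before landing: a ChangeLog entry that names reserved-words.js (mentioned in the description) as the covering regression test, and a short comment at the `#else` site explaining why the 32-bit path ORs into the payload register alone while the 64-bit path ORs into the combined boxed value, so the next person editing one branch remembers to keep the other in sync.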
Comment 1 Xan Lopez 2021-08-25 05:07:23 PDT
Created attachment 436384
v1
Comment 2 Xan Lopez 2021-08-25 08:10:22 PDT
Created attachment 436390
v2
Comment 3 Yusuke Suzuki 2021-08-25 11:06:36 PDT
Comment on attachment 436390
v2

r=me
Comment 4 EWS 2021-08-25 11:48:38 PDT
Committed r281571 (240935@main): <https://commits.webkit.org/240935@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 436390.
Comment 5 Radar WebKit Bug Importer 2021-08-25 11:49:27 PDT
<rdar://problem/82350525>