RESOLVED FIXED 229493
[JSC] Infinite loop in for...in after r280760 
https://bugs.webkit.org/show_bug.cgi?id=229493
Summary [JSC] Infinite loop in for...in after r280760
Xan Lopez
Reported 2021-08-25 04:52:27 PDT
This is at least observable in the JS LayoutTest reserved-words.js. The following fix seems to take care of it: diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp index 3940a4e9afd3..113a7d9e191e 100644 --- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp +++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp @@ -13440,6 +13440,7 @@ void SpeculativeJIT::compileEnumeratorNextUpdateIndexAndMode(Node* node) m_jit.or64(scratch.gpr(), resultRegs.payloadGPR()); #else m_jit.move(TrustedImm32(JSPropertyNameEnumerator::IndexedMode), resultRegs.tagGPR()); + m_jit.or32(scratch.gpr(), resultRegs.payloadGPR()); #endif jsValueResult(resultRegs, node);
Attachments
v1 (2.22 KB, patch)
2021-08-25 05:07 PDT, Xan Lopez 		no flags
DetailsFormatted DiffDiff
v2 (2.22 KB, patch)
2021-08-25 08:10 PDT, Xan Lopez 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Xan Lopez
Comment 1 2021-08-25 05:07:23 PDT
Created attachment 436384 [details] v1
Xan Lopez
Comment 2 2021-08-25 08:10:22 PDT
Created attachment 436390 [details] v2
Yusuke Suzuki
Comment 3 2021-08-25 11:06:36 PDT
Comment on attachment 436390 [details] v2 r=me
EWS
Comment 4 2021-08-25 11:48:38 PDT
Committed r281571 (240935@main): <https://commits.webkit.org/240935@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 436390 [details].
Radar WebKit Bug Importer
Comment 5 2021-08-25 11:49:27 PDT
<rdar://problem/82350525>
Note You need to log in before you can comment on or make changes to this bug.