Differential testing identifies the following samples to trigger a miscomputation in JSC. Tested on e467a9710432ebb3dae9880f897cf93929adc0e6 (Wed Oct 6 16:30:57 2021 +0000) Release/bin/jsc --validateOptions=true --useConcurrentJIT=false --useConcurrentGC=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --validateBCE=true --useFTLJIT=true diff.js function main() { async function v23(v24) { for (let v30 = 0; v30 < 60000; v30++) { } ArrayBuffer.prototype.constructor = ArrayBuffer; } const v22 = [0, 0, 0]; const v35 = v22.filter(v23); const v37 = [0, 0, 0] const v42 = new Uint8ClampedArray(v37); const v43 = new Uint32Array(v42); // without FTL: RangeError: Length out of range of buffer print(v43.length); // prints 3 with FTL (also 3 in v8). with --useFTLJIT=true this statement is not executed due to the previous exception } main();