239757 – Wrong JIT compilation

NEW 239757

Wrong JIT compilation

https://bugs.webkit.org/show_bug.cgi?id=239757

Summary Wrong JIT compilation

zhunkibatu

Reported 2022-04-25 22:46:43 PDT

Created attachment 458332 [details] the minimal poc The following PoC outputs differently before/after JIT compilation. function opt() { const a = [12345678901]; const b = a[12345]; const c = () => { try { throw ""; } catch(e) { ({}); } }; const d = c(); return b; } print(opt());//undefined for(var i=0;i<10000;i++){ opt(); } print(opt());//NaN

Attachments
the minimal poc (256 bytes, text/javascript) 2022-04-25 22:46 PDT, zhunkibatu	no flags	Details
View All Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2022-05-02 22:47:13 PDT

<rdar://problem/92652058>

Note You need to log in before you can comment on or make changes to this bug.

Status NEW

Resolution

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Local Build

Hardware PC

OS Linux

Product WebKit

Component JavaScriptCore

Assignee

Nobody

Reported

2022-04-25 22:46 PDT

Modified

2022-05-02 22:47 PDT History

CC List

4 users Show

URL

Keywords InRadar

Depends on

Blocks