path/to/jsc test.js --useConcurrentJIT=0 --forceWeakRandomSeed=1 --jitPolicyScale=0 path/to/jsc test.js --useConcurrentJIT=0 --forceWeakRandomSeed=1 --jitPolicyScale=0.1 function testClampDouble() { var values = [-255.1, -255.0, -2.1, -0, 0, 0.1, 123.4, 254.6, 255, 255.1, 255.9, 256]; var expected = []; var arr = new Uint8ClampedArray(100); for (var i = 0; i < 10; i++) { for (var j = 0; j < values.length; j++) { arr[j] = values[j]; values.filter(function () { expected[arr[j]] = 5; return false }); //length-inconsist print(expected.length) } expected.pop(); } } testClampDouble(); We used command line options above to run the script. In this PoC, the clamped array "arr" would turn double numbers in values[] to Uint8 type. However, in Low Level Interpreter, 254.6 is turned to 255 since 255 is closer, while in DFG 254.6 being transferred to 254 using truncation. FTL also have the similar problem when lowering to B3. This lead to difference of the length of "expected[]".