var it=0 var iterator_fn = new Proxy(function () { }, { apply() { print('2') return it; } }); var obj = new Proxy({}, { get: function (target, name) { it = obj; print('1') return iterator_fn; } }); for (var v of obj) { print('3') } With the above script as input to JSC, run JSC with the following parameters: ./jsc test.js --useConcurrentJIT=0 According to ECMA, the correct result should be '12121', but JSC prints '121211'. I alse test the script in Safari, the result is alse '121211'. However, the result is '12121' in Google. If I set the JITPolicyScale to 0. JSC JIT will print '12121'. The problem may be in LowLevelInterpreter64.asm. In op_iterator_next, m_done is JSValue from _llint_slow_path_iterator_next_get_done. In the scripts, m_done is a Proxy Object. This value should perform toPrimitive before btqnz, otherwise it will iterate one more time and print '1' wrongly.