NEW
255839
For-In Iterator uses wrong length.
https://bugs.webkit.org/show_bug.cgi?id=255839
EntryHi
Reported
2023-04-23 00:03:30 PDT
======================test.js========================
const v0 = [1,2,3];
for (const v1 in v0) {
    print(1)
    for (let v8 = 0; v8 < 20; v8++) {}
    Object.seal(v0);
    class C19 {}
}
=====================================================

With the above script as input to JSC, run JSC with the following parameters:

./jsc test.js --useConcurrentJIT=0 --jitPolicyScale=0
./jsc test.js --useConcurrentJIT=0 --jitPolicyScale=0.001

The correct result should print three "1". However, JSC prints fewer than three "1" when jitPolicyScale is 0. The problem may be that the iterator uses the wrong length in DFG.

Here is another example that triggers the same bug.

====================Another test.js==================
const v0 = [-2709013226, -741588015, -65535, 128, 2667997042, 65537];
for (let v3 in v0) {
    print(1)
    for (let v24 = 0; v24 < 10; v24++) {
        Object.defineProperty(v0, v24, {value: v24});
        class v12 {}
    }
}
======================================================

The parameters are the same as above. The correct result should print six "1". However, JSC prints four "1" when jitPolicyScale is 0.
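A self-checking form of the two reproducers above, added here as an example; it is not part of the original report or of WebKit's own tests. It compares the number of for-in iterations against a key count taken with Object.keys() before the loop, so a skipped key is reported as a failure instead of being counted by eye. The function names are hypothetical, and moving the loops from top-level script code into functions is an assumption that may change when the JIT tiers compile them.

```javascript
// Oracle: neither Object.seal() nor Object.defineProperty() on an existing
// index removes an enumerable key, so for-in must visit every key that
// Object.keys() listed before the loop started.

function sealCase() {
  const v0 = [1, 2, 3];
  const expected = Object.keys(v0).length;
  let visited = 0;
  for (const v1 in v0) {
    visited++; // replaces print(1) from the report
    for (let v8 = 0; v8 < 20; v8++) {}
    Object.seal(v0);
    class C19 {}
  }
  return { expected, visited };
}

function definePropertyCase() {
  const v0 = [-2709013226, -741588015, -65535, 128, 2667997042, 65537];
  const expected = Object.keys(v0).length;
  let visited = 0;
  for (let v3 in v0) {
    visited++; // replaces print(1) from the report
    for (let v24 = 0; v24 < 10; v24++) {
      // Indices 6..9 are created here as non-enumerable, so they add no keys.
      Object.defineProperty(v0, v24, { value: v24 });
      class v12 {}
    }
  }
  return { expected, visited };
}

// Returns one message per case where for-in skipped keys (empty when correct).
function runChecks() {
  const failures = [];
  for (const [name, run] of [["seal", sealCase], ["defineProperty", definePropertyCase]]) {
    const { expected, visited } = run();
    if (visited !== expected) failures.push(`${name}: visited ${visited} of ${expected} keys`);
  }
  return failures;
}

// jsc provides print(); Node.js does not, so fall back to console.log.
const log = typeof print === "function" ? print : console.log;
const failures = runChecks();
log(failures.length ? failures.join("\n") : "for-in visited every key");
```

Run it under both parameter sets from the report; a correct engine prints "for-in visited every key" in each case.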
Radar WebKit Bug Importer
Comment 1
2023-04-23 14:26:29 PDT
<rdar://problem/108430176>