RESOLVED FIXED 309204
Possible JIT miscompilation with array destructuring
https://bugs.webkit.org/show_bug.cgi?id=309204
Philip Chimento
Reported 2026-03-04 16:13:49 PST
Reproducer:

```js
const len = 500;  // seems to happen most frequently between about 500-2000
const es = new Array(len);
const fs = new Array(len);
const as = [
  ['foo', [1]],
  ['foo', [1, 2]]
];
for (const [a, [b, c, d]] of as) {
  for (const e of es) {
    for (const f of fs) {}
  }
}
```

This throws:

```
Exception: TypeError: undefined is not a function (near '...[b, c, d]...')
module code@/path/to/bug.mjs:8:16
```

I've minimized the reproducer script as much as I can; everything in there seems to be necessary to trigger the error. In particular, with a `len` of slightly less than 500 or slightly more than 2000, you may need to run the script a few times before getting the error. I've been using `for i in $(seq 1 100); do echo $i; ~/.esvu/bin/jsc bug.mjs || break; done` with jsc nightly installed using esvu. With a `len` farther outside that range, the error seems to not happen at all.
Philip Chimento
Comment 1 2026-03-04 16:16:32 PST
Forgot to mention the most important thing! The error doesn't occur with `--useJIT=0`
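A differential harness for triaging an intermittent report like this one, as an added example that is not part of the bug thread or WebKit's own tooling: it runs the reproducer repeatedly in the default configuration and again with `--useJIT=0` (the option from Comment 1), then compares failure counts. The function names, verdict labels and script name are hypothetical, and it assumes `jsc` exits non-zero on an uncaught exception, as the reporter's retry loop does.

```shell
#!/bin/sh
# Usage: sh triage.sh /path/to/jsc bug.mjs 100   (script name is hypothetical)

# count_failures JSC SCRIPT RUNS [jsc options...]
# Prints how many of RUNS executions exited non-zero.
count_failures() {
    jsc=$1; script=$2; runs=$3
    shift 3
    fails=0; i=0
    while [ "$i" -lt "$runs" ]; do
        # Assumption: an uncaught exception makes jsc exit non-zero.
        "$jsc" "$@" "$script" >/dev/null 2>&1 || fails=$((fails + 1))
        i=$((i + 1))
    done
    echo "$fails"
}

# classify JSC SCRIPT RUNS
# Compares the default configuration against --useJIT=0.
classify() {
    jit=$(count_failures "$1" "$2" "$3")
    nojit=$(count_failures "$1" "$2" "$3" --useJIT=0)
    if [ "$jit" -gt 0 ] && [ "$nojit" -eq 0 ]; then
        verdict=jit-only            # matches the behaviour in this report
    elif [ "$jit" -gt 0 ]; then
        verdict=all-tiers           # fails with and without JIT
    elif [ "$nojit" -gt 0 ]; then
        verdict=interpreter-only
    else
        verdict=not-reproduced      # intermittent bugs may need more RUNS
    fi
    echo "$verdict jit=$jit/$3 nojit=$nojit/$3"
}

if [ "$#" -ge 3 ]; then
    classify "$1" "$2" "$3"
fi
```

A `not-reproduced` verdict from a small run count is weak evidence for a bug that only fires on some executions; raise RUNS before concluding anything.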
Radar WebKit Bug Importer
Comment 2 2026-03-04 17:51:47 PST
Yusuke Suzuki
Comment 3 2026-03-04 17:53:21 PST
EWS
Comment 4 2026-03-04 20:39:34 PST
Committed 308677@main (d9b3841d9b3f): <https://commits.webkit.org/308677@main> Reviewed commits have been landed. Closing PR #59942 and removing active labels.