Bug 239757 - Wrong JIT compilation
Summary: Wrong JIT compilation
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Local Build
Hardware: PC Linux
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2022-04-25 22:46 PDT by zhunkibatu
Modified: 2022-05-02 22:47 PDT
CC List: 4 users

See Also:


Attachments
the minimal poc (256 bytes, text/javascript)
2022-04-25 22:46 PDT, zhunkibatu

Description zhunkibatu 2022-04-25 22:46:43 PDT
Created attachment 458332
the minimal poc

The following PoC outputs differently before/after JIT compilation.

function opt() {
    const a = [12345678901];
    const b = a[12345];
    const c = () => {
        try {
            throw "";
        } catch (e) {
            ({});
        }
    };
    const d = c();
    return b;
}

print(opt()); // undefined
for (var i = 0; i < 10000; i++) {
    opt();
}
print(opt()); // NaN
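Added differential harness (not part of the bug report or of WebKit): it wraps the reporter's PoC, reproduced verbatim as `opt`, calls it once cold and again after each warm-up checkpoint, and reports the first call count at which the result stops matching the cold result. Values are normalised by `describe` so that `undefined`, `NaN` and `-0` are told apart (a plain `===` would treat two `NaN`s as different and hide nothing about `undefined` vs `NaN`). The JSC shell's `print` is replaced by `console.log` so the harness also runs under Node, where a correct engine returns the same value throughout; `jitConsistencyCheck`, `describe` and the checkpoint list are this example's own names and assumptions.

```javascript
// Reporter's PoC from the bug, unchanged, so the harness exercises the same
// code shape (constant array, out-of-bounds read, throw/catch in a closure).
function opt() {
    const a = [12345678901];
    const b = a[12345];
    const c = () => {
        try {
            throw "";
        } catch (e) {
            ({});
        }
    };
    const d = c();
    return b;
}

// Normalise a return value into a string that distinguishes the cases a
// JIT miscompile typically confuses: undefined vs NaN vs 0 vs -0.
function describe(v) {
    if (typeof v === "number") {
        if (Number.isNaN(v)) return "number:NaN";
        if (Object.is(v, -0)) return "number:-0";
    }
    return typeof v + ":" + String(v);
}

// Call `fn` once cold, then keep calling it and re-check the result after
// each checkpoint. Returns the cold/hot descriptions and, on divergence,
// the call count at which the result first changed (null if never).
// Checkpoints are an assumed ladder meant to cross the engine's JIT tiers;
// the report's loop uses 10000 iterations, so that is the largest default.
function jitConsistencyCheck(fn, checkpoints = [100, 1000, 10000]) {
    const cold = describe(fn());
    let calls = 1;
    for (const target of checkpoints) {
        while (calls < target) {
            fn();
            calls++;
        }
        const hot = describe(fn());
        calls++;
        if (hot !== cold) {
            return { consistent: false, cold, hot, divergedAt: calls };
        }
    }
    return { consistent: true, cold, hot: cold, divergedAt: null };
}

// Usage: on the affected JSC build the report would show cold
// "undefined:undefined" and hot "number:NaN"; on a correct engine
// `consistent` is true.
console.log(JSON.stringify(jitConsistencyCheck(opt)));
```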
Comment 1 Radar WebKit Bug Importer 2022-05-02 22:47:13 PDT
<rdar://problem/92652058>