| Summary: | BitURShift is eliminated when toString has an effect | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | EntryHi <entryhii> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW --- | ||
| Severity: | Normal | CC: | mark.lam, webkit-bug-importer, ysuzuki |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | ||
| Hardware: | PC | ||
| OS: | Linux | ||
test.js:

```js
function f1(o, value) {
  // toString has a visible side effect: it writes to o.x
  function f2() {
    o.x = value;
    return 2;
  }
  let y = {};
  y.toString = f2;
  // result is unused, but ToPrimitive on y must still call f2
  y >>> 1;
}
noInline(f1);          // JSC shell builtin
let obj = {};
for (let v25 = 0; v25 < 100; v25++) {
  f1(obj, v25);
}
print(obj.x);          // JSC shell builtin
```

Run args:

```
./jsc -f test.js --useConcurrentJIT=0 --jitPolicyScale=0
```

obj.x should be 99, but JSC prints 1. This bug may be related to DCE and DFGMovHintRemovalPhase. I noticed JSC added a new phase named DFGMovHintRemoval; is this phase too radical for the JavaScript semantics?
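As an added regression check (not part of the bug report or of WebKit's own test suite), the following Node.js script states the expected semantics: ToPrimitive on an operand must run even when the operator's result is discarded, so an optimizer that drops the unused `>>>` must keep the toString side effect. It goes beyond the report by exercising the other bitwise and arithmetic operators too; the operator table and iteration counts are the author's own choice.

```javascript
"use strict";

// Count how often toString is observed when an operator's result is unused.
// Mirrors the report: each call records a value in o.x, like obj.x = value.
function countToStringCalls(apply, iterations) {
  const o = { x: undefined };
  let calls = 0;
  const y = {
    toString() {
      calls += 1;
      o.x = calls - 1;  // value written on the i-th call is i
      return "2";
    },
  };
  for (let i = 0; i < iterations; i++) {
    apply(y);           // result intentionally discarded
  }
  return { calls, lastX: o.x };
}

// Operators whose unused result a JIT might be tempted to eliminate.
// Each one still has to run ToPrimitive (and so toString) on y.
const OPS = {
  ">>>": (y) => { y >>> 1; },
  ">>":  (y) => { y >> 1; },
  "<<":  (y) => { y << 1; },
  "|":   (y) => { y | 0; },
  "&":   (y) => { y & 1; },
  "^":   (y) => { y ^ 1; },
  "~":   (y) => { ~y; },
  "-":   (y) => { y - 1; },
  "*":   (y) => { y * 1; },
};

// Returns the operators whose toString side effect went missing.
// On a correct engine this is an empty list.
function checkAllOps(iterations = 100) {
  const broken = [];
  for (const [name, apply] of Object.entries(OPS)) {
    const { calls, lastX } = countToStringCalls(apply, iterations);
    if (calls !== iterations || lastX !== iterations - 1) broken.push(name);
  }
  return broken;
}

console.log("operators dropping the toString side effect:", checkAllOps());
```

With the report's 100 iterations the `>>>` case must report 100 calls and a final x of 99, which is exactly the value the reporter expects from obj.x.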