Bug 255839 - For-In Iterator uses wrong length.
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Local Build
Hardware: PC Linux
Importance: P2 Normal
Assignee: Nobody
Keywords: InRadar
Reported: 2023-04-23 00:03 PDT by EntryHi
Modified: 2023-04-23 14:26 PDT

Description EntryHi 2023-04-23 00:03:30 PDT
======================test.js========================
const v0 = [1,2,3];
for (const v1 in v0) {
  print(1)
  for (let v8 = 0; v8 < 20; v8++) {}
  Object.seal(v0);
  class C19 {}
}
=====================================================
With the above script as input to JSC, run JSC with the following parameters:
./jsc test.js --useConcurrentJIT=0  --jitPolicyScale=0  
./jsc test.js --useConcurrentJIT=0  --jitPolicyScale=0.001 

The correct result should print three "1". However, JSC prints fewer than three "1" when jitPolicyScale is 0.
The problem may be that the iterator uses the wrong length in DFG.

Here is another example that triggers the same bug.

====================Another test.js==================
const v0 = [-2709013226, -741588015, -65535, 128, 2667997042, 65537];
for (let v3 in v0) {
  print(1)
  for (let v24 = 0; v24 < 10; v24++) {
    Object.defineProperty(v0, v24, {value: v24});
    class v12 {}
  }
}
======================================================
The parameters are the same as above.
The correct result should print six "1". However, JSC prints four "1" when jitPolicyScale is 0.
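
A self-checking form of the two reproducers above, as an added example that is not part of the original report or WebKit's own tests: it records the keys each for-in visits and compares them with the enumerable keys taken before the loop, so a run under either flag setting reports a mismatch instead of relying on counting printed lines. The function names are hypothetical, and wrapping the loops in functions is an assumption that may change which JIT tier compiles them.

```javascript
// Added example: self-checking form of the report's two reproducers.
// Function names are hypothetical; wrapping the loops in functions is an assumption.
// First reproducer: the array is sealed inside the for-in body.
function sealCase() {
  const v0 = [1, 2, 3];
  const expected = Object.keys(v0); // enumerable keys before any mutation
  const visited = [];
  for (const v1 in v0) {
    visited.push(v1);
    for (let v8 = 0; v8 < 20; v8++) {}
    Object.seal(v0);
    class C19 {}
  }
  return { expected, visited };
}

// Second reproducer: indices 6..9 are created by defineProperty with the
// default enumerable: false, so only the six original keys should be visited.
function definePropertyCase() {
  const v0 = [-2709013226, -741588015, -65535, 128, 2667997042, 65537];
  const expected = Object.keys(v0);
  const visited = [];
  for (let v3 in v0) {
    visited.push(v3);
    for (let v24 = 0; v24 < 10; v24++) {
      Object.defineProperty(v0, v24, { value: v24 });
      class v12 {}
    }
  }
  return { expected, visited };
}

// Repeat a case so later runs can execute in an optimizing tier, and collect
// every run whose visited keys differ from the pre-loop snapshot.
function check(name, fn, runs) {
  const failures = [];
  for (let i = 0; i < runs; i++) {
    const { expected, visited } = fn();
    if (expected.join() !== visited.join()) {
      failures.push(`${name} run ${i}: visited [${visited}] expected [${expected}]`);
    }
  }
  return failures;
}

function runAll(runs = 100) {
  return [...check("seal", sealCase, runs), ...check("defineProperty", definePropertyCase, runs)];
}

const log = typeof print === "function" ? print : console.log; // jsc shell provides print()
log(runAll().join("\n") || "PASS");
```

Run it with both flag sets from the report; an engine that enumerates correctly prints PASS under each.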
Comment 1 Radar WebKit Bug Importer 2023-04-23 14:26:29 PDT
<rdar://problem/108430176>