263520 – AbstractInterpreter handles GetMyArgumentByVal incorrectly when callee is inlined

NEW263520

AbstractInterpreter handles GetMyArgumentByVal incorrectly when callee is inlined

https://bugs.webkit.org/show_bug.cgi?id=263520

Summary AbstractInterpreter handles GetMyArgumentByVal incorrectly when callee is inl...

EntryHi

Reported 2023-10-23 05:45:16 PDT

Hello, I found a bug related to Abstract Interpreter in JSC. =================test.js================ function f0() { const v6 = arguments[-6]; print(v6) } for (let v11 = 0; v11 < 99; v11++) { f0(1); for (let v13 = 0; v13 < 100; v13++) { for (let v14 = 0; v14 < 101 ; v14++) {} } } ========================================= Run args: ./jsc -f test.js --useConcurrentJIT=0 --jitPolicyScale=0.1 JSC should print 99 "undefined", but it prints 2 "undefined" and 97 "1"(arguments[0]) actually. I found the problem is in DFGAbstractInterpreterInlines.h when AI handles GetMyArgumentsByVal node. AI ignores the situation where the index is negative when callee is inlined and computes wrong result for GetMyArgumentsByVal.

Attachments
Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2023-10-30 05:46:12 PDT

<rdar://problem/117682102>

Yusuke Suzuki

Comment 2 2025-05-23 17:34:54 PDT

Hmm, maybe no longer reproducible?

Note You need to log in before you can comment on or make changes to this bug.

Status NEW

Resolution

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware PC

OS Linux

Product WebKit

Component JavaScriptCore

Assignee

Nobody

Reported

2023-10-23 05:45 PDT

Modified

2025-05-23 17:34 PDT History

CC List

3 users Show

URL

Keywords InRadar

Depends on

Blocks