Closed Bug 1887329 Opened 1 year ago Closed 1 year ago

Unexpected inconsistency in JIT

Categories

(Core :: JavaScript Engine: JIT, defect)

Other Branch
defect

RESOLVED INVALID

People

(Reporter: ujszhangc, Unassigned)

Steps to reproduce:

function opt(opt_param) {
  const v0 = [];
  const v3 = [null];
  const v5 = new Uint32Array(v3);
  const v6 = [];
  const v8 = [];

  v0[2147483649] *= 3.0;
  const v13 = [];
  let {"__proto__":v14,"constructor":v15,} = v13;
  const v17 = v15(257);
  const v18 = v17.flat();
  const v19 = [];
  let {"__proto__":v20,"constructor":v21,} = v19;
  const v22 = [];
  const v23 = v20.push(v22);
  const v25 = Error(Int32Array);
  const v26 = v25.toLocaleString();
  const v27 = v26.toLowerCase();
  const v28 = 5 in v0;
  return v28;
}
let r1 = opt();
print(r1); // false
for (let i = 0; i < 100; i++) { opt(); }
let r2 = opt();
print(r2); // true

Actual results:

output: false, true

Expected results:

output: false, false

The line const v23 = v20.push(v22); modifies the ArrayPrototype object, so after five calls const v28 = 5 in v0; starts to evaluate to true, because the 5 is found on the ArrayPrototype object.

Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Resolution: --- → INVALID
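
The resolution above can be checked without involving the JIT at all. The following is an added example, not code from the bug or from the SpiderMonkey project: `reducedOpt`, `callsUntilTrue` and `triage` are hypothetical names, and `reducedOpt` keeps only the statements of the report's `opt()` that affect the returned value. It counts how many calls it takes for `5 in v0` to become true, once with `Array.prototype` left dirty between calls and once with it reset before every call.

```javascript
// Reduced form of the report's opt(): the push onto the array prototype and
// the `in` check are the only statements that influence the return value.
function reducedOpt() {
  const v0 = [];
  const proto = Object.getPrototypeOf([]); // same object as [].__proto__
  proto.push([]);                           // adds one indexed element to Array.prototype
  return 5 in v0;                           // `in` walks the prototype chain
}

// Call fn up to `limit` times and return the 1-based number of the first call
// that returns true, or -1 if none does. With isolate=true the shared state
// (Array.prototype's indexed elements) is cleared before every call.
function callsUntilTrue(fn, limit, isolate) {
  try {
    for (let n = 1; n <= limit; n++) {
      if (isolate) Array.prototype.length = 0;
      if (fn()) return n;
    }
    return -1;
  } finally {
    // Always leave the global prototype clean for whatever runs next.
    Array.prototype.length = 0;
  }
}

// Triage helper for a "result changes after warm-up" report: if the flip
// disappears once shared state is reset per call, the test case is mutating
// global state and the difference is not evidence of a miscompilation.
function triage() {
  return {
    sharedState: callsUntilTrue(reducedOpt, 200, false),
    isolated: callsUntilTrue(reducedOpt, 200, true),
  };
}

console.log(triage());
```

With shared state the result flips on the sixth call, when the prototype gains index 5, and with per-call reset it never flips, which is the behaviour the closing comment describes.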