
Object.defineProperty with length doesn't work correctly

Open · frto027 opened this issue 3 years ago · 1 comment

This poc will output different results in the JIT compiler.

// Hot function: reads "length" through an ordinary property access.
function foo(a) {
  return a.length;
}

// Zero-length typed array; "length" normally comes from the prototype getter.
let array = new Int32Array();

// Shadow the prototype getter with an own data property on the instance.
Object.defineProperty(array, "length", {
  value: 10
});

// With -mic:5, foo is JIT-compiled after 5 calls; the remaining calls go through the compiled path.
for(let i=0;i<10;i++){
  print(foo(array))
}

Run with the following command:

Build\VcBuild\bin\x64_debug\ch.exe test.js -bgjit- -mic:5 -off:simplejit

Output:

10
10
10
10
10
0
0
0
0
0

And I don't know if it's for the same reason, but the output of the PoC below is weird. The length of a is 65535, while the loop is repeated only 152 times.

// Four-element typed array.
var a = new Int8Array(4);

// Replace "length" on the instance with an accessor that reports 65535.
a.__defineGetter__("length", function () {
  return 0xFFFF;
});

var mx = 0
print(a.length)
// The loop condition re-reads a.length on every iteration.
for (var i = 0; i < a.length; i++) {
  mx = i
}
print(mx)

Run with the same command as before. The output is:

65535
151

frto027 · Jul 26 '22 14:07

There's a bad optimisation here for loops over Typed Arrays - once the loop body is jitted it starts comparing against the original length, not the redefined one.

rhuanjl · Sep 28 '22 20:09
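A regression harness for both proofs of concept above, added here as an example and not part of the issue or of ChakraCore's own test suite. It runs each case enough times for a tiering JIT to compile the hot code and collects the distinct results, so a spec-compliant engine returns a single value per check while an engine with the optimisation rhuanjl describes would show the compiled path diverging from the interpreter; the iteration count (1000) and the function names are the example's own choices.

```javascript
// Same shape as the reporter's foo(): read "length" through a property access.
function readLength(a) {
  return a.length;
}

// Case 1: own data property "length" shadowing the prototype getter.
// Returns the sorted list of distinct values observed across `iterations` calls;
// a correct engine yields exactly [10].
function checkDefinePropertyLength(iterations = 1000) {
  const array = new Int32Array();          // zero-length view
  Object.defineProperty(array, "length", { value: 10 });
  const seen = new Set();
  for (let i = 0; i < iterations; i++) {
    seen.add(readLength(array));           // calls past the JIT threshold use compiled code
  }
  return [...seen].sort((x, y) => x - y);
}

// Case 2: accessor "length" on the instance reporting more than the buffer holds.
// Returns { length, iterations }; the loop condition re-reads a.length each time,
// so a correct engine runs the body exactly a.length (65535) times.
function checkGetterLengthLoop() {
  const a = new Int8Array(4);
  a.__defineGetter__("length", function () { return 0xFFFF; });
  let count = 0;
  for (let i = 0; i < a.length; i++) {
    count++;
  }
  return { length: a.length, iterations: count };
}

// Combined check: true only when both cases behave per spec.
function lengthRedefinitionIsConsistent() {
  const distinct = checkDefinePropertyLength();
  const loop = checkGetterLengthLoop();
  return distinct.length === 1 && distinct[0] === 10 &&
         loop.length === 0xFFFF && loop.iterations === 0xFFFF;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(checkDefinePropertyLength(), checkGetterLengthLoop(),
              lengthRedefinitionIsConsistent());
}
```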