Null pointer dereference issue with unsigned compare peep #1627

Closed
saurabharch/ChakraCore
#1
@Penguinwizzard

Description

@Penguinwizzard

Bug was initially externally reported. LouisL identified the issue as not being a security bug, and as being one with the unsigned compare peep:
"
We emit:

s13.var         =  ShrU_A         s12.var, s2.var                         #000a
s6.var          =  ShrU_A         s4.var, s2.var                          #000e
                   ByteCodeUses   s6, s13                                 #0012
s14.var         =  CmUnGt_A       s12.var, s4.var                         #0012

And I believe we should emit:

s13.var         =  ShrU_A         s12.var, s2.var                         #000a
s6.var          =  ShrU_A         s4.var, s2.var                          #000e
s14.var         =  CmUnGt_A       s12.var, s4.var                         #0012
                   ByteCodeUses   s6, s13                                 #0012

"

Steps to reproduce:
Run the following code:

function t(f, i) {
    for (var j = 0; i.length; ++j) {
        for (var k = 0; i.length; ++k) {
            try {
                (f([j], [k]))
            } catch (e) {}
        }
    }
}
m = function (x, y) {
    (
        ((Math.co0 >>> 0) > (y >>> 0)) = ddd
    );
};
t(m, [[]])
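The peephole discussed above rewrites `(a >>> 0) > (b >>> 0)` (two ShrU_A plus a compare) into a single unsigned compare (CmUnGt_A) of the original operands. The rewrite is only sound if both operands are interpreted through ToUint32, which is exactly what `>>> 0` does. The following is an added example, not code from the issue or from ChakraCore: a reference model of that semantic equivalence, checked against the engine's own evaluation on the edge cases a reviewer of such a peep would want covered (negative numbers, NaN, undefined such as the `Math.co0` in the repro, values at and beyond 2^32, non-numeric inputs). The function names and sample inputs are assumptions constructed for this example.

```javascript
// Added example (not from the ChakraCore issue): reference model of the
// unsigned-compare peephole's semantics, checked against the source form.

// ECMAScript ToUint32: NaN and +/-Infinity become 0, otherwise truncate
// toward zero and reduce modulo 2^32. Non-numbers go through ToNumber first.
function toUint32(v) {
  const n = Number(v);
  if (!Number.isFinite(n)) return 0;
  const t = Math.trunc(n);
  // ((t % 2^32) + 2^32) % 2^32 maps negative values into [0, 2^32)
  return ((t % 4294967296) + 4294967296) % 4294967296;
}

// What CmUnGt_A must compute for the peep to be a valid replacement.
function cmUnGt(a, b) {
  return toUint32(a) > toUint32(b);
}

// The unoptimised source form from the repro, evaluated by the engine.
function sourceForm(a, b) {
  return (a >>> 0) > (b >>> 0);
}

// Constructed edge-case inputs (assumption: these are the cases worth checking).
const SAMPLES = [
  [1, 2], [2, 1], [0, 0],
  [-1, 1],               // -1 >>> 0 === 4294967295, so it is "greater"
  [NaN, 0],              // NaN -> 0
  [undefined, 5],        // undefined -> NaN -> 0, like Math.co0 in the repro
  [4294967296, 1],       // 2^32 wraps to 0
  [Infinity, -Infinity], // both become 0
  ["10", "9"],           // strings: ToNumber first, then compare 10 > 9
  [1.9, 1.1],            // truncation: 1 > 1 is false
  [{}, []],              // {} -> NaN -> 0, [] -> "" -> 0
];

// Returns the inputs on which the model and the source form disagree;
// an empty list means the rewrite is semantically valid on these samples.
function disagreements(samples = SAMPLES) {
  return samples.filter(([a, b]) => cmUnGt(a, b) !== sourceForm(a, b));
}
```

Run `disagreements()` to get the list of mismatching inputs; the model only checks the value semantics of the rewrite, not the instruction ordering (ByteCodeUses placement) that the report identifies as the actual defect.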
