296270 2025-07-21 05:17:04 -0700 Abstract Interpreter incorrectly optimized CompareLessEq into Constant True when two oprands are undefined. 2025-07-22 12:30:50 -0700 1 1 1 Unclassified WebKit JavaScriptCore WebKit Nightly Build PC Linux RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=296316 InRadar P2 Normal --- 1 entryhii ysuzuki syg webkit-bug-importer ysuzuki oldest_to_newest 2131557 0 entryhii 2025-07-21 05:17:04 -0700 Hello, I found a bug in JavaScriptCore (commit id: 04d2f39a0b7924afd3de78310c80fbc8b6109fd8). PoC.js: ``` function opt(start, end) { for (let j = start; j <= end; j++) { function f() { f = start; } print(j) } } for (let i = 0; i < 10; i++) { opt(opt, i); opt(); // print accidently print(i) // for debug } ``` Reproduce: 1. ./jsc --useConcurrentJIT=0 --jitPolicyScale=0 PoC.js 2. ./jsc --useConcurrentJIT=0 --jitPolicyScale=0.001 PoC.js Result of Step1: 0 1 2 undefined 3 undefined 4 undefined 5 undefined 6 undefined 7 undefined 8 9 Result of Step 2: 0 1 2 3 4 5 6 7 8 9 Function opt is inlined into global function in FTL. In the second opt call, CompareLessEq has two oprands, both of them are Constant undefined. Abstract Interpreter incorrectly converts CompareLessEq into Constant True in Constant Folding Optimization. Actually, ```undefined <= undefined``` should return false in JavaScript. 2131761 1 webkit-bug-importer 2025-07-21 18:29:08 -0700 <rdar://problem/156361256> 2131765 2 ysuzuki 2025-07-21 18:31:12 -0700 Pull request: https://github.com/WebKit/WebKit/pull/48360 2131788 3 ews-feeder 2025-07-21 22:30:37 -0700 Committed 297726@main (101f7c7836ea): <https://commits.webkit.org/297726@main> Reviewed commits have been landed. Closing PR #48360 and removing active labels.