316296 2026-06-04 01:53:03 -0700 ASSERTION FAILED: pc->opcodeID() == op_call in JavaScriptCore. 2026-06-05 09:54:01 -0700 1 1 1 Unclassified WebKit JavaScriptCore WebKit Nightly Build PC Linux RESOLVED FIXED InRadar P2 Normal --- 1 entryhii syg bfulgham syg webkit-bug-importer oldest_to_newest 2217549 0 entryhii 2026-06-04 01:53:03 -0700 Hello, I found a crash in JavaScriptCore. (commit id: 51cc3feb729804866ae63510d837f4df674bbc59) poc.js: ``` function test() { var arr = [3, 4, /\u1fe8/iu]; arr.sort(function () { arr.sort(function () {});}); } for (var i = 0; i < 10000; ++i) test(); ``` Reproduce: 1. Compile JavaScriptCore in Debug mode. 2.Run args: ./jsc --useConcurrentJIT=0 poc.js Result: ASSERTION FAILED: pc->opcodeID() == op_call webkit/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp(2851) : UGPRPair JSC::LLInt::llint_slow_path_array_sort_comparator_return(CallFrame *, EncodedJSValue) Stack trace: ``` (lldb) bt * thread #1, name = 'jsc', stop reason = signal SIGABRT * frame #0: 0x00007ffff56afecc libc.so.6`__pthread_kill_implementation + 268 frame #1: 0x00007ffff565fab6 libc.so.6`raise + 22 frame #2: 0x00007ffff56497fc libc.so.6`abort + 215 frame #3: 0x0000555556ce4b88 jsc`::WTFCrashWithInfo((null)=2851, (null)="/data/wjm/webkit/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp", (null)="UGPRPair JSC::LLInt::llint_slow_path_array_sort_comparator_return(CallFrame *, EncodedJSValue)") at Assertions.h:1022:5 frame #4: 0x0000555557dd677e jsc`::llint_slow_path_array_sort_comparator_return(callFrame=0x00007fffffffc620, (null)=140737488340184) at LLIntSlowPaths.cpp:2851:5 frame #5: 0x0000555557ef62bf jsc`array_sort_comparator_return_trampoline + 51 frame #6: 0x00007fffa4e60e0b frame #7: 0x0000555557ed037d jsc`llint_call_javascript + 6 frame #8: 0x000055555852da58 jsc`JSC::(this=0x00007fffe941ee60, source=0x00007fffffffd628, (null)=0x00007fffe90a0088, thisObj=0x00007fffeb06dec8)::executeProgram(const JSC::SourceCode &, JSC::JSGlobalObject *, JSC::JSObject *) at Interpreter.cpp:1205:28 frame #9: 0x00005555587a357a jsc`evaluate(globalObject=0x00007fffe90a0088, source=0x00007fffffffd628, thisValue=JSValue @ 0x00007fffffffd520, returnedException=0x00007fffffffd648) at Completion.cpp:145:37 frame #10: 0x0000555556d880bd jsc`::runWithOptions(globalObject=0x00007fffe90a0088, options=0x0000555559b30c30, success=0x00007fffffffda9b) at jsc.cpp:3906:35 frame #11: 0x0000555556d29a5c jsc`(this=0x00007fffffffdb6b, vm=0x00007fffe9400000, globalObject=0x00007fffe90a0088, success=0x00007fffffffda9b)::operator()(JSC::VM &, GlobalObject *, bool &) const at jsc.cpp:4636:13 frame #12: 0x0000555556ceb7f8 jsc`::runJSC<(lambda at webkit/Source/JavaScriptCore/jsc.cpp:4631:9)>(options=0x0000555559b30c30, isWorker=false, func=0x00007fffffffdb6b) &) at jsc.cpp:4422:13 frame #13: 0x0000555556ce8d09 jsc`::jscmain(argc=12, argv=0x00007fffffffdcd8) at jsc.cpp:4629:18 frame #14: 0x0000555556ce8aa8 jsc`main(argc=12, argv=0x00007fffffffdcd8) at jsc.cpp:3664:15 frame #15: 0x00007ffff564a550 libc.so.6`__libc_start_call_main + 128 frame #16: 0x00007ffff564a609 libc.so.6`__libc_start_main@@GLIBC_2.34 + 137 frame #17: 0x0000555556ce3625 jsc`_start + 37 ``` 2217550 1 webkit-bug-importer 2026-06-04 01:53:09 -0700 <rdar://problem/178704991> 2217622 2 syg 2026-06-04 10:15:06 -0700 Thank you for your bug report! This is a debug assert that needs to be broadened, and not a security bug. 2217748 3 syg 2026-06-04 15:04:34 -0700 Pull request: https://github.com/WebKit/WebKit/pull/66492 2218035 4 ews-feeder 2026-06-05 09:53:59 -0700 Committed 314643@main (e7d51d19e065): <https://commits.webkit.org/314643@main> Reviewed commits have been landed. Closing PR #66492 and removing active labels.