Bug 263881

Summary:	[JSC] BitURShift is eliminated when toString has an effect
Product:	WebKit	Reporter:	EntryHi <entryhii>
Component:	JavaScriptCore	Assignee:	Yusuke Suzuki <ysuzuki>
Status:	RESOLVED FIXED
Severity:	Normal	CC:	mark.lam, webkit-bug-importer, ysuzuki
Priority:	P2	Keywords:	InRadar
Version:	WebKit Nightly Build
Hardware:	PC
OS:	Linux

EntryHi

Reported 2023-10-30 05:10:16 PDT

==================test.js===================== function f1(o, value) { function f2() { o.x=value return 2 } let y={} y.toString = f2 y >>> 1; } noInline(f1) let obj={} for (let v25 = 0; v25 < 100; v25++) { f1(obj, v25); } print(obj.x) ============================================== Run args: ./jsc -f test.js --useConcurrentJIT=0 --jitPolicyScale=0 obj.x should be 99, but JSC prints 1. This bug may be related to DCE and DFGMovHintRemovalPhase. I noticed JSC added a new phase named DFGMovHintRemoval, is this phase too radical for the JavaScript semantics?

Attachments
Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2023-11-06 04:11:14 PST

<rdar://problem/117993267>

Yusuke Suzuki

Comment 2 2025-05-23 15:33:41 PDT

Pull request: https://github.com/WebKit/WebKit/pull/45861

EWS

Comment 3 2025-05-23 19:05:15 PDT

Committed 295380@main (9126da39238b): <https://commits.webkit.org/295380@main> Reviewed commits have been landed. Closing PR #45861 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.