Bug 288815

Summary: JavaScriptCore generates wrong result in type conversion.
Product: WebKit Reporter: EntryHi <entryhii>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: mark.lam, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: PC   
OS: Linux   

EntryHi
Reported 2025-02-27 23:38:08 PST
Hello, I found a bug in JSC. ==============poc.js============== var ab = new ArrayBuffer(8); var array_i = new Int32Array(ab); array_i[0] = 0 array_i[1] = -1 var array_f = new Float64Array(ab); var array_d = new Float64Array(1); function opt_store() { array_d[0] = array_f[0]; } opt_store(); opt_store(); var i32 = new Int32Array(array_d.buffer); print(i32[1]) ================================ Step 1: ./jsc poc.js --useConcurrentJIT=0 --jitPolicyScale=0 Step 2: ./jsc poc.js --useConcurrentJIT=0 --jitPolicyScale=0.1 Result of Step 1: -1 Result of Step 2: 2146959360
Attachments
Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2025-03-06 23:38:18 PST
<rdar://problem/146457747>
Yusuke Suzuki
Comment 2 2025-05-23 14:25:41 PDT
Fixed in bug 291362, thanks! *** This bug has been marked as a duplicate of bug 291362 ***
Note You need to log in before you can comment on or make changes to this bug.