Bug 288816

Summary: JavaScriptCore generates incorrect results in LogicAnd and LogicOr.
Product: WebKit Reporter: EntryHi <entryhii>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: NEW    
Severity: Normal CC: kirk, mark.lam, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: PC   
OS: Linux   

EntryHi
Reported 2025-02-27 23:45:46 PST
Hello, I found a bug in JSC. ==============poc.js============== function test(a) { return a + 0x7fffffff + 1.1 & 0x7fffffff | a; } print(test(1)); ================================ Step 1: ./jsc poc.js --useConcurrentJIT=0 --jitPolicyScale=0 Step 2: ./jsc poc.js --useConcurrentJIT=0 --jitPolicyScale=0.1 Result of Step 1: 3 Result of Step 2: 1
Attachments
Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2025-03-06 23:46:18 PST
<rdar://problem/146458144>
Kirk Elliott
Comment 2 2025-07-22 10:47:50 PDT
Pull request: https://github.com/WebKit/WebKit/pull/48312
Kirk Elliott
Comment 3 2025-07-22 10:52:51 PDT
Pull request: https://github.com/dmvjs/WebKit/pull/1
Kirk Elliott
Comment 4 2025-08-08 15:02:39 PDT
Pull request: https://github.com/WebKit/WebKit/pull/49156
Kirk Elliott
Comment 5 2025-08-23 07:15:18 PDT
Pull request: https://github.com/WebKit/WebKit/pull/49772
Kirk Elliott
Comment 6 2025-08-23 19:10:15 PDT
sorry for all the spam, this last one is hopefully the last one.
Note You need to log in before you can comment on or make changes to this bug.