Bug 296270
| Summary: | Abstract Interpreter incorrectly optimized CompareLessEq into Constant True when two operands are undefined. | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | EntryHi <entryhii> |
| Component: | JavaScriptCore | Assignee: | Yusuke Suzuki <ysuzuki> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | syg, webkit-bug-importer, ysuzuki |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | PC | | |
| OS: | Linux | | |
| See Also: | https://bugs.webkit.org/show_bug.cgi?id=296316 | | |
EntryHi
Hello, I found a bug in JavaScriptCore (commit id: 04d2f39a0b7924afd3de78310c80fbc8b6109fd8).
PoC.js:
```javascript
function opt(start, end) {
    for (let j = start; j <= end; j++) {
        // Nested function that reassigns its own binding to `start`.
        function f() { f = start; }
        print(j)
    }
}
for (let i = 0; i < 10; i++) {
    opt(opt, i);
    opt(); // both arguments undefined, so the loop test is `undefined <= undefined`; prints accidentally
    print(i) // for debug
}
```
Reproduce:
1. ./jsc --useConcurrentJIT=0 --jitPolicyScale=0 PoC.js
2. ./jsc --useConcurrentJIT=0 --jitPolicyScale=0.001 PoC.js
Result of Step 1:
```
0
1
2
undefined
3
undefined
4
undefined
5
undefined
6
undefined
7
undefined
8
9
```
Result of Step 2:
```
0
1
2
3
4
5
6
7
8
9
```
Function opt is inlined into the global function in FTL.
In the second opt call, CompareLessEq has two operands, both of which are Constant undefined.
Abstract Interpreter incorrectly converts CompareLessEq into Constant True in Constant Folding Optimization.
Actually, `undefined <= undefined` should return false in JavaScript.
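The comparison semantics the report relies on, as an added example (not code from the bug report and not JavaScriptCore's AbstractInterpreter): `x <= y` is specified as the abstract relational comparison `y < x` with the result inverted, and any comparison that sees NaN (which is what `undefined` converts to) yields `undefined`, which `<=` maps to false. The `foldLessEq` function below folds a constant `<=` exactly that way; `naiveFoldLessEq` is an assumed simplification (not JSC's actual rule) that treats `<=` as reflexive for identical constants, and `checkFolder` shows which constant pairs such a shortcut gets wrong. The `abstractRelationalComparison` helper only handles primitives, since those are all a constant folder would see.

```javascript
// Added example: models ECMAScript `<=` semantics for constant folding.
// Not JSC code; the "naive" folder is an assumed model of the wrong shortcut.

// Abstract relational comparison on primitives: returns true, false, or
// undefined (the spec's outcome when either side converts to NaN).
function abstractRelationalComparison(x, y) {
  if (typeof x === "string" && typeof y === "string") {
    return x < y; // both strings: code-unit comparison, no numeric conversion
  }
  const nx = Number(x); // ToNumeric for non-BigInt primitives; undefined -> NaN
  const ny = Number(y);
  if (Number.isNaN(nx) || Number.isNaN(ny)) return undefined;
  return nx < ny;
}

// Spec definition of `x <= y`: r = ARC(y, x); if r is true or undefined, the
// result is false, otherwise true. This is the rule a constant folder must keep.
function foldLessEq(x, y) {
  const r = abstractRelationalComparison(y, x);
  return !(r === true || r === undefined);
}

// Assumed naive folder: "identical constants, so x <= x is true". This is the
// kind of shortcut that turns `undefined <= undefined` into Constant True.
function naiveFoldLessEq(x, y) {
  if (Object.is(x, y)) return true;
  return x <= y;
}

// Cross-check a folder against the engine's own evaluation over a small set of
// constructed constant operands; returns the pairs where the folder disagrees.
function checkFolder(fold) {
  const constants = [undefined, null, NaN, 0, -0, 1, "1", "a", true, false, Infinity];
  const mismatches = [];
  for (const x of constants) {
    for (const y of constants) {
      const expected = x <= y;
      const got = fold(x, y);
      if (got !== expected) {
        mismatches.push({ x: String(x), y: String(y), got, expected });
      }
    }
  }
  return mismatches;
}

// Stand-alone run: the spec-faithful folder matches the engine everywhere,
// while the naive one fails exactly on the NaN-like pairs.
console.log("undefined <= undefined folds to", foldLessEq(undefined, undefined));
console.log("spec folder mismatches:", checkFolder(foldLessEq));
console.log("naive folder mismatches:", checkFolder(naiveFoldLessEq));
```

The two pairs the naive folder gets wrong are `undefined <= undefined` and `NaN <= NaN`: both are identical operands, and both must fold to false because the comparison goes through NaN. A test like `checkFolder` run over the engine's own evaluation is the cheap regression check for any folding rule that special-cases identical operands.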
Radar WebKit Bug Importer
<rdar://problem/156361256>
Yusuke Suzuki
Pull request: https://github.com/WebKit/WebKit/pull/48360
EWS
Committed 297726@main (101f7c7836ea): <https://commits.webkit.org/297726@main>
Reviewed commits have been landed. Closing PR #48360 and removing active labels.