Bug 296316

Summary:	Abstract Interpreter incorrectly optimizes CompareLess into Constant False when two oprands are Symbol.
Product:	WebKit	Reporter:	EntryHi <entryhii>
Component:	JavaScriptCore	Assignee:	Sosuke Suzuki <sosuke>
Status:	RESOLVED FIXED
Severity:	Normal	CC:	syg, webkit-bug-importer, ysuzuki
Priority:	P2	Keywords:	InRadar
Version:	WebKit Nightly Build
Hardware:	PC
OS:	Linux
See Also:	https://bugs.webkit.org/show_bug.cgi?id=296270

EntryHi

Reported 2025-07-22 00:26:03 PDT

Hello, I found a bug in JavaScriptCore (commit id: 101f7c7836eaa3e6c56d8a6fe1d8812efbb8959f). This bug is similar to https://bugs.webkit.org/show_bug.cgi?id=296270 which has been fixed. PoC.js ``` try { const x = Symbol(); for (let i = 0; i < 70; i++) { x.__proto__; } x < x; } catch (e) { print(e) } ``` Reproduce: ./jsc --useConcurrentJIT=0 --jitPolicyScale=0 PoC.js Expected Result: JSC should throw an exception: TypeError: Cannot convert a symbol to a number. Actual Result: JSC does not throw any exception. Abstract Interpreter incorrectly converts CompareLess into Constant False in Constant Folding Optimization.

Attachments
Add attachment proposed patch, testcase, etc.

Sosuke Suzuki

Comment 1 2025-07-27 09:46:09 PDT

Pull request: https://github.com/WebKit/WebKit/pull/48571

EWS

Comment 2 2025-07-27 19:38:50 PDT

Committed 297910@main (71cedad38d10): <https://commits.webkit.org/297910@main> Reviewed commits have been landed. Closing PR #48571 and removing active labels.

Radar WebKit Bug Importer

Comment 3 2025-07-27 19:39:13 PDT

<rdar://problem/156876784>

Note You need to log in before you can comment on or make changes to this bug.