Bug 296423
| Summary: | Dead Code Elimination eliminates ArithSub incorrectly when ArithSub may have implicit calls. | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | EntryHi <entryhii> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED DUPLICATE | | |
| Severity: | Normal | CC: | dan.hecht, syg, webkit-bug-importer, ysuzuki |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | PC | | |
| OS: | Linux | | |
EntryHi
Hello, I found a bug in JavaScriptCore (commit id: 101f7c7836eaa3e6c56d8a6fe1d8812efbb8959f).
PoC.js
```javascript
// Symbol.toPrimitive hook installed on `arr` below: any implicit conversion
// of `arr` (here, by the `-` operator) calls this with the hint ("number").
function f1(a) {
    print(a);
    return a;
}

function f2(a1, a2, a3) {
    try {
        a2.apply(1, 256);
    } catch (e) {}
    // The result is unused, but when a1 is an object this calls
    // a1[Symbol.toPrimitive] twice, so the statement is not dead code.
    a1 - a1;
    try {
        eval(a3.toLocaleString());
    } catch (e) {}
}

const arr = [1.1, 2.2, 3.3];
arr[Symbol.toPrimitive] = f1;

f2(1, 1, Uint8Array);          // number operands: no implicit calls
f2(-9007199254740992, 1, {});  // number operands: no implicit calls
f2(arr, 1, 1);                 // object operand: should print "number" twice
print("end");
```
Reproduce:
```sh
./jsc --useConcurrentJIT=0 --jitPolicyScale=0 PoC.js
```
Expected Result:
```
number
number
end
```
Actual Result:
```
end
```
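The implicit calls that make `a1 - a1` live, as an added example that is not part of the bug report or of WebKit's code. It runs in a stock engine (Node.js; it uses no `print`), records every conversion hook the `-` operator invokes on its operands, and shows three observable effects of the supposedly dead statement: the two `toPrimitive(number)` calls whose hint the PoC prints, the `valueOf`/`toString` fallback for an object without a `Symbol.toPrimitive` hook, and an exception escaping the statement. Primitive operands, like those of the first two `f2` calls in the PoC, trigger no calls at all. The function names (`tracedArray`, `observeImplicitCalls`, and so on) are the example's own.

```javascript
// Added example (not from the bug report or WebKit). Shows why the
// expression statement `a1 - a1;` has side effects when a1 is an object:
// the `-` operator applies ToNumeric to both operands, which calls
// Symbol.toPrimitive (or falls back to valueOf/toString), so the
// discarded result still produces observable calls or exceptions.

// The statement under discussion, written as in the PoC.
function discardedSubtraction(a1) {
  a1 - a1; // result unused; the operand conversions still happen
}

// An array shaped like the PoC's `arr`, with a Symbol.toPrimitive hook
// that records the hint the engine passes (the PoC prints this hint).
function tracedArray(log) {
  const arr = [1.1, 2.2, 3.3];
  arr[Symbol.toPrimitive] = function (hint) {
    log.push(`toPrimitive(${hint})`);
    return 0;
  };
  return arr;
}

// An object without Symbol.toPrimitive: with hint "number" the engine
// tries valueOf first and, because it returns a non-primitive here,
// continues with toString.
function tracedPlainObject(log) {
  return {
    valueOf() { log.push("valueOf"); return {}; },
    toString() { log.push("toString"); return "42"; },
  };
}

// Runs `a1 - a1` on the operand built by makeOperand(log) and returns
// the implicit calls observed. Primitive operands produce an empty log.
function observeImplicitCalls(makeOperand) {
  const log = [];
  const a1 = makeOperand(log);
  discardedSubtraction(a1);
  return log;
}

// A third observable effect: an exception thrown from the conversion hook
// propagates out of the "dead" statement. Returns true if it did.
function discardedSubtractionThrows() {
  const a1 = [1.1, 2.2, 3.3];
  a1[Symbol.toPrimitive] = () => { throw new Error("side effect"); };
  try {
    discardedSubtraction(a1);
    return false;
  } catch (e) {
    return e.message === "side effect";
  }
}

console.log(observeImplicitCalls(tracedArray));        // [ 'toPrimitive(number)', 'toPrimitive(number)' ]
console.log(observeImplicitCalls(tracedPlainObject));  // [ 'valueOf', 'toString', 'valueOf', 'toString' ]
console.log(observeImplicitCalls(() => 1));            // [] (same for -9007199254740992)
console.log(discardedSubtractionThrows());             // true
```

The two `toPrimitive(number)` entries are exactly the two `number` lines the reporter lists under "Expected Result"; an optimizer may only drop the subtraction once it has proved both operands are primitives, which the third `f2` call violates.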
Radar WebKit Bug Importer
<rdar://problem/157185744>
Dan Hecht
*** This bug has been marked as a duplicate of bug 305862 ***