Bug 299846

Summary: JIT Optimization bug: DFG ASSERTION FAILED: Bad data format
Product: WebKit Reporter: anbu1024
Component: JavaScriptCoreAssignee: Yusuke Suzuki <ysuzuki>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Local Build   
Hardware: Unspecified   
OS: Unspecified   

anbu1024
Reported 2025-09-29 19:48:53 PDT
JavascriptCore version ``` commit: 57a0f2 ``` Build commands: ``` Tools/Scripts/build-jsc --jsc-only --debug --cmakeargs="-DENABLE_STATIC_JSC=ON -DCMAKE_CXX_FLAGS='-Wno-error -Wno-all -Wno-extra -O0 -lrt'" ``` Test case ```js function foo() { "use strict"; let i = 0; do { const x = []; const t = new RegExp(x, x); parseInt(t, t); i ++; } while (i <= 8); } for (let i = 0; i < 16; i++) { foo(); } ``` Result: ``` DFG ASSERTION FAILED: Bad data format WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp(1267) : JSC::GPRReg JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal(JSC::DFG::Edge, JSC::DataFormat&) [with bool strict = false; JSC::GPRReg = JSC::X86Registers::RegisterID] ```
Attachments
Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2025-09-29 19:51:13 PDT
<rdar://problem/161617852>
Yusuke Suzuki
Comment 2 2025-10-10 23:08:23 PDT
Thanks! This is deterministic release assert crash, so categorizing it to non-security.
Yusuke Suzuki
Comment 3 2025-10-10 23:10:34 PDT
Pull request: https://github.com/WebKit/WebKit/pull/52164
EWS
Comment 4 2025-10-11 09:52:30 PDT
Committed 301359@main (1b8a020d3b82): <https://commits.webkit.org/301359@main> Reviewed commits have been landed. Closing PR #52164 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.