RESOLVED FIXED 263881
[JSC] BitURShift is eliminated when toString has an effect
https://bugs.webkit.org/show_bug.cgi?id=263881
EntryHi
Reported 2023-10-30 05:10:16 PDT
==================test.js=====================
function f1(o, value) {
    // toString handler with an observable side effect on `o`
    function f2() {
        o.x = value
        return 2
    }
    let y = {}
    y.toString = f2
    // Result is unused, but the conversion of `y` must still call f2
    y >>> 1;
}
noInline(f1)
let obj = {}
for (let v25 = 0; v25 < 100; v25++) {
    f1(obj, v25);
}
print(obj.x)
==============================================

Run args: ./jsc -f test.js --useConcurrentJIT=0 --jitPolicyScale=0

obj.x should be 99, but JSC prints 1.

This bug may be related to DCE and DFGMovHintRemovalPhase. I noticed JSC added a new phase named DFGMovHintRemoval. Is this phase too radical for the JavaScript semantics?
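The invariant behind the report, as an added regression check that is not part of the original report or of WebKit's test suite: an operator whose result is discarded must still run the operand's toString exactly once per evaluation. It extends the check from `>>>` to other operators that perform the same numeric conversion (which says nothing about whether those were affected); the names OPERATORS, countConversions and checkAll are hypothetical, and the code uses no shell-specific builtins.

```javascript
// Added example: portable check that a discarded operator result still runs
// the operand's user-defined conversion exactly once per evaluation.
// OPERATORS, countConversions and checkAll are hypothetical names.

// Each entry evaluates one operator on `y` and throws the result away,
// mirroring the `y >>> 1;` statement in the report.
const OPERATORS = {
  ">>>": (y) => { y >>> 1; },
  ">>": (y) => { y >> 1; },
  "<<": (y) => { y << 1; },
  "|": (y) => { y | 0; },
  "&": (y) => { y & 1; },
  "^": (y) => { y ^ 1; },
  "unary -": (y) => { -y; },
  "*": (y) => { y * 1; },
};

// Runs one operator `iterations` times in a hot loop, so optimizing tiers get
// a chance to compile it, and returns what the conversion hook observed.
function countConversions(op, iterations) {
  const sink = { calls: 0, last: undefined };
  function run(o, value) {
    const y = {};
    // Object.prototype.valueOf returns the object itself, so ToPrimitive
    // falls through to this toString; its writes to `o` are the side effect.
    y.toString = function () { o.calls++; o.last = value; return 2; };
    op(y);
  }
  for (let i = 0; i < iterations; i++) run(sink, i);
  return sink;
}

// Returns the operators whose side effect was dropped or duplicated.
function checkAll(iterations) {
  const failures = [];
  for (const [name, op] of Object.entries(OPERATORS)) {
    const { calls, last } = countConversions(op, iterations);
    if (calls !== iterations || last !== iterations - 1) {
      failures.push({ name, calls, last });
    }
  }
  return failures;
}

console.log(checkAll(20000)); // empty array on a conforming engine
```

The iteration count is an arbitrary constructed value; how many iterations it takes to reach an optimizing tier depends on the engine and its flags.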
Radar WebKit Bug Importer
Comment 1 2023-11-06 04:11:14 PST
Yusuke Suzuki
Comment 2 2025-05-23 15:33:41 PDT
EWS
Comment 3 2025-05-23 19:05:15 PDT
Committed 295380@main (9126da39238b): <https://commits.webkit.org/295380@main> Reviewed commits have been landed. Closing PR #45861 and removing active labels.