288815 – JavaScriptCore generates wrong result in type conversion.

RESOLVED DUPLICATE of bug 291362 288815

JavaScriptCore generates wrong result in type conversion.

https://bugs.webkit.org/show_bug.cgi?id=288815

Summary JavaScriptCore generates wrong result in type conversion.

EntryHi

Reported 2025-02-27 23:38:08 PST

Hello, I found a bug in JSC. ==============poc.js============== var ab = new ArrayBuffer(8); var array_i = new Int32Array(ab); array_i[0] = 0 array_i[1] = -1 var array_f = new Float64Array(ab); var array_d = new Float64Array(1); function opt_store() { array_d[0] = array_f[0]; } opt_store(); opt_store(); var i32 = new Int32Array(array_d.buffer); print(i32[1]) ================================ Step 1: ./jsc poc.js --useConcurrentJIT=0 --jitPolicyScale=0 Step 2: ./jsc poc.js --useConcurrentJIT=0 --jitPolicyScale=0.1 Result of Step 1: -1 Result of Step 2: 2146959360

Attachments
Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2025-03-06 23:38:18 PST

<rdar://problem/146457747>

Yusuke Suzuki

Comment 2 2025-05-23 14:25:41 PDT

Fixed in bug 291362, thanks! *** This bug has been marked as a duplicate of bug 291362 ***

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution DUPLICATE

of bug 291362

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware PC

OS Linux

Product WebKit

Component JavaScriptCore

Assignee

Nobody

Reported

2025-02-27 23:38 PST

Modified

2025-05-23 14:25 PDT History

CC List

3 users Show

URL

Keywords InRadar

Depends on

Blocks