288816 – JavaScriptCore generates incorrect results in LogicAnd and LogicOr.

NEW 288816

JavaScriptCore generates incorrect results in LogicAnd and LogicOr.

https://bugs.webkit.org/show_bug.cgi?id=288816

Summary JavaScriptCore generates incorrect results in LogicAnd and LogicOr.

EntryHi

Reported 2025-02-27 23:45:46 PST

Hello, I found a bug in JSC. ==============poc.js============== function test(a) { return a + 0x7fffffff + 1.1 & 0x7fffffff | a; } print(test(1)); ================================ Step 1: ./jsc poc.js --useConcurrentJIT=0 --jitPolicyScale=0 Step 2: ./jsc poc.js --useConcurrentJIT=0 --jitPolicyScale=0.1 Result of Step 1: 3 Result of Step 2: 1

Attachments
Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2025-03-06 23:46:18 PST

<rdar://problem/146458144>

Kirk Elliott

Comment 2 2025-07-22 10:47:50 PDT

Pull request: https://github.com/WebKit/WebKit/pull/48312

Kirk Elliott

Comment 3 2025-07-22 10:52:51 PDT

Pull request: https://github.com/dmvjs/WebKit/pull/1

Kirk Elliott

Comment 4 2025-08-08 15:02:39 PDT

Pull request: https://github.com/WebKit/WebKit/pull/49156

Note You need to log in before you can comment on or make changes to this bug.

Status NEW

Resolution

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware PC

OS Linux

Product WebKit

Component JavaScriptCore

Assignee

Nobody

Reported

2025-02-27 23:45 PST

Modified

2025-08-08 15:02 PDT History

CC List

3 users Show

URL

Keywords InRadar

Depends on

Blocks