291356 – Negative zero in fiatInt52 makes JavaScriptCore crash.

RESOLVED DUPLICATE of bug 292197291356

Negative zero in fiatInt52 makes JavaScriptCore crash.

https://bugs.webkit.org/show_bug.cgi?id=291356

Summary Negative zero in fiatInt52 makes JavaScriptCore crash.

EntryHi

Reported 2025-04-10 02:58:50 PDT

Hello, I found a bug in JavaScriptCore. poc.js ``` for (let v0 = 0; v0 < 100; v0++) { fiatInt52(-0); for (let v4 = 0; v4 < 100; v4++) {} } ``` Reproduce steps: 1. Compiler JSC in Debug mode or Release mode; (commit id: 25d80dcb4ad37d0780f9a88f05c01de0a1935c04) 2. Run: ./jsc poc.js --useConcurrentJIT=0 Result: Trace/breakpoint trap (core dumped) JavaScriptCore crashed in the JITTed code.

Attachments
Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2025-04-17 02:59:15 PDT

<rdar://problem/149464800>

Yusuke Suzuki

Comment 2 2025-05-23 14:21:35 PDT

Looks like it is fixed via bug 292197. Thanks!

Yusuke Suzuki

Comment 3 2025-05-23 14:21:56 PDT

*** This bug has been marked as a duplicate of bug 292197 ***

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution DUPLICATE

of bug 292197

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware PC

OS Linux

Product WebKit

Component JavaScriptCore

Assignee

Nobody

Reported

2025-04-10 02:58 PDT

Modified

2025-05-23 14:21 PDT History

CC List

3 users Show

URL

Keywords InRadar

Depends on

Blocks