296316 – Abstract Interpreter incorrectly optimizes CompareLess into Constant False when two oprands are Symbol.

RESOLVED FIXED296316

Abstract Interpreter incorrectly optimizes CompareLess into Constant False when two oprands are Symbol.

https://bugs.webkit.org/show_bug.cgi?id=296316

Summary Abstract Interpreter incorrectly optimizes CompareLess into Constant False wh...

EntryHi

Reported 2025-07-22 00:26:03 PDT

Hello, I found a bug in JavaScriptCore (commit id: 101f7c7836eaa3e6c56d8a6fe1d8812efbb8959f). This bug is similar to https://bugs.webkit.org/show_bug.cgi?id=296270 which has been fixed. PoC.js ``` try { const x = Symbol(); for (let i = 0; i < 70; i++) { x.__proto__; } x < x; } catch (e) { print(e) } ``` Reproduce: ./jsc --useConcurrentJIT=0 --jitPolicyScale=0 PoC.js Expected Result: JSC should throw an exception: TypeError: Cannot convert a symbol to a number. Actual Result: JSC does not throw any exception. Abstract Interpreter incorrectly converts CompareLess into Constant False in Constant Folding Optimization.

Attachments
Add attachment proposed patch, testcase, etc.

Sosuke Suzuki

Comment 1 2025-07-27 09:46:09 PDT

Pull request: https://github.com/WebKit/WebKit/pull/48571

EWS

Comment 2 2025-07-27 19:38:50 PDT

Committed 297910@main (71cedad38d10): <https://commits.webkit.org/297910@main> Reviewed commits have been landed. Closing PR #48571 and removing active labels.

Radar WebKit Bug Importer

Comment 3 2025-07-27 19:39:13 PDT

<rdar://problem/156876784>

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware PC

OS Linux

Product WebKit

Component JavaScriptCore

Assignee

Sosuke Suzuki

Reported

2025-07-22 00:26 PDT

Modified

2025-07-27 19:39 PDT History

CC List

3 users Show

URL

Keywords InRadar

Depends on

Blocks