296423 – Dead Code Elimination eliminates ArithSub incorrectly when AritheSub may have implicit calls.

RESOLVED DUPLICATE of bug 305862296423

Dead Code Elimination eliminates ArithSub incorrectly when AritheSub may have implicit calls.

https://bugs.webkit.org/show_bug.cgi?id=296423

Summary Dead Code Elimination eliminates ArithSub incorrectly when AritheSub may have...

EntryHi

Reported 2025-07-23 23:48:01 PDT

Hello, I found a bug in JavaScriptCore (commit id: 101f7c7836eaa3e6c56d8a6fe1d8812efbb8959f). PoC.js ``` function f1(a) { print(a) return a; } function f2(a1, a2, a3) { try { a2.apply(1, 256); } catch (e) {} a1 - a1; try { eval(a3.toLocaleString()); } catch (e) {} } const arr = [1.1, 2.2, 3.3]; arr[Symbol.toPrimitive] = f1; f2(1, 1, Uint8Array); f2(-9007199254740992, 1, {}); f2(arr, 1, 1); print("end") ``` Reproduce: ./jsc --useConcurrentJIT=0 --jitPolicyScale=0 PoC.js Expected Result: number number end Actual Result: end

Attachments
Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2025-07-30 23:48:13 PDT

<rdar://problem/157185744>

Dan Hecht

Comment 2 2026-01-20 18:50:18 PST

*** This bug has been marked as a duplicate of bug 305862 ***

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution DUPLICATE

of bug 305862

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware PC

OS Linux

Product WebKit

Component JavaScriptCore

Assignee

Nobody

Reported

2025-07-23 23:48 PDT

Modified

2026-01-20 18:50 PST History

CC List

4 users Show

URL

Keywords InRadar

Depends on

Blocks