WebKit Bugzilla
New
Browse
Search+
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED FIXED
299846
JIT Optimization bug: DFG ASSERTION FAILED: Bad data format
https://bugs.webkit.org/show_bug.cgi?id=299846
Summary
JIT Optimization bug: DFG ASSERTION FAILED: Bad data format
anbu1024
Reported
2025-09-29 19:48:53 PDT
JavascriptCore version ``` commit: 57a0f2 ``` Build commands: ``` Tools/Scripts/build-jsc --jsc-only --debug --cmakeargs="-DENABLE_STATIC_JSC=ON -DCMAKE_CXX_FLAGS='-Wno-error -Wno-all -Wno-extra -O0 -lrt'" ``` Test case ```js function foo() { "use strict"; let i = 0; do { const x = []; const t = new RegExp(x, x); parseInt(t, t); i ++; } while (i <= 8); } for (let i = 0; i < 16; i++) { foo(); } ``` Result: ``` DFG ASSERTION FAILED: Bad data format WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp(1267) : JSC::GPRReg JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal(JSC::DFG::Edge, JSC::DataFormat&) [with bool strict = false; JSC::GPRReg = JSC::X86Registers::RegisterID] ```
Attachments
Add attachment
proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1
2025-09-29 19:51:13 PDT
<
rdar://problem/161617852
>
Yusuke Suzuki
Comment 2
2025-10-10 23:08:23 PDT
Thanks! This is deterministic release assert crash, so categorizing it to non-security.
Yusuke Suzuki
Comment 3
2025-10-10 23:10:34 PDT
Pull request:
https://github.com/WebKit/WebKit/pull/52164
EWS
Comment 4
2025-10-11 09:52:30 PDT
Committed
301359@main
(1b8a020d3b82): <
https://commits.webkit.org/301359@main
> Reviewed commits have been landed. Closing PR #52164 and removing active labels.
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug