RESOLVED FIXED305721
Crashing in thought-to-be-unreachable FTL-generated code 
https://bugs.webkit.org/show_bug.cgi?id=305721
Summary Crashing in thought-to-be-unreachable FTL-generated code
katoshi1337
Reported 2026-01-18 04:47:13 PST
Poc.js: let v1 = 2.0; for (let v2 = 0; v2 < 100; v2++) { let v3 = -1061384422; function f4(a5, a6, a7) { if (!(a5 == -4294967297)) { } a5 * a6; Math.abs(Math); v3++; return v1; } for (let v13 = 0; v13 < 100; v13++) { f4(v13, v1); } } v1++; gc(); ./jsc --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAft erWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 ./poc.js Crashing in thought-to-be-unreachable FTL-generated code for <global>#BI1NYd:[0x7fffe94a07b0->0x7fffe94a0150->0x7fffeb02d988, FTLGlobal, 195 (DidTryToEnterInLoop)] at basic block #5, node @0.
Attachments
Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2026-01-18 04:47:19 PST
<rdar://problem/168397840>
Yusuke Suzuki
Comment 2 2026-01-22 12:44:34 PST
This is a deterministic crash via FTL unreachable. So not security issue.
Yusuke Suzuki
Comment 3 2026-01-22 12:56:29 PST
Pull request: https://github.com/WebKit/WebKit/pull/57066
EWS
Comment 4 2026-01-22 21:53:46 PST
Committed 306060@main (dc60e5a7e380): <https://commits.webkit.org/306060@main> Reviewed commits have been landed. Closing PR #57066 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.