Bug 296270 - RESOLVED FIXED
Abstract Interpreter incorrectly optimized CompareLessEq into Constant True when two operands are undefined.
https://bugs.webkit.org/show_bug.cgi?id=296270
EntryHi
Reported 2025-07-21 05:17:04 PDT
Hello, I found a bug in JavaScriptCore (commit id: 04d2f39a0b7924afd3de78310c80fbc8b6109fd8).

PoC.js:

```
function opt(start, end) {
  for (let j = start; j <= end; j++) {
    function f() { f = start; }
    print(j)
  }
}
for (let i = 0; i < 10; i++) {
  opt(opt, i);
  opt(); // print accidentally
  print(i) // for debug
}
```

Reproduce:

1. ./jsc --useConcurrentJIT=0 --jitPolicyScale=0 PoC.js
2. ./jsc --useConcurrentJIT=0 --jitPolicyScale=0.001 PoC.js

Result of Step 1:

```
0
1
2
undefined
3
undefined
4
undefined
5
undefined
6
undefined
7
undefined
8
9
```

Result of Step 2:

```
0
1
2
3
4
5
6
7
8
9
```

Function opt is inlined into global function in FTL. In the second opt call, CompareLessEq has two operands, both of them are Constant undefined. Abstract Interpreter incorrectly converts CompareLessEq into Constant True in Constant Folding Optimization. Actually, `undefined <= undefined` should return false in JavaScript.
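As an added illustration (not part of the bug report and not WebKit's own code), the following reference model of the ECMAScript abstract relational comparison shows why `undefined <= undefined` must evaluate to false: `x <= y` is specified as "not (y < x)", and any NaN operand makes the inner comparison return undefined, which `<=` maps to false. It also includes a differential check that runs the model against the host engine's native `<=` over a constructed list of primitive values, the kind of oracle a constant folder's output can be compared against. The function names and the value list are constructed for this example; the semantics follow the specification's IsLessThan algorithm restricted to primitives (no BigInt, no objects).

```javascript
// Added example: reference model of ECMAScript relational comparison for
// primitive operands, plus a differential check against the native operator.

// ToNumber for the primitive types this model supports.
function toNumber(v) {
  if (v === undefined) return NaN;              // undefined -> NaN
  if (v === null) return 0;                     // null -> +0
  if (typeof v === 'boolean') return v ? 1 : 0;
  if (typeof v === 'number') return v;
  if (typeof v === 'string') return Number(v);  // "" -> 0, "abc" -> NaN
  throw new TypeError('unsupported operand type: ' + typeof v);
}

// IsLessThan(x, y): returns true, false, or undefined when either side is NaN.
function isLessThan(x, y) {
  if (typeof x === 'string' && typeof y === 'string') {
    return x < y;  // code-unit lexicographic compare; NaN cannot arise here
  }
  const nx = toNumber(x);
  const ny = toNumber(y);
  if (Number.isNaN(nx) || Number.isNaN(ny)) return undefined;
  return nx < ny;
}

// x <= y: r = IsLessThan(y, x); the result is false if r is true or
// undefined, otherwise true. So undefined <= undefined is false, while
// null <= null is true (0 <= 0).
function lessEq(x, y) {
  const r = isLessThan(y, x);
  return !(r === true || r === undefined);
}

// Differential check: compare the model to the host engine's native `<=`
// over every ordered pair of the given values. Returns the mismatching
// pairs; an empty list means the host agrees with the model.
function findMismatches(values) {
  const mismatches = [];
  for (const a of values) {
    for (const b of values) {
      const expected = lessEq(a, b);
      const actual = a <= b;
      if (expected !== actual) mismatches.push({ a, b, expected, actual });
    }
  }
  return mismatches;
}

// Constructed sample operands covering the NaN-producing conversions.
const SAMPLE_VALUES = [undefined, null, true, false, 0, 1, -1, NaN, Infinity, '', '0', 'abc'];

// Usage: an engine whose constant folder turned the undefined/undefined case
// into true would show up here as a { a: undefined, b: undefined } mismatch.
console.log('undefined <= undefined =>', lessEq(undefined, undefined));
console.log('mismatches:', findMismatches(SAMPLE_VALUES));
```

The model deliberately keeps the three-valued result of IsLessThan visible, because that is the step a constant folder must preserve: folding `a <= b` to true is only valid when the folder can prove neither converted operand is NaN, and undefined always converts to NaN.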
Radar WebKit Bug Importer
Comment 1 2025-07-21 18:29:08 PDT
Yusuke Suzuki
Comment 2 2025-07-21 18:31:12 PDT
EWS
Comment 3 2025-07-21 22:30:37 PDT
Committed 297726@main (101f7c7836ea): <https://commits.webkit.org/297726@main> Reviewed commits have been landed. Closing PR #48360 and removing active labels.