[Webkit-unassigned] [Bug 288815] New: JavaScriptCore generates wrong result in type conversion.
bugzilla-daemon at webkit.org
Thu Feb 27 23:38:08 PST 2025
https://bugs.webkit.org/show_bug.cgi?id=288815
Bug ID: 288815
Summary: JavaScriptCore generates wrong result in type conversion.
Product: WebKit
Version: WebKit Nightly Build
Hardware: PC
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: entryhii at gmail.com
Hello, I found a bug in JSC.
==============poc.js==============
var ab = new ArrayBuffer(8);
var array_i = new Int32Array(ab);
array_i[0] = 0   // low 32 bits of the double
array_i[1] = -1  // high 32 bits: the buffer now holds 0xFFFFFFFF00000000, a NaN with a non-zero payload
var array_f = new Float64Array(ab);
var array_d = new Float64Array(1);
function opt_store() {
array_d[0] = array_f[0];  // Float64Array-to-Float64Array copy of that NaN
}
opt_store();
opt_store();
var i32 = new Int32Array(array_d.buffer);
print(i32[1])  // high word of the copied value: -1 if the bit pattern was preserved unchanged
================================
Step 1: ./jsc poc.js --useConcurrentJIT=0 --jitPolicyScale=0
Step 2: ./jsc poc.js --useConcurrentJIT=0 --jitPolicyScale=0.1
Result of Step 1: -1
Result of Step 2: 2146959360