Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 9621a2879b14858e5aa7527b4954c4c1a37e1e3c
      
https://github.com/WebKit/WebKit/commit/9621a2879b14858e5aa7527b4954c4c1a37e1e3c
  Author: Shu-yu Guo <[email protected]>
  Date:   2026-02-02 (Mon, 02 Feb 2026)

  Changed paths:
    A JSTests/stress/dfg-compare-same-value-other.js
    M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

  Log Message:
  -----------
  [JSC] Fix DFG constant folding of comparisons of the same value
https://bugs.webkit.org/show_bug.cgi?id=306820
rdar://169422742

Reviewed by Yusuke Suzuki.

Comparisons where both operands are the same can sometimes be folded to
constant true/false. DFG AI is currently incorrectly breaking out of the case
early when this folding isn't successful (e.g. when doing <= on symbols), which
causes such nodes to have a bottom type and be treated as unreachable, which
generates a brk that crashes at runtime.

Test: JSTests/stress/dfg-compare-same-value-other.js
* JSTests/stress/dfg-compare-same-value-other.js: Added.
(i.c.of.string_appeared_here.catch):
* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

Canonical link: https://commits.webkit.org/306674@main


