JSC version: afe912ce640a337086d106e4853c3dabae003a38 Build options: ``` ./Tools/Scripts/build-jsc --jsc-only --debug ``` Test case: ``` function foo(arg) { const x = /\s.\W/iu; x + x; const a = 0 | arg; const b = a + 0.1; const vvv = 1020000; const c = b >> x; return c; } let x = 3; let y = -2147483647; // 0x7fffffff let apple = foo(y); print("function call before JIT opt") print(apple); for(let i=0; i<200; i++) { foo(x); } let banana = foo(y); print("function call after JIT opt") print(banana); ``` Result: ``` function call before JIT opt -2147483646 function call after JIT opt -2147483647 ```
<rdar://problem/117563215>
Pull request: https://github.com/apple/WebKit/pull/909
Pull request https://github.com/apple/WebKit/pull/909 is invalidated. This turned out to not be a security bug after all. Due to some unfortunate paperwork shuffle, this bug actually ended up being fixed in https://bugs.webkit.org/show_bug.cgi?id=264278.
Sorry for the forward dupe, but https://bugs.webkit.org/show_bug.cgi?id=264278 tracks the fix. *** This bug has been marked as a duplicate of bug 264278 ***