[Webkit-unassigned] [Bug 86330] New: Javascript doesn't behave the same with and without the debugger

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun May 13 20:49:31 PDT 2012 

https://bugs.webkit.org/show_bug.cgi?id=86330

           Summary: Javascript doesn't behave the same with and without
                    the debugger
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Macintosh Intel
               URL: http://felixcloutier.com/documents/jsx-webkit/mock.xht
                    ml
        OS/Version: Mac OS X 10.7
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: felixcca at yahoo.ca
                CC: oliver at apple.com, fpizlo at apple.com


Using r116899.

I hope you won't hate me too much for this bug report. I've been told on #webkit to report it anyways.

I'm working on a Playstation emulator written in Javascript. It generates Javascript code from MIPS instructions and executes them; but when the debugger is not attached, the execution goes wrong. At some point, the value 0x80054664 should be assigned to element #31 of a Uint32Array (called "this.gpr") through a very simple statement:

    this.gpr[31] = 0x8005465c;

But the statement is either not executed or does not write the correct value, because instead I get this.gpr[31] == 0x80000000, which is the value it had before the assignment.

When the code is run with the Javascript debugger enabled, it does write 0x80054664, so the problem seems to be with the "production" JS compiler.

Also, when this.gpr[31] is not a typed array element (like if I make this.gpr an object with getters and setters for indices 0-33), everything goes right.

The bug is also resilient to mocking. Setting up the state of the emulator to something that simply "looks like" the conditions in which the bug happens (mocking the GPR state and the function generated) doesn't trigger it. I would very much like to give you a complete test case, but for this I would need to send a PlayStation BIOS, and I can't do that.

Still, I've joined the URL of the mock, so you can get an idea of what's going on. The generated Javascript code that doesn't work under obscure circumstances can be found in mock.js (the "psx.memory.compiled.compiled[0x8005465c]" part). For all practical purposes, the only part of this function that should be executed is from line 230 to line 233.

If there's any way I could be more helpful, please tell me how, I'll gladly do it.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list