[Webkit-unassigned] [Bug 136508] New: Nitro JIT produces incorrect math on 32-bit iOS devices

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Sep 3 15:29:34 PDT 2014 

https://bugs.webkit.org/show_bug.cgi?id=136508

           Summary: Nitro JIT produces incorrect math on 32-bit iOS
                    devices
           Product: WebKit
           Version: 525.x (Safari 3.2)
          Platform: iOS
               URL: https://github.com/facebook/immutable-js/issues/92
        OS/Version: iOS 7.0
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: lee at leebyron.com


Please follow along with the current public investigation happening at https://github.com/facebook/immutable-js/issues/92

This Javascript library creates Trie data structures and uses bit-shifting math to operate correctly. A contributor discovered that getting data from a Trie started to fail after a few dozen iterations and reduced to simple test case.

On investigation, it was found that the expression "(1 << ((hash >>> shift) & MASK)" was evaluating to "1" for values hash: 3556498, shift: 0, MASK: 31. This expression should evaluate to "262144". More specifically, "(hash >>> 0)" starts evaluating to 0 after a few dozen passes.

On further investigation to narrow the issue, 64-bit devices such as the iPhone 5S are not affected. Desktops of any kind do not seem to be affected. Alternative iOS browsers like Chrome are not affected (they do not have JIT). Plugging the device in to use Safari's debugger causes the error to vanish. Adding in too much logging causes the error to vanish.

This seems to narrow the cause down to a bug with the JIT'd code. Because changing the code slightly can cause the error to vanish, we haven't been able to create a more minimal failing case.

Steps to Reproduce:
Please read the steps at https://github.com/facebook/immutable-js/issues/92

Opening this test case http://codepen.io/conradz/pen/bKClx in Safari on a 32bit iOS device

Expected Results:
Test case works correctly, each iteration of the loop yields the same result

Actual Results:
Test case fails. First few dozen iterations of the loop succeed, but then the loop fails, presumably after a JIT optimization has taken place

Version:
iOS 7.1.2

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list