[Webkit-unassigned] [Bug 136803] New: DataView result wrong when optimized

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Sep 13 08:52:54 PDT 2014 

https://bugs.webkit.org/show_bug.cgi?id=136803

           Summary: DataView result wrong when optimized
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Macintosh Intel
               URL: http://bertfreudenberg.github.io/SqueakJS/etoys/#noFlo
                    atDecodeWorkaround
        OS/Version: Mac OS X 10.9
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: bert at freudenbergs.de


I'm reading about 30,000 floats interspersed with other stuff from a large ArrayBuffer. They're regular IEEE-754 doubles, but stored with the upper and lower 32 bits swapped:

        var data = new DataView(theBits.buffer, theBits.byteOffset),
            buffer = new ArrayBuffer(8),
            swapped = new DataView(buffer);
        swapped.setUint32(0, data.getUint32(4));
        swapped.setUint32(4, data.getUint32(0));
        return swapped.getFloat64(0, true);

This works fine in Safari and Chrome and Firefox and IE11.

However, it stops working in Safari after about 25,000 executions. From a certain point forward, it always answers 1.3797216632888e-310, no matter what the actual bits are.

If I run it in Safari with the error console open, it reads all 30,000 floats correctly.

This sounded like an optimization error, so I added a workaround:

        var data = new DataView(theBits.buffer, theBits.byteOffset),
            buffer = new ArrayBuffer(8),
            swapped = new DataView(buffer);
        (function() {
            swapped.setUint32(0, data.getUint32(4));
            swapped.setUint32(4, data.getUint32(0));
        })();
        return swapped.getFloat64(0, true);

With this workaround, all 30,000 floats are read correctly even if the error console is not open.

How to reproduce:
I was unable to reproduce the problem in a small snippet. It happens on this webpage, the symptom being that the canvas rendering is incomplete:
http://bertfreudenberg.github.io/SqueakJS/etoys/#noFloatDecodeWorkaround

With my workaround not disabled, it renders correctly:
http://bertfreudenberg.github.io/SqueakJS/etoys/
(If you get an alert about errors, reload. They are not reproducible like the bug I report here, although I believe them to be caused by wrong optimization, too)

Here is the commit where I added a workaround, preventing optimization of my decodeFloat method:
https://github.com/bertfreudenberg/SqueakJS/commit/e7e5a33b24cebcfbc55b7c251fcdec836ea4f27b

Please let me know if I can be of any further assistance on this bug. The FTL JIT beats all other JS engines on the Mac hands-down in speed for this Smalltalk virtual machine project, except it gets it wrong, sometimes.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list