[Webkit-unassigned] [Bug 232679] New: Differential Testing: negative Date compute NaN in FTL
bugzilla-daemon at webkit.org
Wed Nov 3 12:58:26 PDT 2021
https://bugs.webkit.org/show_bug.cgi?id=232679
Bug ID: 232679
Summary: Differential Testing: negative Date compute NaN in FTL
Product: WebKit
Version: WebKit Local Build
Hardware: PC
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: lukas.bernhard at rub.de
During differential testing of WebKit, I found a sample triggering a miscomputation in FTL related to using Date in a negative integer context.
The sample is invoked as:
WebKitBuild/Release/bin/jsc --validateOptions=true --useConcurrentJIT=false --useConcurrentGC=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --validateBCE=true --useFTLJIT=true sample.js
function main() {
    let v1 = 0;
    while (v1++ < 9) { }
    let v19 = 0;
    let v45;
    do {
        function v22() {
            "a".charCodeAt(undefined);
            const v44 = new Date(123);
            v45 = -v44;
            for (let v49 = -4096; v49 < 100; v49++) { }
        }
        v22();
    } while (v19++ < 7);
    print(v45); // -123 without FTL, NaN with FTL (also -123 in spidermonkey)
}
main();
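An added example, not part of the original report or of WebKit's own tooling: a minimal harness for the kind of differential run described above, executing the same sample with FTL on and off and grouping configurations by observable result. The function names are hypothetical, and using `--useFTLJIT=false` as the comparison configuration is an assumption (the report only shows `--useFTLJIT=true`).

```python
import subprocess
import sys
from collections import defaultdict

def run_config(argv, timeout=30):
    """Run one engine configuration; (exit code, stdout) is its observable result."""
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return ("timeout", "")
    # Comparing printed text avoids numeric pitfalls such as NaN != NaN.
    return (proc.returncode, proc.stdout.strip())

def differential(configs, timeout=30):
    """Map each distinct observable result to the configurations that produced it."""
    groups = defaultdict(list)
    for name, argv in configs.items():
        groups[run_config(argv, timeout)].append(name)
    return dict(groups)

def diverges(groups):
    """More than one distinct result means at least one configuration miscomputed."""
    return len(groups) > 1

def jsc_configs(jsc, sample, base_flags=()):
    """Same binary, sample and flags; only the FTL switch differs (assumed off-value)."""
    return {
        "ftl": [jsc, *base_flags, "--useFTLJIT=true", sample],
        "no-ftl": [jsc, *base_flags, "--useFTLJIT=false", sample],
    }

if __name__ == "__main__":
    if len(sys.argv) >= 3:  # difftest.py <jsc> <sample.js> [extra jsc flags...]
        # Pass the report's --useConcurrentJIT=false / --useConcurrentGC=false here
        # so JIT compilation is synchronous and runs are repeatable.
        configs = jsc_configs(sys.argv[1], sys.argv[2], sys.argv[3:])
    else:  # constructed stand-ins that print what the report observed
        configs = {"ftl": [sys.executable, "-c", "print('NaN')"],
                   "no-ftl": [sys.executable, "-c", "print(-123)"]}
    groups = differential(configs)
    for (code, out), names in groups.items():
        print(f"{', '.join(names)}: exit={code} stdout={out!r}")
    print("DIVERGENCE" if diverges(groups) else "consistent")
```

Because the exit code is part of the compared result, a crash in one tier is reported as a divergence in the same way as a wrong value.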