[Webkit-unassigned] [Bug 232754] New: Differential testing: miscomputation for string type in baseline execution

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Nov 5 05:43:20 PDT 2021 

https://bugs.webkit.org/show_bug.cgi?id=232754

            Bug ID: 232754
           Summary: Differential testing: miscomputation for string type
                    in baseline execution
           Product: WebKit
           Version: WebKit Local Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: lukas.bernhard at rub.de

During differential testing of webkit I found a sample triggering a miscomputation in the baseline execution. The sample is larger than I'd like it to be, unfortunately all further minimizations I attempted did break the differential behavior.

The sample is invoked as:
WebKitBuild/Release/bin/jsc --validateOptions=true --useConcurrentJIT=false --useConcurrentGC=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --validateBCE=true --useFTLJIT=true sample.js


function main() {
    let v83;
    let v102;
    const v30 = []; 

    for (let v56 = 0; v56 < 80; v56++) {
        let v57 = 0;
        const v59 = []; 
        const v61 = []; 

        v63 = [0.0];
        function v65(v66,v67,v68) {
            const v69 = v63 * v30;
            const v70 = Uint16Array;
            let v72 = 0;
            const v76 = [0,0,v61,0];
            const v78 = []; 

            v79 = {__proto__:[], length:"a"};
            const v81 = [0,0,v79,v76];
            v83 = [v65];
            Reflect.apply(v81.map,v67,[v65]);

            for (const v86 of v68) {
                v87 = v59 << v86;
                const v91 = new Int32Array(0);
                const v92 = undefined;
                const v94 = Symbol(undefined);
                v102 = v94.description;
                v57++;
            }   
        }   
        const v105 = v65(0.0,"aaaa",v63);
    }

    print(v102); // undefined with and without FTL
    print(typeof v102); // string without FTL, undefined with FTL (also undefined in spidermonkey)
}
main();

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20211105/f75bb4e6/attachment.htm>

More information about the webkit-unassigned mailing list