[Webkit-unassigned] [Bug 232966] New: Differential testing: miscomputation involving spread operator
bugzilla-daemon at webkit.org
Wed Nov 10 13:56:56 PST 2021
https://bugs.webkit.org/show_bug.cgi?id=232966
Bug ID: 232966
Summary: Differential testing: miscomputation involving spread operator
Product: WebKit
Version: WebKit Local Build
Hardware: PC
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: lukas.bernhard at rub.de
During differential testing of WebKit I found a sample triggering a miscomputation in FTL.
JSC on git commit: 93d2e7bf275b
Build options: ./Tools/Scripts/build-jsc --jsc-only --release --cmakeargs="-ENABLE_STATIC_JSC=ON -DCMAKE_C_COMPILER='/usr/bin/clang-12' -DCMAKE_CXX_COMPILER='/usr/bin/clang++-12' -DCMAKE_CXX_FLAGS='-fsanitize-coverage=trace-pc-guard -O3 -lrt -fuse-ld=lld'"
WebKitBuild/Debug/bin/jsc --validateOptions=true --useConcurrentJIT=false --useConcurrentGC=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --validateBCE=true --useFTLJIT=true sample.js
```
function main() {
    let v26;
    const v13 = [0, 0];
    v16 = [0];
    const v18 = v16.__proto__;
    const v23 = (v24,...v25) => {
        v26 = v25[-80887344];
    };
    v18[-80887344] = v13;
    for (let v30 = -256; v30 < 100; v30++) {
        const v31 = v23(0);
    }
    print(v26); // 0,0 without FTL, undefined with FTL
}
noDFG(main);
main();
```
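A minimal differential check in the spirit of the report, as an added example that is not part of the original message or the reporter's tooling: it runs one sample with `--useFTLJIT=false` and with `--useFTLJIT=true` and flags any difference in stdout or exit status. The `JSC_BIN` default and the function names are assumptions; the flags are taken from the command line in the report.

```shell
#!/bin/sh
# Differential check of one sample across two JIT configurations.
# JSC_BIN is an assumed path; override it to point at your own build.
JSC_BIN="${JSC_BIN:-WebKitBuild/Debug/bin/jsc}"

# Flags shared by both runs (from the report): no concurrent JIT/GC and low
# tier-up thresholds, so each tier is reached deterministically and early.
COMMON_FLAGS="--useConcurrentJIT=false --useConcurrentGC=false \
--thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 \
--thresholdForFTLOptimizeAfterWarmUp=1000"

# run_config <sample> <extra-flag> <out-file>
# Stores stdout followed by the exit status, so a crash or assertion failure
# in only one configuration is reported as a divergence as well.
run_config() {
    status=0
    # COMMON_FLAGS is intentionally unquoted so it splits into separate flags.
    "$JSC_BIN" $COMMON_FLAGS "$2" "$1" >"$3" 2>/dev/null || status=$?
    echo "exit=$status" >>"$3"
}

# diff_tiers <sample>
# Returns 0 when both configurations agree, 1 on a divergence (diff printed),
# 2 when no temporary directory could be created.
diff_tiers() {
    sample=$1
    tmp=$(mktemp -d) || return 2
    run_config "$sample" --useFTLJIT=false "$tmp/noftl"
    run_config "$sample" --useFTLJIT=true "$tmp/ftl"
    rc=0
    if ! cmp -s "$tmp/noftl" "$tmp/ftl"; then
        echo "DIVERGENCE in $sample (--useFTLJIT=false vs --useFTLJIT=true):"
        diff "$tmp/noftl" "$tmp/ftl" || rc=1
    fi
    rm -rf "$tmp"
    return $rc
}
```

Source the file and call `diff_tiers sample.js`; a non-zero return marks the sample for triage.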