[Webkit-unassigned] [Bug 233408] New: Differential testing: FTL miscomputation involving Array.every

bugzilla-daemon at webkit.org
Sun Nov 21 06:24:53 PST 2021


https://bugs.webkit.org/show_bug.cgi?id=233408

            Bug ID: 233408
           Summary: Differential testing: FTL miscomputation involving
                    Array.every
           Product: WebKit
           Version: WebKit Local Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: lukas.bernhard at rub.de

During differential testing of WebKit, I found a sample triggering a miscomputation in FTL.

JSC on git commit: 249d5fd6931d
build options:
./Tools/Scripts/build-jsc --jsc-only --release --cmakeargs="-DENABLE_STATIC_JSC=ON -DCMAKE_C_COMPILER='/usr/bin/clang-12' -DCMAKE_CXX_COMPILER='/usr/bin/clang++-12' -DCMAKE_CXX_FLAGS='-O3 -lrt -latomic -fuse-ld=lld'"

Release/bin/jsc --validateOptions=true --useConcurrentJIT=false --useConcurrentGC=false --validateBCE=true --thresholdForJITSoon=1 --thresholdForJITAfterWarmUp=7 --thresholdForOptimizeAfterWarmUp=7 --thresholdForOptimizeAfterLongWarmUp=7 --thresholdForOptimizeSoon=1 --thresholdForFTLOptimizeAfterWarmUp=10 diff.js

diff.js
```
function main() {
    let v17 = {__proto__:[0,0]};
    v17[2] = 4;

    let v92 = 0;
    for (let v95 = 0; v95 < 100; v95++) {
        function v103() {
            function v128() {
                v139 = v92++;
            }
            [0].map(v128);
        }
        v17.every(v103);
    }
    print(v139); // 99 w/o FTL, 18 with FTL (also 99 in SpiderMonkey)
}
main();
```

-- 
You are receiving this mail because:
You are the assignee for the bug.
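
Why 99 is the expected value for diff.js, as an added example that is not part of the original report: a step-by-step model of `Array.prototype.every` per the ECMAScript algorithm, run over the same object, so the reference result does not rely on any engine's builtin. `specEvery` and `expectedResult` are hypothetical names, and `v139` is a local here rather than the implicit global used in the report.

```javascript
// Added illustration, not code from the bug report.
// specEvery (hypothetical name) models the ECMAScript steps of
// Array.prototype.every: read length, then for each k that passes
// HasProperty, call the callback and stop at the first falsy result.
function specEvery(obj, callback) {
    const O = Object(obj);
    const len = Math.max(0, Math.trunc(Number(O.length)) || 0);
    let calls = 0;
    for (let k = 0; k < len; k++) {
        if (!(k in O)) continue;      // HasProperty walks the prototype chain
        calls++;
        if (!callback(O[k], k, O)) {  // undefined is falsy: short-circuit
            return { result: false, calls };
        }
    }
    return { result: true, calls };
}

// expectedResult (hypothetical name) replays diff.js against the model.
function expectedResult() {
    const v17 = { __proto__: [0, 0] };
    v17[2] = 4;            // own property "2"; inherited length stays 2
    let v92 = 0;
    let v139;              // assumption: local instead of implicit global
    let totalCalls = 0;
    for (let v95 = 0; v95 < 100; v95++) {
        function v103() {
            function v128() {
                v139 = v92++;
            }
            [0].map(v128);
            // no return value, so every() stops after index 0
        }
        totalCalls += specEvery(v17, v103).calls;
    }
    return {
        length: v17.length,
        ownKeys: Object.keys(v17),
        totalCalls,
        v139,
    };
}

console.log(expectedResult());
```

The callback runs exactly once per loop iteration, so `v92` is post-incremented 100 times and the last value stored in `v139` is 99, matching the non-FTL and SpiderMonkey output quoted in the report.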