[Webkit-unassigned] [Bug 233682] New: Differential testing: baseline execution miscomputation related to switch/case

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Nov 30 22:31:55 PST 2021 

https://bugs.webkit.org/show_bug.cgi?id=233682

            Bug ID: 233682
           Summary: Differential testing: baseline execution
                    miscomputation related to switch/case
           Product: WebKit
           Version: WebKit Local Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: lukas.bernhard at rub.de

During differential testing of webkit I found a sample triggering a miscomputation in FTL.

JSC on git commit: 65d77d21751c
build options:
./Tools/Scripts/build-jsc --jsc-only --release --cmakeargs="-DENABLE_STATIC_JSC=ON -DCMAKE_C_COMPILER='/usr/bin/clang-12' -DCMAKE_CXX_COMPILER='/usr/bin/clang++-12' -DCMAKE_CXX_FLAGS='-O3 -lrt -latomic -fuse-ld=lld'"

command line:
RefBuild/Release/bin/jsc --validateOptions=true --useConcurrentJIT=false --useConcurrentGC=false --validateBCE=true --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 diff.js

differs from:
RefBuild/Release/bin/jsc --validateOptions=true --useConcurrentJIT=false --useConcurrentGC=false --validateBCE=true --useFTLJIT=false diff.js


```
function main() { 
    let v37;
    let v20 = 129n << 129n;
    const v21 = v20++;

    function v29(v30) {
        switch (v21) {
        default:
            for (let v34 = 1; v34 < 65536; v34++) { } 
            break;
        case v30: 
            v37 = 1; // should never be reached, however this is executed in baseline
        }   
    }   

    v29(BigInt(129n));
    v29([1]);

    print(v37);  // prints 1 without FTL, undefined with FLT (also undefined in spidermonkey)
}
main();
```

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20211201/b8db8d3a/attachment.htm>

More information about the webkit-unassigned mailing list