[Webkit-unassigned] [Bug 231321] New: Differential testing: Weird behavior in FTL

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Oct 6 12:40:48 PDT 2021 

https://bugs.webkit.org/show_bug.cgi?id=231321

            Bug ID: 231321
           Summary: Differential testing: Weird behavior in FTL
           Product: WebKit
           Version: WebKit Local Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: lukas.bernhard at rub.de

Differential testing identifies the following samples to trigger a miscomputation in FTL.
Tested on e467a9710432ebb3dae9880f897cf93929adc0e6 (Wed Oct 6 16:30:57 2021 +0000)
Sorry I couldn't minimize the testcase further, everything I try to simplify breaks the differential behavior.
Also, the bug description is obviously meaningless due to not having a hunch regarding the root cause.

Release/bin/jsc --validateOptions=true --useConcurrentJIT=false --useConcurrentGC=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --validateBCE=true --useFTLJIT=true diff.js

function main() {
    let v224;
    const v35 = [0, 0, {b:"AAAAA"}];

    async function v36(arr) {
        edenGC();  // removing this break differential
        for (let v198 = 0; v198 < 2; v198++) {
            const v200 = [0, 0]; 
            const v201 = ` 
                for (let v205 = 0; v205 < 60000; v205++) { }

                async function v215() { } // never called but removing breaks differential

                const v222 = {"__proto__":[[]], "a":0, "b":0};
                for (const v223 in v222) {
                    v224 = arr[v223];
                    v222.__proto__ = {};
                }
                v200;
            `;
            eval(v201); // moving code out of eval breaks differential
        }   
    }   
    v35.filter(v36);
    print(v224) // prints undefined in FTL, AAAAA without FTL (also AAAAA in v8)
}
main();

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20211006/2904334a/attachment.htm>

More information about the webkit-unassigned mailing list