[Webkit-unassigned] [Bug 231322] New: Differential testing: Uint32Array initialization miscomputes in interpreter mode
bugzilla-daemon at webkit.org
Wed Oct 6 12:48:14 PDT 2021
https://bugs.webkit.org/show_bug.cgi?id=231322
Bug ID: 231322
Summary: Differential testing: Uint32Array initialization miscomputes in interpreter mode
Product: WebKit
Version: WebKit Local Build
Hardware: PC
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: lukas.bernhard at rub.de
Differential testing identifies the following sample as triggering a miscomputation in JSC.
Tested on e467a9710432ebb3dae9880f897cf93929adc0e6 (Wed Oct 6 16:30:57 2021 +0000)
Release/bin/jsc --validateOptions=true --useConcurrentJIT=false --useConcurrentGC=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --validateBCE=true --useFTLJIT=true diff.js
function main() {
    async function v23(v24) {
        // hot loop so v23 gets tiered up; filter() below calls it once per element
        for (let v30 = 0; v30 < 60000; v30++) { }
        ArrayBuffer.prototype.constructor = ArrayBuffer;
    }
    const v22 = [0, 0, 0];
    const v35 = v22.filter(v23);
    const v37 = [0, 0, 0];
    const v42 = new Uint8ClampedArray(v37);
    const v43 = new Uint32Array(v42); // without FTL: RangeError: Length out of range of buffer
    print(v43.length); // prints 3 with FTL (also 3 in v8). with --useFTLJIT=true this statement is not executed due to the previous exception
}
main();
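The following is an added example, not code from the bug report or from the WebKit project. It packages the reporter's scenario (warm-up loop, reassignment of ArrayBuffer.prototype.constructor, then `new Uint32Array(uint8ClampedArray)`) as a function that records the outcome instead of throwing, alongside an oracle for what the TypedArray constructor must produce regardless of JIT tier: same element count, byteLength scaled by BYTES_PER_ELEMENT, a fresh buffer, and values copied. The function names `constructFromClamped`, `expectedRecord` and `matchesExpected` are hypothetical; the input arrays are constructed for the example. The value 3 for `[0, 0, 0]` is the output the report says FTL and v8 produce.

```javascript
// Added example (not from the bug report): an oracle for `new Uint32Array(typedArray)`
// that a differential harness can compare across engines or JIT tiers.

// Reproduces the report's construction pattern but returns a plain record
// (or the error name) instead of letting a RangeError escape.
function constructFromClamped(values) {
  // Same warm-up pattern as the report: a hot loop so this function gets tiered up.
  for (let i = 0; i < 60000; i++) { }
  // The report reassigns this property to its original value before constructing.
  ArrayBuffer.prototype.constructor = ArrayBuffer;
  const src = new Uint8ClampedArray(values); // constructed input
  try {
    const dst = new Uint32Array(src);
    return {
      ok: true,
      length: dst.length,
      byteLength: dst.byteLength,
      sharesBuffer: dst.buffer === src.buffer, // a copy must get a fresh buffer
      values: Array.from(dst),
    };
  } catch (e) {
    return { ok: false, error: e.name, message: e.message };
  }
}

// What the TypedArray constructor must produce when given another typed array:
// one element per source element, converted through the source's element type,
// a new buffer of length * BYTES_PER_ELEMENT bytes.
function expectedRecord(values) {
  const clamped = Array.from(new Uint8ClampedArray(values)); // Uint8Clamped conversion
  return {
    ok: true,
    length: clamped.length,
    byteLength: clamped.length * Uint32Array.BYTES_PER_ELEMENT,
    sharesBuffer: false,
    values: clamped,
  };
}

// True when the engine's observed behaviour matches the oracle; a differential
// tester would flag any input for which this is false in one tier but not another.
function matchesExpected(values) {
  return JSON.stringify(constructFromClamped(values)) === JSON.stringify(expectedRecord(values));
}

console.log(matchesExpected([0, 0, 0]) ? "ok" : "MISMATCH", constructFromClamped([0, 0, 0]));
```

Run it under the engine and option set being compared; the record (`length: 3, byteLength: 12, sharesBuffer: false`) is the reference the report's `print(v43.length)` line is checking against, and an `{ ok: false, error: "RangeError" }` record on the same input is the interpreter-mode outcome the report describes.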