[Webkit-unassigned] [Bug 276777] New: Atomics.sub is not executed correctly in the JIT compiler

Thu Jul 18 06:25:13 PDT 2024

https://bugs.webkit.org/show_bug.cgi?id=276777

            Bug ID: 276777
           Summary: Atomics.sub is not executed correctly in the JIT
                    compiler
           Product: WebKit
           Version: WebKit Local Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: q602706150 at gmail.com

test case:
```
const arr = new Int8Array(16);
for (let i = 129; i > 0; i--) {
    const r = this.Atomics.sub(arr, 0, i);
    print(r)
}
```

run args:
cmake-build-debug/bin/jsc test.js --useConcurrentJIT=0 --jitPolicyScale=0.01

This bug can be triggered stably by me, and the `--jitPolicyScale=0.01` argument is important, increasing or decreasing it may cause the bug to not trigger.
If you can't trigger this bug, I can try to find other more stable test cases.

tested in the latest webkit main branch:
431ee891573634865d8c5db0a0df90436ea130bb

actural output:
```
0
127
-1
-128
2
-123
9
-114
20
-101
35
-84
54
-63
77
77
77
77
77
...
```
The rest of the output is 77, which is omitted above.

According to the definition of `Atomics.sub`, the number should continue to change and 77 should not be output repeatedly.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20240718/557bf075/attachment.htm>