[Webkit-unassigned] [Bug 275596] New: Incorrect WebAssembly computation result
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Mon Jun 17 20:16:09 PDT 2024
https://bugs.webkit.org/show_bug.cgi?id=275596
Bug ID: 275596
Summary: Incorrect WebAssembly computation result
Product: WebKit
Version: Other
Hardware: PC
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: WebAssembly
Assignee: webkit-unassigned at lists.webkit.org
Reporter: mfcc64 at gmail.com
// Run this script using browser console / bun
(async function() {
var buf = Uint8Array.from([0,97,115,109,1,0,0,0,1,10,2,96,2,127,124,0,96,1,127,0,2,17,1,3,101,110,118,9,100,101,98,117,103,95,108,111,103,0,0,3,
2,1,1,5,3,1,0,2,6,8,1,127,1,65,128,136,4,11,7,17,2,6,109,101,109,111,114,121,2,0,4,116,101,115,116,0,1,10,213,1,
1,210,1,3,1,127,2,124,4,127,65,16,33,1,2,64,32,0,65,16,72,13,0,3,64,68,0,0,0,0,0,0,0,64,32,1,183,34,2,163,
33,3,32,1,65,2,118,34,4,33,5,32,4,65,1,32,4,65,1,75,27,34,6,33,7,3,64,32,5,32,3,16,128,128,128,128,0,32,5,65,
1,106,33,5,32,7,65,127,106,34,7,13,0,11,32,1,65,1,118,33,5,68,0,0,0,0,0,0,16,64,32,2,163,33,3,32,6,33,7,3,
64,32,5,32,3,16,128,128,128,128,0,32,5,65,1,106,33,5,32,7,65,127,106,34,7,13,0,11,32,4,65,3,108,33,5,68,0,0,0,0,
0,0,24,64,32,2,163,33,3,3,64,32,5,32,3,16,128,128,128,128,0,32,5,65,1,106,33,5,32,6,65,127,106,34,6,13,0,11,32,1,
65,2,116,34,1,32,0,76,13,0,11,11,11,0,45,4,110,97,109,101,1,18,2,0,9,100,101,98,117,103,95,108,111,103,1,4,116,101,115,116,
7,18,1,0,15,95,95,115,116,97,99,107,95,112,111,105,110,116,101,114,0,45,9,112,114,111,100,117,99,101,114,115,1,12,112,114,111,99,101,115,
115,101,100,45,98,121,1,12,85,98,117,110,116,117,32,99,108,97,110,103,6,49,52,46,48,46,54]);
var m = true;
function debug_log(idx, value) {
if (idx == 4095)
console.log(idx, value), m = false;
if (m)
console.log(idx, value);
}
var {instance} = await WebAssembly.instantiate(buf, {env: { debug_log }});
for (let x = 0; x < 100; x++)
instance.exports.test(4096);
})();
// end
The result is incorrect starting at idx = 512. But, after several calls to instance.exports.test, it becomes correct.
Here are the last logs:
[Log] 4095 – 1 (x21)
[Log] 4095 – 0.00146484375 (x79)
This is C source code of wasm file:
void debug_log(int, double);
void
test(int n) {
for (int k = 16; k <= n; k *= 4) {
int q = k / 4;
double mul;
for (int j = 1; j < 4; j++)
for (int x = 0; x < q; x++)
mul = 2.0 * j / k, debug_log(j*q+x, mul);
}
}
Previously, I reported this on bun:
https://github.com/oven-sh/bun/issues/11667
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20240618/f3646334/attachment.htm>
More information about the webkit-unassigned
mailing list