[Webkit-unassigned] [Bug 275596] Incorrect WebAssembly computation result

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Jun 25 09:31:32 PDT 2024 

https://bugs.webkit.org/show_bug.cgi?id=275596

--- Comment #4 from Yusuke Suzuki <ysuzuki at apple.com> ---
(In reply to mfcc64 from comment #3)
> Using latest jsc, it still doesn't work (on x84_64).
> 
> (async function() {
>     var buf =
> Uint8Array.from([0,97,115,109,1,0,0,0,1,10,2,96,2,127,124,0,96,1,127,0,2,17,
> 1,3,101,110,118,9,100,101,98,117,103,95,108,111,103,0,0,3,
>    
> 2,1,1,5,3,1,0,2,6,8,1,127,1,65,128,136,4,11,7,17,2,6,109,101,109,111,114,121,
> 2,0,4,116,101,115,116,0,1,10,213,1,
>    
> 1,210,1,3,1,127,2,124,4,127,65,16,33,1,2,64,32,0,65,16,72,13,0,3,64,68,0,0,0,
> 0,0,0,0,64,32,1,183,34,2,163,
>    
> 33,3,32,1,65,2,118,34,4,33,5,32,4,65,1,32,4,65,1,75,27,34,6,33,7,3,64,32,5,
> 32,3,16,128,128,128,128,0,32,5,65,
>    
> 1,106,33,5,32,7,65,127,106,34,7,13,0,11,32,1,65,1,118,33,5,68,0,0,0,0,0,0,16,
> 64,32,2,163,33,3,32,6,33,7,3,
>    
> 64,32,5,32,3,16,128,128,128,128,0,32,5,65,1,106,33,5,32,7,65,127,106,34,7,13,
> 0,11,32,4,65,3,108,33,5,68,0,0,0,0,
>    
> 0,0,24,64,32,2,163,33,3,3,64,32,5,32,3,16,128,128,128,128,0,32,5,65,1,106,33,
> 5,32,6,65,127,106,34,6,13,0,11,32,1,
>    
> 65,2,116,34,1,32,0,76,13,0,11,11,11,0,45,4,110,97,109,101,1,18,2,0,9,100,101,
> 98,117,103,95,108,111,103,1,4,116,101,115,116,
>    
> 7,18,1,0,15,95,95,115,116,97,99,107,95,112,111,105,110,116,101,114,0,45,9,
> 112,114,111,100,117,99,101,114,115,1,12,112,114,111,99,101,115,
>    
> 115,101,100,45,98,121,1,12,85,98,117,110,116,117,32,99,108,97,110,103,6,49,
> 52,46,48,46,54]);
> 
>     function debug_log(idx, value) {
>         print(idx, value);
>     }
>     var {instance} = await WebAssembly.instantiate(buf, {env: { debug_log
> }});
>     instance.exports.test(1024);
> })();
> 
> More specifically, using BBQ JIT gives incorrect result:
> jsc --useConcurrentJIT=false --useBBQJIT=true --useOMGJIT=false
> ...
> 189 0.015625
> 190 0.015625
> 191 0.015625
> 192 1
> 193 1
> 194 1
> ...
> 
> Disabling BBQ JIT gives correct result:
> jsc --useBBQJIT=false
> ...
> 189 0.015625
> 190 0.015625
> 191 0.015625
> 192 0.0234375
> 193 0.0234375
> 194 0.0234375
> ...
> 
> Thank's.


How did you get that JSC shell? ToT build (revision 280337 at main) is showing the following.

```
188 0.015625
189 0.015625
190 0.015625
191 0.015625
192 0.0234375
193 0.0234375
194 0.0234375
195 0.0234375
196 0.0234375
197 0.0234375
198 0.0234375
199 0.0234375
```

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20240625/b5428cf4/attachment.htm>

More information about the webkit-unassigned mailing list