[Webkit-unassigned] [Bug 287785] New: GetLocal is converted into JSConstant incorrectly in Constant Folding optimization.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Feb 17 00:23:35 PST 2025 

https://bugs.webkit.org/show_bug.cgi?id=287785

            Bug ID: 287785
           Summary: GetLocal is converted into JSConstant incorrectly in
                    Constant Folding optimization.
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: entryhii at gmail.com

Hello, I found a bug in JavaScriptCore.

The PoC is shown as below:
========================poc.js============
const v11 = ["abc","abcd", "abcde"];
const v21 = [1, 2, 3, 4, 5, 6];
function f22(a26) {
  [a26] = v11;
  for (let v37 = 0; v37 < 5; v37++) {}
  print("a26:",a26);
}
noInline(f22)
for (const v44 of v21) {
  f22();
  print("My test",v44)
}
========================================

Reproduce bug:
Step 1: ./jsc poc.js --useConcurrentJIT=0  --jitPolicyScale=0
Step 2: ./jsc poc.js --useConcurrentJIT=0  --jitPolicyScale=0.001

The result of Step 1:
a26: abc
My test 1
a26: abc
My test 2
a26: abc
My test 3
a26: undefined
My test 4
a26: abc
My test 5
a26: abc
My test 6


The result of Step 2:
a26: abc
My test 1
a26: abc
My test 2
a26: abc
My test 3
a26: abc
My test 4
a26: abc
My test 5
a26: abc
My test 6


JSC prints diffrent value in the 4th iteration. In the second DFG JIT, node GetLocal is converted into JSConstant based on the value computed by Abstract Interpreter in the Constant Folding. In this way, JSC directly prints "undefined" instead of "abc". 

Related code in DFGConstantFoldingPhase.cpp:
```
            // Interesting fact: this freezing that we do right here may turn an fragile value into
            // a weak value. See DFGValueStrength.h.
            FrozenValue* value = m_graph.freeze(m_state.forNode(node).value());
            if (!*value)
                continue;

            if (node->op() == GetLocal) {
                // Need to preserve bytecode liveness in ThreadedCPS form. This wouldn't be necessary
                // if it wasn't for https://bugs.webkit.org/show_bug.cgi?id=144086.
                m_insertionSet.insertNode(
                    indexInBlock, SpecNone, PhantomLocal, node->origin,
                    OpInfo(node->variableAccessData()));
                m_graph.dethread();
            } else
                m_insertionSet.insertCheck(m_graph, indexInBlock, node);
            m_graph.convertToConstant(node, value);

            changed = true;
```

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20250217/3fee4da9/attachment.htm>

More information about the webkit-unassigned mailing list