233682 2021-11-30 22:31:55 -0800 [JSC] HeapBigInt CompareStrictEq should call use after speculation checks 2022-09-19 19:14:16 -0700 1 1 1 Unclassified WebKit JavaScriptCore WebKit Local Build PC Linux RESOLVED FIXED InRadar P2 Normal --- 1 lukas.bernhard ysuzuki lukas.bernhard saam webkit-bug-importer ysuzuki oldest_to_newest 1819099 0 lukas.bernhard 2021-11-30 22:31:55 -0800 During differential testing of webkit I found a sample triggering a miscomputation in FTL. JSC on git commit: 65d77d21751c build options: ./Tools/Scripts/build-jsc --jsc-only --release --cmakeargs="-DENABLE_STATIC_JSC=ON -DCMAKE_C_COMPILER='/usr/bin/clang-12' -DCMAKE_CXX_COMPILER='/usr/bin/clang++-12' -DCMAKE_CXX_FLAGS='-O3 -lrt -latomic -fuse-ld=lld'" command line: RefBuild/Release/bin/jsc --validateOptions=true --useConcurrentJIT=false --useConcurrentGC=false --validateBCE=true --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 diff.js differs from: RefBuild/Release/bin/jsc --validateOptions=true --useConcurrentJIT=false --useConcurrentGC=false --validateBCE=true --useFTLJIT=false diff.js ``` function main() { let v37; let v20 = 129n << 129n; const v21 = v20++; function v29(v30) { switch (v21) { default: for (let v34 = 1; v34 < 65536; v34++) { } break; case v30: v37 = 1; // should never be reached, however this is executed in baseline } } v29(BigInt(129n)); v29([1]); print(v37); // prints 1 without FTL, undefined with FLT (also undefined in spidermonkey) } main(); ``` 1821398 1 webkit-bug-importer 2021-12-07 22:32:27 -0800 <rdar://problem/86192953> 1842840 2 lukas.bernhard 2022-02-17 05:23:52 -0800 While I understand this issue might not be of high relevance, I encounter this correctness error quite often during fuzzing. This makes deduplication of findings rather tedious. If fixing the underlying problem is not in scope for now, could the engine maybe emit some kind of fprintf(stderr, "known correctness error") so fuzzers could skip the particular problem? 1899371 3 saam 2022-09-18 12:00:14 -0700 (In reply to Lukas Bernhard from comment #2) > While I understand this issue might not be of high relevance, I encounter > this correctness error quite often during fuzzing. This makes deduplication > of findings rather tedious. > If fixing the underlying problem is not in scope for now, could the engine > maybe emit some kind of fprintf(stderr, "known correctness error") so > fuzzers could skip the particular problem? Yeah, this should just be fixed to unblock the fuzzer. 1899679 4 ysuzuki 2022-09-19 16:37:43 -0700 Pull request: https://github.com/WebKit/WebKit/pull/4510 1899693 5 ews-feeder 2022-09-19 19:14:14 -0700 Committed 254655@main (662e9f67690e): <https://commits.webkit.org/254655@main> Reviewed commits have been landed. Closing PR #4510 and removing active labels.