275596 2024-06-17 20:16:09 -0700 Incorrect WebAssembly computation result 2024-06-29 00:27:45 -0700 1 1 1 Unclassified WebKit WebAssembly Other PC Linux RESOLVED FIXED InRadar P2 Normal --- 1 mfcc64 ysuzuki jmichaud keith_miller mark.lam webkit-bug-importer ysuzuki oldest_to_newest 2041796 0 mfcc64 2024-06-17 20:16:09 -0700 // Run this script using browser console / bun (async function() { var buf = Uint8Array.from([0,97,115,109,1,0,0,0,1,10,2,96,2,127,124,0,96,1,127,0,2,17,1,3,101,110,118,9,100,101,98,117,103,95,108,111,103,0,0,3, 2,1,1,5,3,1,0,2,6,8,1,127,1,65,128,136,4,11,7,17,2,6,109,101,109,111,114,121,2,0,4,116,101,115,116,0,1,10,213,1, 1,210,1,3,1,127,2,124,4,127,65,16,33,1,2,64,32,0,65,16,72,13,0,3,64,68,0,0,0,0,0,0,0,64,32,1,183,34,2,163, 33,3,32,1,65,2,118,34,4,33,5,32,4,65,1,32,4,65,1,75,27,34,6,33,7,3,64,32,5,32,3,16,128,128,128,128,0,32,5,65, 1,106,33,5,32,7,65,127,106,34,7,13,0,11,32,1,65,1,118,33,5,68,0,0,0,0,0,0,16,64,32,2,163,33,3,32,6,33,7,3, 64,32,5,32,3,16,128,128,128,128,0,32,5,65,1,106,33,5,32,7,65,127,106,34,7,13,0,11,32,4,65,3,108,33,5,68,0,0,0,0, 0,0,24,64,32,2,163,33,3,3,64,32,5,32,3,16,128,128,128,128,0,32,5,65,1,106,33,5,32,6,65,127,106,34,6,13,0,11,32,1, 65,2,116,34,1,32,0,76,13,0,11,11,11,0,45,4,110,97,109,101,1,18,2,0,9,100,101,98,117,103,95,108,111,103,1,4,116,101,115,116, 7,18,1,0,15,95,95,115,116,97,99,107,95,112,111,105,110,116,101,114,0,45,9,112,114,111,100,117,99,101,114,115,1,12,112,114,111,99,101,115, 115,101,100,45,98,121,1,12,85,98,117,110,116,117,32,99,108,97,110,103,6,49,52,46,48,46,54]); var m = true; function debug_log(idx, value) { if (idx == 4095) console.log(idx, value), m = false; if (m) console.log(idx, value); } var {instance} = await WebAssembly.instantiate(buf, {env: { debug_log }}); for (let x = 0; x < 100; x++) instance.exports.test(4096); })(); // end The result is incorrect starting at idx = 512. But, after several calls to instance.exports.test, it becomes correct. Here are the last logs: [Log] 4095 – 1 (x21) [Log] 4095 – 0.00146484375 (x79) This is C source code of wasm file: void debug_log(int, double); void test(int n) { for (int k = 16; k <= n; k *= 4) { int q = k / 4; double mul; for (int j = 1; j < 4; j++) for (int x = 0; x < q; x++) mul = 2.0 * j / k, debug_log(j*q+x, mul); } } Previously, I reported this on bun: https://github.com/oven-sh/bun/issues/11667 2042861 1 webkit-bug-importer 2024-06-24 20:17:12 -0700 <rdar://problem/130468600> 2042870 2 ysuzuki 2024-06-24 20:46:18 -0700 Thanks. ToT WebKit / JavaScriptCore can run this as expected (matching against V8 and SpiderMonkey). So please update to the latest WebKit / JavaScriptCore! 2042918 3 mfcc64 2024-06-25 03:16:26 -0700 Using latest jsc, it still doesn't work (on x84_64). (async function() { var buf = Uint8Array.from([0,97,115,109,1,0,0,0,1,10,2,96,2,127,124,0,96,1,127,0,2,17,1,3,101,110,118,9,100,101,98,117,103,95,108,111,103,0,0,3, 2,1,1,5,3,1,0,2,6,8,1,127,1,65,128,136,4,11,7,17,2,6,109,101,109,111,114,121,2,0,4,116,101,115,116,0,1,10,213,1, 1,210,1,3,1,127,2,124,4,127,65,16,33,1,2,64,32,0,65,16,72,13,0,3,64,68,0,0,0,0,0,0,0,64,32,1,183,34,2,163, 33,3,32,1,65,2,118,34,4,33,5,32,4,65,1,32,4,65,1,75,27,34,6,33,7,3,64,32,5,32,3,16,128,128,128,128,0,32,5,65, 1,106,33,5,32,7,65,127,106,34,7,13,0,11,32,1,65,1,118,33,5,68,0,0,0,0,0,0,16,64,32,2,163,33,3,32,6,33,7,3, 64,32,5,32,3,16,128,128,128,128,0,32,5,65,1,106,33,5,32,7,65,127,106,34,7,13,0,11,32,4,65,3,108,33,5,68,0,0,0,0, 0,0,24,64,32,2,163,33,3,3,64,32,5,32,3,16,128,128,128,128,0,32,5,65,1,106,33,5,32,6,65,127,106,34,6,13,0,11,32,1, 65,2,116,34,1,32,0,76,13,0,11,11,11,0,45,4,110,97,109,101,1,18,2,0,9,100,101,98,117,103,95,108,111,103,1,4,116,101,115,116, 7,18,1,0,15,95,95,115,116,97,99,107,95,112,111,105,110,116,101,114,0,45,9,112,114,111,100,117,99,101,114,115,1,12,112,114,111,99,101,115, 115,101,100,45,98,121,1,12,85,98,117,110,116,117,32,99,108,97,110,103,6,49,52,46,48,46,54]); function debug_log(idx, value) { print(idx, value); } var {instance} = await WebAssembly.instantiate(buf, {env: { debug_log }}); instance.exports.test(1024); })(); More specifically, using BBQ JIT gives incorrect result: jsc --useConcurrentJIT=false --useBBQJIT=true --useOMGJIT=false ... 189 0.015625 190 0.015625 191 0.015625 192 1 193 1 194 1 ... Disabling BBQ JIT gives correct result: jsc --useBBQJIT=false ... 189 0.015625 190 0.015625 191 0.015625 192 0.0234375 193 0.0234375 194 0.0234375 ... Thank's. 2042978 4 ysuzuki 2024-06-25 09:31:32 -0700 (In reply to mfcc64 from comment #3) > Using latest jsc, it still doesn't work (on x84_64). > > (async function() { > var buf = > Uint8Array.from([0,97,115,109,1,0,0,0,1,10,2,96,2,127,124,0,96,1,127,0,2,17, > 1,3,101,110,118,9,100,101,98,117,103,95,108,111,103,0,0,3, > > 2,1,1,5,3,1,0,2,6,8,1,127,1,65,128,136,4,11,7,17,2,6,109,101,109,111,114,121, > 2,0,4,116,101,115,116,0,1,10,213,1, > > 1,210,1,3,1,127,2,124,4,127,65,16,33,1,2,64,32,0,65,16,72,13,0,3,64,68,0,0,0, > 0,0,0,0,64,32,1,183,34,2,163, > > 33,3,32,1,65,2,118,34,4,33,5,32,4,65,1,32,4,65,1,75,27,34,6,33,7,3,64,32,5, > 32,3,16,128,128,128,128,0,32,5,65, > > 1,106,33,5,32,7,65,127,106,34,7,13,0,11,32,1,65,1,118,33,5,68,0,0,0,0,0,0,16, > 64,32,2,163,33,3,32,6,33,7,3, > > 64,32,5,32,3,16,128,128,128,128,0,32,5,65,1,106,33,5,32,7,65,127,106,34,7,13, > 0,11,32,4,65,3,108,33,5,68,0,0,0,0, > > 0,0,24,64,32,2,163,33,3,3,64,32,5,32,3,16,128,128,128,128,0,32,5,65,1,106,33, > 5,32,6,65,127,106,34,6,13,0,11,32,1, > > 65,2,116,34,1,32,0,76,13,0,11,11,11,0,45,4,110,97,109,101,1,18,2,0,9,100,101, > 98,117,103,95,108,111,103,1,4,116,101,115,116, > > 7,18,1,0,15,95,95,115,116,97,99,107,95,112,111,105,110,116,101,114,0,45,9, > 112,114,111,100,117,99,101,114,115,1,12,112,114,111,99,101,115, > > 115,101,100,45,98,121,1,12,85,98,117,110,116,117,32,99,108,97,110,103,6,49, > 52,46,48,46,54]); > > function debug_log(idx, value) { > print(idx, value); > } > var {instance} = await WebAssembly.instantiate(buf, {env: { debug_log > }}); > instance.exports.test(1024); > })(); > > More specifically, using BBQ JIT gives incorrect result: > jsc --useConcurrentJIT=false --useBBQJIT=true --useOMGJIT=false > ... > 189 0.015625 > 190 0.015625 > 191 0.015625 > 192 1 > 193 1 > 194 1 > ... > > Disabling BBQ JIT gives correct result: > jsc --useBBQJIT=false > ... > 189 0.015625 > 190 0.015625 > 191 0.015625 > 192 0.0234375 > 193 0.0234375 > 194 0.0234375 > ... > > Thank's. How did you get that JSC shell? ToT build (revision 280337@main) is showing the following. ``` 188 0.015625 189 0.015625 190 0.015625 191 0.015625 192 0.0234375 193 0.0234375 194 0.0234375 195 0.0234375 196 0.0234375 197 0.0234375 198 0.0234375 199 0.0234375 ``` 2043082 5 mfcc64 2024-06-25 17:07:12 -0700 jsc is generated by Tools/Scripts/build-jsc --jsc-only (on revision 280337@main). Updating to revision 280352@main doesn't fix the problem. Thank's. 2043084 6 ysuzuki 2024-06-25 17:15:38 -0700 (In reply to mfcc64 from comment #5) > jsc is generated by Tools/Scripts/build-jsc --jsc-only (on revision > 280337@main). Updating to revision 280352@main doesn't fix the problem. > > Thank's. Can you generate build-webkit and use JSC shell via VM=/path/to/WebKitBuild/Release; DYLD_FRAMEWORK_PATH=$VM $VM/jsc We cannot reproduce the issue so far with built JSC. 2043085 7 ysuzuki 2024-06-25 17:15:48 -0700 Is it macOS? 2043089 8 mfcc64 2024-06-25 17:36:58 -0700 I run it on x86_64 Linux. 2043220 9 jmichaud 2024-06-26 11:00:22 -0700 :looking: 2043660 10 jmichaud 2024-06-28 14:21:00 -0700 I was unable to reproduce this on x86_64 linux. Can you show how you launch jsc? You will need to set LD_PRELOAD_PATH to get the right version of jsc: ``` export VM=$BUILDDIR/WebKitBuild/JSCOnly/$CONFIG/ LD_LIBRARY_PATH=$VM $VM/bin/jsc --validateOptions=1 ``` 2043715 11 mfcc64 2024-06-28 17:59:10 -0700 It still give incorrect results. Trying debug build, got assertion failed: ASSERTION FAILED: op1 == dest || op2 != dest 178 0.015625 /home/data/git/WebKit/Source/JavaScriptCore/assembler/MacroAssemblerX86Common.h(1814) : void JSC::MacroAssemblerX86Common::divDouble(JSC::AbstractMacroAssembler<JSC::X86Assembler>::FPRegisterID, JSC::AbstractMacroAssembler<JSC::X86Assembler>::FPRegisterID, JSC::AbstractMacroAssembler<JSC::X86Assembler>::FPRegisterID) Looking at the source, maybe this only affect processors that don't have AVX support. So, It seems that you should disable AVX to reproduce this bug. Thank's. 2043735 12 ysuzuki 2024-06-28 20:56:16 -0700 Pull request: https://github.com/WebKit/WebKit/pull/30299 2043740 13 mfcc64 2024-06-28 23:56:33 -0700 The patch works for me. Thank's. 2043742 14 ews-feeder 2024-06-29 00:27:43 -0700 Committed 280495@main (2fdb35959e51): <https://commits.webkit.org/280495@main> Reviewed commits have been landed. Closing PR #30299 and removing active labels.