Bug 190033

Summary: [BigInt] BigInt.proptotype.toString is broken when radix is power of 2
Product: WebKit Reporter: Caio Lima <ticaiolima>
Component: JavaScriptCoreAssignee: Caio Lima <ticaiolima>
Status: RESOLVED FIXED    
Severity: Normal CC: benjamin, cdumez, cmarcelo, commit-queue, dbates, ews-watchlist, keith_miller, mark.lam, msaboff, realdawei, saam, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on: 190124    
Bug Blocks:    
Attachments:
Description Flags
Patch
none
Patch
none
Patch
none
Patch
none
Patch none

Description Caio Lima 2018-09-27 04:16:15 PDT 
When we have a BigInt with length >= 2, the call to BigInt.prototype.toString with a radix that is power of 2 causes the following crash:

ASSERTION FAILED: chunkDivisor
Source/JavaScriptCore/runtime/JSBigInt.cpp(1254) : static WTF::String JSC::JSBigInt::toStringGeneric(JSC::ExecState *, JSC::JSBigInt *, unsigned int)
1   0x1018a83e9 WTFCrash
2   0x100005b5b WTFCrashWithInfo(int, char const*, char const*, int)
3   0x10140c670 JSC::JSBigInt::toStringGeneric(JSC::ExecState*, JSC::JSBigInt*, unsigned int)
4   0x10140c33c JSC::JSBigInt::toString(JSC::ExecState*, unsigned int)
5   0x10133acf9 JSC::bigIntProtoFuncToString(JSC::ExecState*)
6   0x3576d0ed177
7   0x10118c9d4 llint_entry
8   0x101184300 vmEntryToJavaScript
9   0x101099f4a JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
10  0x101099519 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*)
11  0x101371c2f JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
12  0x10002238d runInteractive(GlobalObject*)
13  0x100007a77 int runJSC<jscmain(int, char**)::$_3>(CommandLine, bool, jscmain(int, char**)::$_3 const&)
14  0x10000650f jscmain(int, char**)
15  0x10000646e main
16  0x7fff70624015 start
17  0x2
Process 91544 stopped
Comment 1 Caio Lima 2018-09-27 07:57:06 PDT 
Created attachment 350960 [details]
Patch
Comment 2 Caio Lima 2018-09-27 15:25:12 PDT 
Created attachment 351012 [details]
Patch
Comment 3 Caio Lima 2018-09-28 04:49:12 PDT 
Created attachment 351068 [details]
Patch
Comment 4 Yusuke Suzuki 2018-09-29 08:11:19 PDT 
Comment on attachment 351068 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=351068&action=review

r=me with nits.

> Source/WTF/wtf/MathExtras.h:580
> +#if COMPILER(GCC_OR_CLANG)

Use `COMPILER(GCC_COMPATIBLE)`.
Comment 5 Caio Lima 2018-09-30 10:40:06 PDT 
Created attachment 351216 [details]
Patch
Comment 6 Caio Lima 2018-09-30 10:41:04 PDT 
Comment on attachment 351216 [details]
Patch

Thank you very much for the review!
Comment 7 WebKit Commit Bot 2018-09-30 11:19:02 PDT 
Comment on attachment 351216 [details]
Patch

Clearing flags on attachment: 351216

Committed r236647: <https://trac.webkit.org/changeset/236647>
Comment 8 WebKit Commit Bot 2018-09-30 11:19:04 PDT 
All reviewed patches have been landed.  Closing bug.
Comment 9 Radar WebKit Bug Importer 2018-09-30 11:20:40 PDT 
<rdar://problem/44895609>
Comment 10 WebKit Commit Bot 2018-10-01 04:21:43 PDT 
Re-opened since this is blocked by bug 190124
Comment 11 Caio Lima 2018-10-01 06:43:52 PDT 
Created attachment 351242 [details]
Patch
Comment 12 Yusuke Suzuki 2018-10-01 06:50:33 PDT 
(In reply to Caio Lima from comment #11)
> Created attachment 351242 [details]
> Patch

What is the changed part from the previous one?
Comment 13 Caio Lima 2018-10-01 08:12:34 PDT 
(In reply to Yusuke Suzuki from comment #12)
> (In reply to Caio Lima from comment #11)
> > Created attachment 351242 [details]
> > Patch
> 
> What is the changed part from the previous one?

ctz32 was wrong implemented. It was 
```
if (!number)
   return __builtin_ctz(number);

return 32;
```

Which return 32 for every number but 0.

I changed to:
```
if (number) // No not "!"
   return __builtin_ctz(number);

return 32;
```
Comment 14 Caio Lima 2018-10-01 08:53:24 PDT 
Comment on attachment 351242 [details]
Patch

From previous patch, I changed ctz32 (Source/WTF/wtf/MathExtras.h:581) because previous version was wrong. Asking for review again before upstreaming the patch.
Comment 15 Dawei Fenton (:realdawei) 2018-10-01 10:27:33 PDT 
(In reply to WebKit Commit Bot from comment #7)
> Comment on attachment 351216 [details]
> Patch
> 
> Clearing flags on attachment: 351216
> 
> Committed r236647: <https://trac.webkit.org/changeset/236647>

32bit JSC crashing after this revision.

Sample output:
https://build.webkit.org/builders/Apple%20High%20Sierra%2032-bit%20JSC%20%28BuildAndTest%29/builds/2647/steps/webkit-32bit-jsc-test/logs/stdio

stress/big-int-to-string.js.big-int-enabled: 1   0x27dd2b WTFCrash
stress/big-int-to-string.js.big-int-enabled: 2   0x280b3b WTF::CrashOnOverflow::crash()
stress/big-int-to-string.js.big-int-enabled: 3   0x280b2b WTF::CrashOnOverflow::overflowed()
stress/big-int-to-string.js.big-int-enabled: 4   0x2bf7f7 WTF::Vector<unsigned char, 0ul, WTF::CrashOnOverflow, 16ul>::at(unsigned long)
stress/big-int-to-string.js.big-int-enabled: 5   0x2bbcf4 WTF::Vector<unsigned char, 0ul, WTF::CrashOnOverflow, 16ul>::operator[](unsigned long)
stress/big-int-to-string.js.big-int-enabled: 6   0x12de7b1 JSC::JSBigInt::toStringBasePowerOfTwo(JSC::ExecState*, JSC::JSBigInt*, unsigned int)
stress/big-int-to-string.js.big-int-enabled: 7   0x12de1a4 JSC::JSBigInt::toString(JSC::ExecState*, unsigned int)
stress/big-int-to-string.js.big-int-enabled: 8   0x11ee681 JSC::bigIntProtoFuncToString(JSC::ExecState*)
stress/big-int-to-string.js.big-int-enabled: 9   0x54e0f0e1
stress/big-int-to-string.js.big-int-enabled: 10  0x536057 llint_entry
stress/big-int-to-string.js.big-int-enabled: 11  0x52febf vmEntryToJavaScript
stress/big-int-to-string.js.big-int-enabled: 12  0xef1c49 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
stress/big-int-to-string.js.big-int-enabled: 13  0xef10a2 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*)
stress/big-int-to-string.js.big-int-enabled: 14  0x122b2eb JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
stress/big-int-to-string.js.big-int-enabled: 15  0x10889f runWithOptions(GlobalObject*, CommandLine&, bool&)
stress/big-int-to-string.js.big-int-enabled: 16  0xd8c7a jscmain(int, char**)::$_3::operator()(JSC::VM&, GlobalObject*, bool&) const
stress/big-int-to-string.js.big-int-enabled: 17  0xba3aa int runJSC<jscmain(int, char**)::$_3>(CommandLine, bool, jscmain(int, char**)::$_3 const&)
stress/big-int-to-string.js.big-int-enabled: 18  0xb8b40 jscmain(int, char**)
stress/big-int-to-string.js.big-int-enabled: 19  0xb8a67 main
stress/big-int-to-string.js.big-int-enabled: 20  0xa73f4611 start
stress/big-int-to-string.js.big-int-enabled: test_script_2250: line 2: 98930 Segmentation fault: 11  ( "$@" ../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false --useFunctionDotArguments\=true --validateExceptionChecks\=true --useDollarVM\=true --maxPerThreadStackUsage\=1572864 --useBigInt\=true --useFTLJIT\=true big-int-to-string.js )
stress/big-int-to-string.js.big-int-enabled: ERROR: Unexpected exit code: 139
Comment 16 Yusuke Suzuki 2018-10-02 05:39:20 PDT 
Comment on attachment 351242 [details]
Patch

r=me
Comment 17 Caio Lima 2018-10-02 06:17:22 PDT 
Comment on attachment 351242 [details]
Patch

Thx for the review
Comment 18 WebKit Commit Bot 2018-10-02 06:42:44 PDT 
Comment on attachment 351242 [details]
Patch

Clearing flags on attachment: 351242

Committed r236737: <https://trac.webkit.org/changeset/236737>
Comment 19 WebKit Commit Bot 2018-10-02 06:42:46 PDT 
All reviewed patches have been landed.  Closing bug.