Bug 231322

Summary: ArrayBuffer species watchpoint being invalidated doesn't mean it's not an ArrayBuffer constructor from the same global object
Product: WebKit Reporter: Lukas Bernhard <lukas.bernhard>
Component: JavaScriptCoreAssignee: Saam Barati <saam>
Status: RESOLVED FIXED    
Severity: Normal CC: ews-watchlist, keith_miller, mark.lam, msaboff, saam, tzagallo, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Local Build   
Hardware: PC   
OS: Linux   
Attachments:
Description Flags
patch none

Lukas Bernhard
Reported 2021-10-06 12:48:14 PDT
Differential testing identifies the following samples to trigger a miscomputation in JSC. Tested on e467a9710432ebb3dae9880f897cf93929adc0e6 (Wed Oct 6 16:30:57 2021 +0000) Release/bin/jsc --validateOptions=true --useConcurrentJIT=false --useConcurrentGC=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --validateBCE=true --useFTLJIT=true diff.js function main() { async function v23(v24) { for (let v30 = 0; v30 < 60000; v30++) { } ArrayBuffer.prototype.constructor = ArrayBuffer; } const v22 = [0, 0, 0]; const v35 = v22.filter(v23); const v37 = [0, 0, 0] const v42 = new Uint8ClampedArray(v37); const v43 = new Uint32Array(v42); // without FTL: RangeError: Length out of range of buffer print(v43.length); // prints 3 with FTL (also 3 in v8). with --useFTLJIT=true this statement is not executed due to the previous exception } main();
Attachments
patch (4.05 KB, patch)
2021-10-29 18:41 PDT, Saam Barati 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2021-10-13 12:49:12 PDT
<rdar://problem/84212078>
Saam Barati
Comment 2 2021-10-29 18:41:16 PDT
Created attachment 442892 [details] patch
Yusuke Suzuki
Comment 3 2021-10-29 18:42:44 PDT
Comment on attachment 442892 [details] patch r=me
EWS
Comment 4 2021-11-01 13:10:33 PDT
Committed r285123 (243764@main): <https://commits.webkit.org/243764@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 442892 [details].
Note You need to log in before you can comment on or make changes to this bug.