| Field | Value |
|---|---|
| Summary: | ArrayBuffer species watchpoint being invalidated doesn't mean it's not an ArrayBuffer constructor from the same global object |
| Product: | WebKit |
| Component: | JavaScriptCore |
| Status: | RESOLVED FIXED |
| Severity: | Normal |
| Priority: | P2 |
| Version: | WebKit Local Build |
| Hardware: | PC |
| OS: | Linux |
| Reporter: | Lukas Bernhard <lukas.bernhard> |
| Assignee: | Saam Barati <saam> |
| CC: | ews-watchlist, keith_miller, mark.lam, msaboff, saam, tzagallo, webkit-bug-importer, ysuzuki |
| Keywords: | InRadar |
| Attachments: | 442892: patch |
Created attachment 442892: patch

Comment on attachment 442892 (patch): r=me

Committed r285123 (243764@main): <https://commits.webkit.org/243764@main>
All reviewed patches have been landed. Closing bug and clearing flags on attachment 442892.
Differential testing identifies the following sample as triggering a miscomputation in JSC. Tested on e467a9710432ebb3dae9880f897cf93929adc0e6 (Wed Oct 6 16:30:57 2021 +0000):

```
Release/bin/jsc --validateOptions=true --useConcurrentJIT=false --useConcurrentGC=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --validateBCE=true --useFTLJIT=true diff.js
```

```js
function main() {
    async function v23(v24) {
        for (let v30 = 0; v30 < 60000; v30++) {
        }
        ArrayBuffer.prototype.constructor = ArrayBuffer;
    }
    const v22 = [0, 0, 0];
    const v35 = v22.filter(v23);
    const v37 = [0, 0, 0]
    const v42 = new Uint8ClampedArray(v37);
    const v43 = new Uint32Array(v42); // without FTL: RangeError: Length out of range of buffer
    print(v43.length); // prints 3 with FTL (also 3 in v8). with --useFTLJIT=true this statement is not executed due to the previous exception
}
main();
```
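The sample above hinges on one spec-level fact: writing `ArrayBuffer.prototype.constructor = ArrayBuffer` stores the value that was already there, so the species lookup a typed-array constructor performs on the source buffer must resolve to `%ArrayBuffer%` exactly as before, and `new Uint32Array(uint8ClampedArray)` must keep producing a length-3 result whether the code is cold or has been run thousands of times. The following is an added regression-style check written for this page, not code from the bug report or from WebKit; it runs in any engine (tested mentally against Node semantics), the function names and the `[1, 2, 3]` sample input are constructed for the example, and it counts how many warmed-up iterations disagree with the first, cold result, which is the observation a differential test of an optimizing tier looks for.

```javascript
'use strict';

// Added example (not from the bug report): a regression check for the semantics the
// reporter's sample exercises. Reassigning ArrayBuffer.prototype.constructor to the very
// same ArrayBuffer must not change what new Uint32Array(typedArray) produces, and the
// result must stay identical across repeated, possibly JIT-compiled, calls.

// Build a Uint32Array from a Uint8ClampedArray the same way the report does and
// return the observable facts: length, element values, and the species that a
// typed-array constructor would resolve for the destination buffer.
function constructFromTypedArray(source) {
  const src = new Uint8ClampedArray(source);
  const dst = new Uint32Array(src);
  return {
    length: dst.length,
    values: Array.from(dst),
    bufferCtorIsArrayBuffer: dst.buffer.constructor === ArrayBuffer,
    speciesIsArrayBuffer: dst.buffer.constructor[Symbol.species] === ArrayBuffer,
  };
}

// Run the construction `iterations` times, rewriting the prototype's `constructor`
// property with its existing value midway (as the report does), and count iterations
// whose observable result differs from the first one. Any divergence would indicate
// that a cached assumption, rather than the actual property value, drove the result.
function checkStableAcrossWarmup(iterations = 2000) {
  const source = [1, 2, 3]; // constructed sample input
  const first = constructFromTypedArray(source);
  let divergent = 0;
  for (let i = 0; i < iterations; i++) {
    if (i === Math.floor(iterations / 2)) {
      // Same value as before: a "was this property written?" watchpoint fires here,
      // but the language-level semantics are unchanged.
      ArrayBuffer.prototype.constructor = ArrayBuffer;
    }
    const r = constructFromTypedArray(source);
    if (JSON.stringify(r) !== JSON.stringify(first)) divergent++;
  }
  return {
    first,
    divergent,
    constructorStillArrayBuffer: ArrayBuffer.prototype.constructor === ArrayBuffer,
  };
}

// Stand-alone usage (CommonJS); prints { first: {...}, divergent: 0, constructorStillArrayBuffer: true }
if (typeof require !== 'undefined' && require.main === module) {
  console.log(checkStableAcrossWarmup());
}
```

Because the iteration count, not a particular engine flag, is what drives tiering, the same script can be run under different `jsc` option sets (for example with and without `--useFTLJIT`) and the `divergent` counts compared; a non-zero count or a thrown RangeError on any tier is the signal to file.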