Bug 275596

Summary: Incorrect WebAssembly computation result
Product: WebKit Reporter: mfcc64
Component: WebAssemblyAssignee: Yusuke Suzuki <ysuzuki>
Status: RESOLVED FIXED    
Severity: Normal CC: jmichaud, keith_miller, mark.lam, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: Other   
Hardware: PC   
OS: Linux   

mfcc64
Reported 2024-06-17 20:16:09 PDT
// Run this script using browser console / bun (async function() { var buf = Uint8Array.from([0,97,115,109,1,0,0,0,1,10,2,96,2,127,124,0,96,1,127,0,2,17,1,3,101,110,118,9,100,101,98,117,103,95,108,111,103,0,0,3, 2,1,1,5,3,1,0,2,6,8,1,127,1,65,128,136,4,11,7,17,2,6,109,101,109,111,114,121,2,0,4,116,101,115,116,0,1,10,213,1, 1,210,1,3,1,127,2,124,4,127,65,16,33,1,2,64,32,0,65,16,72,13,0,3,64,68,0,0,0,0,0,0,0,64,32,1,183,34,2,163, 33,3,32,1,65,2,118,34,4,33,5,32,4,65,1,32,4,65,1,75,27,34,6,33,7,3,64,32,5,32,3,16,128,128,128,128,0,32,5,65, 1,106,33,5,32,7,65,127,106,34,7,13,0,11,32,1,65,1,118,33,5,68,0,0,0,0,0,0,16,64,32,2,163,33,3,32,6,33,7,3, 64,32,5,32,3,16,128,128,128,128,0,32,5,65,1,106,33,5,32,7,65,127,106,34,7,13,0,11,32,4,65,3,108,33,5,68,0,0,0,0, 0,0,24,64,32,2,163,33,3,3,64,32,5,32,3,16,128,128,128,128,0,32,5,65,1,106,33,5,32,6,65,127,106,34,6,13,0,11,32,1, 65,2,116,34,1,32,0,76,13,0,11,11,11,0,45,4,110,97,109,101,1,18,2,0,9,100,101,98,117,103,95,108,111,103,1,4,116,101,115,116, 7,18,1,0,15,95,95,115,116,97,99,107,95,112,111,105,110,116,101,114,0,45,9,112,114,111,100,117,99,101,114,115,1,12,112,114,111,99,101,115, 115,101,100,45,98,121,1,12,85,98,117,110,116,117,32,99,108,97,110,103,6,49,52,46,48,46,54]); var m = true; function debug_log(idx, value) { if (idx == 4095) console.log(idx, value), m = false; if (m) console.log(idx, value); } var {instance} = await WebAssembly.instantiate(buf, {env: { debug_log }}); for (let x = 0; x < 100; x++) instance.exports.test(4096); })(); // end The result is incorrect starting at idx = 512. But, after several calls to instance.exports.test, it becomes correct. Here are the last logs: [Log] 4095 – 1 (x21) [Log] 4095 – 0.00146484375 (x79) This is C source code of wasm file: void debug_log(int, double); void test(int n) { for (int k = 16; k <= n; k *= 4) { int q = k / 4; double mul; for (int j = 1; j < 4; j++) for (int x = 0; x < q; x++) mul = 2.0 * j / k, debug_log(j*q+x, mul); } } Previously, I reported this on bun: https://github.com/oven-sh/bun/issues/11667
Attachments
Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2024-06-24 20:17:12 PDT
<rdar://problem/130468600>
Yusuke Suzuki
Comment 2 2024-06-24 20:46:18 PDT
Thanks. ToT WebKit / JavaScriptCore can run this as expected (matching against V8 and SpiderMonkey). So please update to the latest WebKit / JavaScriptCore!
mfcc64
Comment 3 2024-06-25 03:16:26 PDT
Using latest jsc, it still doesn't work (on x84_64). (async function() { var buf = Uint8Array.from([0,97,115,109,1,0,0,0,1,10,2,96,2,127,124,0,96,1,127,0,2,17,1,3,101,110,118,9,100,101,98,117,103,95,108,111,103,0,0,3, 2,1,1,5,3,1,0,2,6,8,1,127,1,65,128,136,4,11,7,17,2,6,109,101,109,111,114,121,2,0,4,116,101,115,116,0,1,10,213,1, 1,210,1,3,1,127,2,124,4,127,65,16,33,1,2,64,32,0,65,16,72,13,0,3,64,68,0,0,0,0,0,0,0,64,32,1,183,34,2,163, 33,3,32,1,65,2,118,34,4,33,5,32,4,65,1,32,4,65,1,75,27,34,6,33,7,3,64,32,5,32,3,16,128,128,128,128,0,32,5,65, 1,106,33,5,32,7,65,127,106,34,7,13,0,11,32,1,65,1,118,33,5,68,0,0,0,0,0,0,16,64,32,2,163,33,3,32,6,33,7,3, 64,32,5,32,3,16,128,128,128,128,0,32,5,65,1,106,33,5,32,7,65,127,106,34,7,13,0,11,32,4,65,3,108,33,5,68,0,0,0,0, 0,0,24,64,32,2,163,33,3,3,64,32,5,32,3,16,128,128,128,128,0,32,5,65,1,106,33,5,32,6,65,127,106,34,6,13,0,11,32,1, 65,2,116,34,1,32,0,76,13,0,11,11,11,0,45,4,110,97,109,101,1,18,2,0,9,100,101,98,117,103,95,108,111,103,1,4,116,101,115,116, 7,18,1,0,15,95,95,115,116,97,99,107,95,112,111,105,110,116,101,114,0,45,9,112,114,111,100,117,99,101,114,115,1,12,112,114,111,99,101,115, 115,101,100,45,98,121,1,12,85,98,117,110,116,117,32,99,108,97,110,103,6,49,52,46,48,46,54]); function debug_log(idx, value) { print(idx, value); } var {instance} = await WebAssembly.instantiate(buf, {env: { debug_log }}); instance.exports.test(1024); })(); More specifically, using BBQ JIT gives incorrect result: jsc --useConcurrentJIT=false --useBBQJIT=true --useOMGJIT=false ... 189 0.015625 190 0.015625 191 0.015625 192 1 193 1 194 1 ... Disabling BBQ JIT gives correct result: jsc --useBBQJIT=false ... 189 0.015625 190 0.015625 191 0.015625 192 0.0234375 193 0.0234375 194 0.0234375 ... Thank's.
Yusuke Suzuki
Comment 4 2024-06-25 09:31:32 PDT
(In reply to mfcc64 from comment #3) > Using latest jsc, it still doesn't work (on x84_64). > > (async function() { > var buf = > Uint8Array.from([0,97,115,109,1,0,0,0,1,10,2,96,2,127,124,0,96,1,127,0,2,17, > 1,3,101,110,118,9,100,101,98,117,103,95,108,111,103,0,0,3, > > 2,1,1,5,3,1,0,2,6,8,1,127,1,65,128,136,4,11,7,17,2,6,109,101,109,111,114,121, > 2,0,4,116,101,115,116,0,1,10,213,1, > > 1,210,1,3,1,127,2,124,4,127,65,16,33,1,2,64,32,0,65,16,72,13,0,3,64,68,0,0,0, > 0,0,0,0,64,32,1,183,34,2,163, > > 33,3,32,1,65,2,118,34,4,33,5,32,4,65,1,32,4,65,1,75,27,34,6,33,7,3,64,32,5, > 32,3,16,128,128,128,128,0,32,5,65, > > 1,106,33,5,32,7,65,127,106,34,7,13,0,11,32,1,65,1,118,33,5,68,0,0,0,0,0,0,16, > 64,32,2,163,33,3,32,6,33,7,3, > > 64,32,5,32,3,16,128,128,128,128,0,32,5,65,1,106,33,5,32,7,65,127,106,34,7,13, > 0,11,32,4,65,3,108,33,5,68,0,0,0,0, > > 0,0,24,64,32,2,163,33,3,3,64,32,5,32,3,16,128,128,128,128,0,32,5,65,1,106,33, > 5,32,6,65,127,106,34,6,13,0,11,32,1, > > 65,2,116,34,1,32,0,76,13,0,11,11,11,0,45,4,110,97,109,101,1,18,2,0,9,100,101, > 98,117,103,95,108,111,103,1,4,116,101,115,116, > > 7,18,1,0,15,95,95,115,116,97,99,107,95,112,111,105,110,116,101,114,0,45,9, > 112,114,111,100,117,99,101,114,115,1,12,112,114,111,99,101,115, > > 115,101,100,45,98,121,1,12,85,98,117,110,116,117,32,99,108,97,110,103,6,49, > 52,46,48,46,54]); > > function debug_log(idx, value) { > print(idx, value); > } > var {instance} = await WebAssembly.instantiate(buf, {env: { debug_log > }}); > instance.exports.test(1024); > })(); > > More specifically, using BBQ JIT gives incorrect result: > jsc --useConcurrentJIT=false --useBBQJIT=true --useOMGJIT=false > ... > 189 0.015625 > 190 0.015625 > 191 0.015625 > 192 1 > 193 1 > 194 1 > ... > > Disabling BBQ JIT gives correct result: > jsc --useBBQJIT=false > ... > 189 0.015625 > 190 0.015625 > 191 0.015625 > 192 0.0234375 > 193 0.0234375 > 194 0.0234375 > ... > > Thank's. How did you get that JSC shell? ToT build (revision 280337@main) is showing the following. ``` 188 0.015625 189 0.015625 190 0.015625 191 0.015625 192 0.0234375 193 0.0234375 194 0.0234375 195 0.0234375 196 0.0234375 197 0.0234375 198 0.0234375 199 0.0234375 ```
mfcc64
Comment 5 2024-06-25 17:07:12 PDT
jsc is generated by Tools/Scripts/build-jsc --jsc-only (on revision 280337@main). Updating to revision 280352@main doesn't fix the problem. Thank's.
Yusuke Suzuki
Comment 6 2024-06-25 17:15:38 PDT
(In reply to mfcc64 from comment #5) > jsc is generated by Tools/Scripts/build-jsc --jsc-only (on revision > 280337@main). Updating to revision 280352@main doesn't fix the problem. > > Thank's. Can you generate build-webkit and use JSC shell via VM=/path/to/WebKitBuild/Release; DYLD_FRAMEWORK_PATH=$VM $VM/jsc We cannot reproduce the issue so far with built JSC.
Yusuke Suzuki
Comment 7 2024-06-25 17:15:48 PDT
Is it macOS?
mfcc64
Comment 8 2024-06-25 17:36:58 PDT
I run it on x86_64 Linux.
Justin Michaud
Comment 9 2024-06-26 11:00:22 PDT
:looking:
Justin Michaud
Comment 10 2024-06-28 14:21:00 PDT
I was unable to reproduce this on x86_64 linux. Can you show how you launch jsc? You will need to set LD_PRELOAD_PATH to get the right version of jsc: ``` export VM=$BUILDDIR/WebKitBuild/JSCOnly/$CONFIG/ LD_LIBRARY_PATH=$VM $VM/bin/jsc --validateOptions=1 ```
mfcc64
Comment 11 2024-06-28 17:59:10 PDT
It still give incorrect results. Trying debug build, got assertion failed: ASSERTION FAILED: op1 == dest || op2 != dest 178 0.015625 /home/data/git/WebKit/Source/JavaScriptCore/assembler/MacroAssemblerX86Common.h(1814) : void JSC::MacroAssemblerX86Common::divDouble(JSC::AbstractMacroAssembler<JSC::X86Assembler>::FPRegisterID, JSC::AbstractMacroAssembler<JSC::X86Assembler>::FPRegisterID, JSC::AbstractMacroAssembler<JSC::X86Assembler>::FPRegisterID) Looking at the source, maybe this only affect processors that don't have AVX support. So, It seems that you should disable AVX to reproduce this bug. Thank's.
Yusuke Suzuki
Comment 12 2024-06-28 20:56:16 PDT
Pull request: https://github.com/WebKit/WebKit/pull/30299
mfcc64
Comment 13 2024-06-28 23:56:33 PDT
The patch works for me. Thank's.
EWS
Comment 14 2024-06-29 00:27:43 PDT
Committed 280495@main (2fdb35959e51): <https://commits.webkit.org/280495@main> Reviewed commits have been landed. Closing PR #30299 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.