135338 – IOS - Math.abs generate random numbers when we have JIT

Bug 135338 - IOS - Math.abs generate random numbers when we have JIT

Summary: IOS - Math.abs generate random numbers when we have JIT

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	528+ (Nightly build)
Hardware:	iPhone / iPad iOS 7.0

Importance:	P2 Major
Assignee:	Nobody

URL:
Keywords:

Depends on:
Blocks:

Reported:	2014-07-28 08:42 PDT by Adrian
Modified:	2014-07-29 11:45 PDT (History)
CC List:	3 users (show)

See Also:

Attachments
Examples of failing and working code that does the same thing (1.25 KB, text/html) 2014-07-28 08:43 PDT, Adrian	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Adrian 2014-07-28 08:42:45 PDT

This may be already reported but I don't seem to be able to find it but basically when we have JIT and we use Math.abs in some contexts it produces random numbers. The original case was in a much larger codebase but I reduce it to this one, it may not be exactly the same issue  but it is in the same area at least.

Example code

Number.prototype.abs = function() {
        return Math['abs'].call(Math, this);
};

for (var i = 0; i < 100; i++) {
        document.write(i.abs() + ' ');
}

Expected behaviour:

Print number from 0 to 99 in the page.

Current behaviour

It prints all the numbers all right until 73, after that iOS devices start to generate large numbers like 312604592 instead of 74. They appear to follow some kind of pattern.

Other platforms

The only platform where this happens is iOS, the rest of the browsers, including Safari on desktop, doesn't have this problem at all. This problem goes away is you attach a debugger, change the prototype to a global method or use dot notation when calling abs for example.

I attached an html file with that example plus a few others I tried, some of them working some not.

Comment 1 Adrian 2014-07-28 08:43:46 PDT

Created attachment 235595 [details]
Examples of failing and working code that does the same thing

Comment 2 Alexey Proskuryakov 2014-07-28 23:58:28 PDT

What is the iOS version that you are seeing this with, and on which device?

I cannot reproduce with iOS 7.1.1 on iPhone 5s.

Comment 3 Adrian 2014-07-29 02:12:36 PDT

I just tried again in both the emulator (iPad IOS 7.1), iPad 3 (iOS 7.1.2) and yesterday I tried In iPhone 5s (iOS 7.1.2).

The emulator fails all the time, the iPad 3 and the 5s fails sometimes for me, not always. It seems that they fail all the time if I change the code to:

var list = [];

Number.prototype.abs = function() {
     return Math['abs'].call(Math, this);
};

for (var i = 0; i < 100; i++) {
     list.push(i.abs());
}

document.write(list.join(', '));

Anyway yesterday I manage to update the iPhone to the latest iOS beta and now I cannot reproduce the issue anymore. Not this one, nor the other similar ones I found or even the original one in our big codebase.

It will be cool if we can now which bug fixed this one, but at least it seems that this is not going to be an issue anymore in the fall.