Bug 231322 - ArrayBuffer species watchpoint being invalidated doesn't mean it's not an ArrayBuffer constructor from the same global object
Summary: ArrayBuffer species watchpoint being invalidated doesn't mean it's not an Arr...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Local Build
Hardware: PC Linux
: P2 Normal
Assignee: Saam Barati
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2021-10-06 12:48 PDT by Lukas Bernhard
Modified: 2021-11-01 13:10 PDT (History)
8 users (show)

See Also:


Attachments
patch (4.05 KB, patch)
2021-10-29 18:41 PDT, Saam Barati
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Lukas Bernhard 2021-10-06 12:48:14 PDT
Differential testing identifies the following samples to trigger a miscomputation in JSC.
Tested on e467a9710432ebb3dae9880f897cf93929adc0e6 (Wed Oct 6 16:30:57 2021 +0000)

Release/bin/jsc --validateOptions=true --useConcurrentJIT=false --useConcurrentGC=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --validateBCE=true --useFTLJIT=true diff.js


function main() {
    async function v23(v24) {
        for (let v30 = 0; v30 < 60000; v30++) { } 
        ArrayBuffer.prototype.constructor = ArrayBuffer;
    }   
    
    const v22 = [0, 0, 0]; 
    const v35 = v22.filter(v23);
    
    const v37 = [0, 0, 0]
    const v42 = new Uint8ClampedArray(v37);
    const v43 = new Uint32Array(v42); // without FTL: RangeError: Length out of range of buffer
    print(v43.length);  // prints 3 with FTL (also 3 in v8). with --useFTLJIT=true this statement is not executed due to the previous exception
}
main();
Comment 1 Radar WebKit Bug Importer 2021-10-13 12:49:12 PDT
<rdar://problem/84212078>
Comment 2 Saam Barati 2021-10-29 18:41:16 PDT
Created attachment 442892 [details]
patch
Comment 3 Yusuke Suzuki 2021-10-29 18:42:44 PDT
Comment on attachment 442892 [details]
patch

r=me
Comment 4 EWS 2021-11-01 13:10:33 PDT
Committed r285123 (243764@main): <https://commits.webkit.org/243764@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 442892 [details].