WebKit Bugzilla
RESOLVED FIXED
233682
[JSC] HeapBigInt CompareStrictEq should call use after speculation checks
https://bugs.webkit.org/show_bug.cgi?id=233682
Lukas Bernhard
Reported
2021-11-30 22:31:55 PST
During differential testing of WebKit I found a sample triggering a miscomputation in FTL.

JSC on git commit: 65d77d21751c

build options:
```
./Tools/Scripts/build-jsc --jsc-only --release --cmakeargs="-DENABLE_STATIC_JSC=ON -DCMAKE_C_COMPILER='/usr/bin/clang-12' -DCMAKE_CXX_COMPILER='/usr/bin/clang++-12' -DCMAKE_CXX_FLAGS='-O3 -lrt -latomic -fuse-ld=lld'"
```

command line:
```
RefBuild/Release/bin/jsc --validateOptions=true --useConcurrentJIT=false --useConcurrentGC=false --validateBCE=true --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 diff.js
```

differs from:
```
RefBuild/Release/bin/jsc --validateOptions=true --useConcurrentJIT=false --useConcurrentGC=false --validateBCE=true --useFTLJIT=false diff.js
```

```js
function main() {
    let v37;
    // 129n << 129n does not fit in a machine word, so it is a heap-allocated BigInt.
    let v20 = 129n << 129n;
    const v21 = v20++;
    function v29(v30) {
        // switch compares v21 against the case label with strict equality (===).
        switch (v21) {
        default:
            for (let v34 = 1; v34 < 65536; v34++) {
            }
            break;
        case v30:
            v37 = 1; // should never be reached, however this is executed in baseline
        }
    }
    v29(BigInt(129n)); // BigInt label: heap BigInt vs. BigInt comparison
    v29([1]);          // object label: heap BigInt vs. non-BigInt comparison
    print(v37); // prints 1 without FTL, undefined with FTL (also undefined in spidermonkey)
}
main();
```
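A self-checking variant of the reporter's test case, added here as an example and not part of the bug report or of WebKit's own test suite. Rather than diffing the output of two engine configurations, it runs the same switch-on-heap-BigInt comparison through many iterations so that a tiering JIT will compile it, and checks every result against an oracle that never relies on `===` between BigInts. The function and constant names (`HEAP_BIGINT`, `bigIntStrictEqualOracle`, `switchMatches`, `runProbe`) are this example's own; the probe values are constructed for illustration.

```javascript
// A BigInt that does not fit in a machine word, so the engine must keep it
// as a heap-allocated BigInt (the case the bug title refers to).
const HEAP_BIGINT = 129n << 129n;

// Independent strict-equality oracle for "heap BigInt vs. anything".
// BigInt === BigInt is a value comparison; it is done here on decimal strings
// so the oracle does not depend on the BigInt === path being tested.
// A BigInt is never strictly equal to a value of any other type.
function bigIntStrictEqualOracle(heapBigInt, other) {
  if (typeof other !== "bigint") return false;
  return heapBigInt.toString() === other.toString();
}

// Same shape as the reporter's v29: `default` listed first, then a `case`
// whose label is the call argument, so the engine has to emit a strict
// equality compare between the captured heap BigInt and a label whose type
// changes from call to call.
function switchMatches(subject, label) {
  let reached = false;
  switch (subject) {
    default:
      for (let i = 1; i < 256; i++) {
      } // keep the default arm non-trivial, as in the original sample
      break;
    case label:
      reached = true;
  }
  return reached;
}

// Run the comparison enough times for a tiering JIT to compile it, mixing
// label types so type speculation has to be checked on every path. Returns
// every iteration where the engine's answer differs from the oracle.
function runProbe(iterations) {
  const probes = [
    129n,            // small BigInt, same type, different value
    129n << 129n,    // heap BigInt, equal value, separately allocated
    HEAP_BIGINT,     // the very same heap BigInt
    [1], 129, "129", null, undefined, {}, // non-BigInt labels
  ];
  const mismatches = [];
  for (let iter = 0; iter < iterations; iter++) {
    for (const p of probes) {
      const got = switchMatches(HEAP_BIGINT, p);
      const want = bigIntStrictEqualOracle(HEAP_BIGINT, p);
      if (got !== want) {
        mismatches.push({ iter, label: String(p), got, want });
      }
    }
  }
  return { iterations, mismatches };
}

// `print` exists in the jsc shell, `console.log` in Node; use whichever is there.
const out = typeof print === "function" ? print : console.log;
const report = runProbe(10000);
out(report.mismatches.length === 0
  ? "OK: " + report.iterations + " iterations agree with the oracle"
  : "MISMATCH: " + JSON.stringify(report.mismatches.slice(0, 5)));
```

On an engine without the bug the report is empty for every tier. Under the reporter's option set (low tier-up thresholds, concurrent JIT disabled) a miscompiled compare shows up as a mismatch whose `iter` value tells you roughly which tier produced it, which is more useful for deduplicating fuzzer findings than a single differing `print`.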
Radar WebKit Bug Importer
Comment 1
2021-12-07 22:32:27 PST
<rdar://problem/86192953>
Lukas Bernhard
Comment 2
2022-02-17 05:23:52 PST
While I understand this issue might not be of high relevance, I encounter this correctness error quite often during fuzzing. This makes deduplication of findings rather tedious. If fixing the underlying problem is not in scope for now, could the engine maybe emit some kind of fprintf(stderr, "known correctness error") so fuzzers could skip the particular problem?
Saam Barati
Comment 3
2022-09-18 12:00:14 PDT
(In reply to Lukas Bernhard from comment #2)
> While I understand this issue might not be of high relevance, I encounter
> this correctness error quite often during fuzzing. This makes deduplication
> of findings rather tedious.
> If fixing the underlying problem is not in scope for now, could the engine
> maybe emit some kind of fprintf(stderr, "known correctness error") so
> fuzzers could skip the particular problem?
Yeah, this should just be fixed to unblock the fuzzer.
Yusuke Suzuki
Comment 4
2022-09-19 16:37:43 PDT
Pull request: https://github.com/WebKit/WebKit/pull/4510
EWS
Comment 5
2022-09-19 19:14:14 PDT
Committed 254655@main (662e9f67690e): <https://commits.webkit.org/254655@main>

Reviewed commits have been landed. Closing PR #4510 and removing active labels.