Bug 233682 - Differential testing: baseline execution miscomputation related to switch/case
Summary: Differential testing: baseline execution miscomputation related to switch/case
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Local Build
Hardware: PC Linux
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2021-11-30 22:31 PST by Lukas Bernhard
Modified: 2022-02-17 05:23 PST

See Also:


Description Lukas Bernhard 2021-11-30 22:31:55 PST
During differential testing of WebKit I found a sample triggering a miscomputation in FTL.

JSC on git commit: 65d77d21751c
build options:
./Tools/Scripts/build-jsc --jsc-only --release --cmakeargs="-DENABLE_STATIC_JSC=ON -DCMAKE_C_COMPILER='/usr/bin/clang-12' -DCMAKE_CXX_COMPILER='/usr/bin/clang++-12' -DCMAKE_CXX_FLAGS='-O3 -lrt -latomic -fuse-ld=lld'"

command line:
RefBuild/Release/bin/jsc --validateOptions=true --useConcurrentJIT=false --useConcurrentGC=false --validateBCE=true --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 diff.js

differs from:
RefBuild/Release/bin/jsc --validateOptions=true --useConcurrentJIT=false --useConcurrentGC=false --validateBCE=true --useFTLJIT=false diff.js


```
function main() {
    let v37;
    let v20 = 129n << 129n;      // a BigInt far larger than any case label used below
    const v21 = v20++;           // v21 keeps the pre-increment value of v20

    function v29(v30) {
        switch (v21) {           // `default` is written first but is only taken when no case matches
        default:
            for (let v34 = 1; v34 < 65536; v34++) { }
            break;
        case v30:                // entered only if v21 === v30, which never holds for the calls below
            v37 = 1; // should never be reached, however this is executed in baseline
        }
    }

    v29(BigInt(129n));
    v29([1]);

    print(v37);  // prints 1 without FTL, undefined with FTL (also undefined in spidermonkey)
}
main();
```
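The reproducer relies on two rules of ECMAScript `switch`: a case is selected iff `discriminant === caseValue` (strict equality, so a BigInt never matches a Number or an object), and `default` is taken only after every case has failed to match, regardless of where it is written in the block. The following is an added example, not code from the bug report or from WebKit: a self-checking oracle with the same default-first shape, run over constructed test vectors, that a differential-testing harness can loop through warm-up iterations so that a tier which mis-selects the case shows up as a non-zero mismatch count. The `NoBreak` variant shows the behaviour one would see if the `break` after `default` were missing, which is not the situation in the report.

```javascript
// Added example (not from the bug report): executable statement of the
// switch/case semantics the reproducer depends on, usable as an oracle when
// running a JS engine at different JIT tiers.

// Mirrors the shape of v29(): `default` precedes `case`, and the case label is
// a runtime value. Returns true iff the case body ran.
function defaultFirstSwitch(discriminant, caseValue) {
  let reached = false;
  switch (discriminant) {
    default:
      break;
    case caseValue:
      reached = true;
  }
  return reached;
}

// Same shape without the `break`: `default` falls through into the case body,
// so the body runs for every input. Included to show what a fall-through bug
// would look like, as opposed to the mis-selection reported above.
function defaultFirstSwitchNoBreak(discriminant, caseValue) {
  let reached = false;
  switch (discriminant) {
    default:
    case caseValue:
      reached = true;
  }
  return reached;
}

// Constructed test vectors (hypothetical, not from the report) covering the
// value kinds the reproducer uses. `expect` is whether `d === c` holds.
const hugeBigInt = 129n << 129n;   // the v21 discriminant from the report
const VECTORS = [
  { d: hugeBigInt, c: 129n,          expect: false }, // v29(BigInt(129n))
  { d: hugeBigInt, c: [1],           expect: false }, // v29([1])
  { d: hugeBigInt, c: 129n << 129n,  expect: true  }, // equal BigInt values
  { d: 1n,         c: 1,             expect: false }, // BigInt vs Number is never ===
  { d: 1,          c: 1,             expect: true  },
  { d: [1],        c: [1],           expect: false }, // distinct objects
  { d: NaN,        c: NaN,           expect: false }, // NaN !== NaN
];

// Runs every vector through `fn`; returns the list of mismatches (empty = OK).
function checkSwitchSemantics(fn, vectors = VECTORS) {
  const failures = [];
  for (const { d, c, expect } of vectors) {
    const got = fn(d, c);
    if (got !== expect) failures.push({ d: String(d), c: String(c), expect, got });
  }
  return failures;
}

// Warm-up loop so defaultFirstSwitch() is compiled by successive JIT tiers;
// on a correct engine this stays 0 at every tier. A non-zero count is the
// differential signal a fuzzer would key on.
function stressSwitch(iterations = 20000) {
  let mismatches = 0;
  for (let i = 0; i < iterations; i++) {
    mismatches += checkSwitchSemantics(defaultFirstSwitch).length;
  }
  return mismatches;
}

// Without the break, every vector reaches the case body.
function noBreakAlwaysReached(vectors = VECTORS) {
  return vectors.every(({ d, c }) => defaultFirstSwitchNoBreak(d, c));
}
```

To use it as a tier oracle, run it under the same `jsc` option sets as in the report (low thresholds with FTL enabled versus `--useFTLJIT=false`) and compare `stressSwitch()`; any run that returns a non-zero count pinpoints both the tier and, via `checkSwitchSemantics`, the exact discriminant/case pair that was mis-selected.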
Comment 1 Radar WebKit Bug Importer 2021-12-07 22:32:27 PST
<rdar://problem/86192953>
Comment 2 Lukas Bernhard 2022-02-17 05:23:52 PST
While I understand this issue might not be of high relevance, I encounter this correctness error quite often during fuzzing. This makes deduplication of findings rather tedious.
If fixing the underlying problem is not in scope for now, could the engine maybe emit some kind of fprintf(stderr, "known correctness error") so fuzzers could skip the particular problem?