Bug 233682 - [JSC] HeapBigInt CompareStrictEq should call use after speculation checks
Summary: [JSC] HeapBigInt CompareStrictEq should call use after speculation checks
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Local Build
Hardware: PC Linux
: P2 Normal
Assignee: Yusuke Suzuki
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2021-11-30 22:31 PST by Lukas Bernhard
Modified: 2022-09-19 19:14 PDT (History)
4 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Lukas Bernhard 2021-11-30 22:31:55 PST 
During differential testing of webkit I found a sample triggering a miscomputation in FTL.

JSC on git commit: 65d77d21751c
build options:
./Tools/Scripts/build-jsc --jsc-only --release --cmakeargs="-DENABLE_STATIC_JSC=ON -DCMAKE_C_COMPILER='/usr/bin/clang-12' -DCMAKE_CXX_COMPILER='/usr/bin/clang++-12' -DCMAKE_CXX_FLAGS='-O3 -lrt -latomic -fuse-ld=lld'"

command line:
RefBuild/Release/bin/jsc --validateOptions=true --useConcurrentJIT=false --useConcurrentGC=false --validateBCE=true --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 diff.js

differs from:
RefBuild/Release/bin/jsc --validateOptions=true --useConcurrentJIT=false --useConcurrentGC=false --validateBCE=true --useFTLJIT=false diff.js


```
function main() { 
    let v37;
    let v20 = 129n << 129n;
    const v21 = v20++;
        
    function v29(v30) {
        switch (v21) {
        default:
            for (let v34 = 1; v34 < 65536; v34++) { } 
            break;
        case v30: 
            v37 = 1; // should never be reached, however this is executed in baseline
        }   
    }   
        
    v29(BigInt(129n));
    v29([1]);
        
    print(v37);  // prints 1 without FTL, undefined with FLT (also undefined in spidermonkey)
}
main();
```
Comment 1 Radar WebKit Bug Importer 2021-12-07 22:32:27 PST 
<rdar://problem/86192953>
Comment 2 Lukas Bernhard 2022-02-17 05:23:52 PST 
While I understand this issue might not be of high relevance, I encounter this correctness error quite often during fuzzing. This makes deduplication of findings rather tedious.
If fixing the underlying problem is not in scope for now, could the engine maybe emit some kind of fprintf(stderr, "known correctness error") so fuzzers could skip the particular problem?
Comment 3 Saam Barati 2022-09-18 12:00:14 PDT 
(In reply to Lukas Bernhard from comment #2)
> While I understand this issue might not be of high relevance, I encounter
> this correctness error quite often during fuzzing. This makes deduplication
> of findings rather tedious.
> If fixing the underlying problem is not in scope for now, could the engine
> maybe emit some kind of fprintf(stderr, "known correctness error") so
> fuzzers could skip the particular problem?

Yeah, this should just be fixed to unblock the fuzzer.
Comment 4 Yusuke Suzuki 2022-09-19 16:37:43 PDT 
Pull request: https://github.com/WebKit/WebKit/pull/4510
Comment 5 EWS 2022-09-19 19:14:14 PDT 
Committed 254655@main (662e9f67690e): <https://commits.webkit.org/254655@main>

Reviewed commits have been landed. Closing PR #4510 and removing active labels.