Bug 244192 - Uint8ClampedArray
Summary: Uint8ClampedArray
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Local Build
Hardware: PC Linux
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2022-08-22 03:01 PDT by Yue Sun
Modified: 2022-08-29 03:02 PDT
Description Yue Sun 2022-08-22 03:01:17 PDT
path/to/jsc test.js --useConcurrentJIT=0 --forceWeakRandomSeed=1 --jitPolicyScale=0 
path/to/jsc test.js --useConcurrentJIT=0 --forceWeakRandomSeed=1 --jitPolicyScale=0.1

  function testClampDouble() {
    var values = [-255.1, -255.0, -2.1, -0, 0, 0.1, 123.4, 254.6, 255, 255.1, 255.9, 256];
    var expected = [];
    var arr = new Uint8ClampedArray(100);
  
    for (var i = 0; i < 10; i++) {
      for (var j = 0; j < values.length; j++) {
        arr[j] = values[j];
        values.filter(function () {
          expected[arr[j]] = 5;
          return false;
        });
        // Length inconsistency: the printed length differs between tiers.
        print(expected.length);
      }
      expected.pop();
    }
  }
  
  testClampDouble();

We used the command line options above to run the script. In this PoC, the clamped array "arr" would turn double numbers in values[] to Uint8 type. However, in the Low Level Interpreter, 254.6 is turned to 255 since 255 is closer, while in DFG 254.6 is transferred to 254 using truncation. FTL also has a similar problem when lowering to B3. This leads to a difference in the length of "expected[]".
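Added example, not part of the original report or of WebKit's code: a conformance check that stores the report's values through a real Uint8ClampedArray in a hot loop and compares each result with a reference ToUint8Clamp (clamp to [0, 255], round to nearest, ties to even, as ECMAScript specifies). The function names and the iteration count are assumptions made for this sketch.

```javascript
// Reference ToUint8Clamp: clamp to [0, 255], round to nearest, ties to even.
function toUint8ClampSpec(x) {
  if (Number.isNaN(x) || x <= 0) return 0;
  if (x >= 255) return 255;
  const f = Math.floor(x);
  if (f + 0.5 < x) return f + 1;
  if (x < f + 0.5) return f;
  return f % 2 === 0 ? f : f + 1; // exact tie: pick the even neighbour
}

// The truncating conversion the report attributes to the DFG tier.
function toUint8ClampTruncate(x) {
  if (Number.isNaN(x) || x <= 0) return 0;
  if (x >= 255) return 255;
  return Math.trunc(x);
}

// Values taken from the report's PoC.
const VALUES = [-255.1, -255.0, -2.1, -0, 0, 0.1, 123.4, 254.6, 255, 255.1, 255.9, 256];

// Inputs on which rounding and truncation disagree, i.e. the ones that can
// expose a tier that truncates instead of rounding.
function truncationSensitive(values) {
  return values.filter(v => toUint8ClampSpec(v) !== toUint8ClampTruncate(v));
}

// Repeats the typed-array stores often enough for the loop to tier up and
// records every store whose result differs from the reference.
function findClampMismatches(values, iterations) {
  const arr = new Uint8ClampedArray(values.length);
  const mismatches = [];
  for (let i = 0; i < iterations; i++) {
    for (let j = 0; j < values.length; j++) {
      arr[j] = values[j];
      const want = toUint8ClampSpec(values[j]);
      if (arr[j] !== want) {
        mismatches.push({ iteration: i, value: values[j], got: arr[j], want });
      }
    }
  }
  return mismatches;
}

console.log(JSON.stringify(truncationSensitive(VALUES)));
console.log(JSON.stringify(findClampMismatches(VALUES, 10000)));
```

An empty mismatch list means every store matched the reference in the configuration under test; a non-empty list gives the first iteration at which the stored value changed.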
Comment 1 Radar WebKit Bug Importer 2022-08-29 03:02:16 PDT
<rdar://problem/99269399>