WebKit Bugzilla
RESOLVED FIXED
270262
[WASM] BBQ JIT fails to propagate NaN through f32 min/max
https://bugs.webkit.org/show_bug.cgi?id=270262
Marcus Plutowski
Reported
2024-02-28 15:32:56 PST
rdar://120540053
JS PoC:

```
// WAT source of the module encoded in wasm_code below:
// (module
//   (type (func (param f32) (result f32)))
//   (func (type 0) (local f32)
//     (local.set 1 (f32.min (f32.const 12345678) (f32.const nan)))
//     (local.get 1)
//   )
//   (export "poc" (func 0))
// )
const wasm_code = new Uint8Array([0, 97, 115, 109, 1, 0, 0, 0, 1, 6, 1, 96, 1, 125, 1, 125, 3, 2, 1, 0, 7, 7, 1, 3, 112, 111, 99, 0, 0, 10, 21, 1, 19, 1, 1, 125, 67, 78, 97, 60, 75, 67, 0, 0, 192, 127, 150, 33, 1, 32, 1, 11]);
try {
    const wasm_mod = new WebAssembly.Module(wasm_code);
    const wasm_instance = new WebAssembly.Instance(wasm_mod);
    let ret = undefined;
    for (let i = 0; i < 10000; i++) {
        ret = wasm_instance.exports.poc(1.1);
    }
    print(ret);
} catch (e) { }
```

When JIT'ed, it sometimes returns either NaN or 12345678. See below:

```
$ jsc --jitPolicyScale=0.0 --useConcurrentJIT=true --useBBQJIT=true ./poc.js
NaN
$ jsc --jitPolicyScale=0.0 --useConcurrentJIT=true --useBBQJIT=true ./poc.js
12345678
$ jsc --jitPolicyScale=0.0 --useConcurrentJIT=true --useBBQJIT=true ./poc.js
NaN
$ jsc --jitPolicyScale=0.0 --useConcurrentJIT=true --useBBQJIT=true ./poc.js
NaN
$ jsc --jitPolicyScale=0.0 --useConcurrentJIT=true --useBBQJIT=true ./poc.js
12345678
$ jsc --jitPolicyScale=0.0 --useConcurrentJIT=true --useBBQJIT=true ./poc.js
NaN
$ jsc --jitPolicyScale=0.0 --useConcurrentJIT=true --useBBQJIT=true ./poc.js
12345678
```

When we disable the concurrent JIT it works as expected:

```
$ jsc --jitPolicyScale=0.0 --useConcurrentJIT=false --useBBQJIT=true ./poc.js
NaN
```

And with no JIT:

```
$ jsc --useWasmLLInt=true --useBBQJIT=false --useOMGJIT=false ./poc.js
NaN
```
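A conformance check for the behaviour this report is about, as an added example that is not part of the bug report or the WebKit fix: a reference `f32.min` that follows the WebAssembly rule (NaN if either operand is NaN) compared against the engine's result over many calls. The module bytes, `refF32Min` and `checkF32Min` are constructed for this illustration, and the check generalises the report's constant operands to function parameters.

```javascript
// Added example (not from the bug report): spec reference for f32.min plus a
// repeated-call differential check against the engine's compiled code.

// Constructed module: (func (export "min") (param f32 f32) (result f32)
//                        local.get 0  local.get 1  f32.min)
const MIN_MODULE = new Uint8Array([
  0, 97, 115, 109, 1, 0, 0, 0,           // magic + version
  1, 7, 1, 96, 2, 125, 125, 1, 125,      // type: (f32, f32) -> f32
  3, 2, 1, 0,                            // function 0 uses type 0
  7, 7, 1, 3, 109, 105, 110, 0, 0,       // export "min" = func 0
  10, 9, 1, 7, 0, 32, 0, 32, 1, 150, 11, // body: local.get 0/1, f32.min, end
]);

// f32.min as the WebAssembly spec defines it: NaN if either operand is NaN,
// -0 ordered below +0, otherwise the smaller operand.
function refF32Min(a, b) {
  a = Math.fround(a);
  b = Math.fround(b);
  if (Number.isNaN(a) || Number.isNaN(b)) return NaN;
  if (a === 0 && b === 0) return Object.is(a, -0) || Object.is(b, -0) ? -0 : 0;
  return a < b ? a : b;
}

// Object.is distinguishes -0 from +0 and treats NaN as equal to NaN.
const sameF32 = (x, y) => Object.is(x, y);

// Call the export `iterations` times per operand pair so the function can
// tier up mid-run; return the first mismatch found for each pair.
function checkF32Min(iterations = 10000) {
  const { exports } = new WebAssembly.Instance(new WebAssembly.Module(MIN_MODULE));
  const cases = [[12345678, NaN], [NaN, 12345678], [NaN, NaN], [0, -0], [-0, 0],
                 [1.5, -Infinity], [Infinity, 1.5], [-2.25, -2.25]];
  const mismatches = [];
  for (const [a, b] of cases) {
    const expected = refF32Min(a, b);
    for (let i = 0; i < iterations; i++) {
      const got = exports.min(a, b);
      if (!sameF32(got, expected)) {
        mismatches.push({ a, b, expected, got, iteration: i });
        break; // one report per operand pair is enough
      }
    }
  }
  return mismatches;
}
```

An empty array from `checkF32Min()` means every call matched the reference; any entry records the operands and the iteration at which the result diverged.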
Marcus Plutowski
Comment 1
2024-04-18 11:50:05 PDT
Pull request: https://github.com/WebKit/WebKit/pull/27460
EWS
Comment 2
2024-04-23 14:28:14 PDT
Committed 277891@main (d449735fb880): <https://commits.webkit.org/277891@main>

Reviewed commits have been landed. Closing PR #27460 and removing active labels.