RESOLVED FIXED 275596
Incorrect WebAssembly computation result
https://bugs.webkit.org/show_bug.cgi?id=275596
Summary Incorrect WebAssembly computation result
mfcc64
Reported 2024-06-17 20:16:09 PDT
// Run this script using browser console / bun
// Reproducer: `buf` holds a raw WebAssembly module (magic "\0asm", version 1)
// compiled from the C source quoted in this report. Per its import/export
// sections it imports env.debug_log(i32, f64) and exports `memory` and `test`.
(async function() {
  var buf = Uint8Array.from([0,97,115,109,1,0,0,0,1,10,2,96,2,127,124,0,96,1,127,0,2,17,1,3,101,110,118,9,100,101,98,117,103,95,108,111,103,0,0,3,
    2,1,1,5,3,1,0,2,6,8,1,127,1,65,128,136,4,11,7,17,2,6,109,101,109,111,114,121,2,0,4,116,101,115,116,0,1,10,213,1,
    1,210,1,3,1,127,2,124,4,127,65,16,33,1,2,64,32,0,65,16,72,13,0,3,64,68,0,0,0,0,0,0,0,64,32,1,183,34,2,163,
    33,3,32,1,65,2,118,34,4,33,5,32,4,65,1,32,4,65,1,75,27,34,6,33,7,3,64,32,5,32,3,16,128,128,128,128,0,32,5,65,
    1,106,33,5,32,7,65,127,106,34,7,13,0,11,32,1,65,1,118,33,5,68,0,0,0,0,0,0,16,64,32,2,163,33,3,32,6,33,7,3,
    64,32,5,32,3,16,128,128,128,128,0,32,5,65,1,106,33,5,32,7,65,127,106,34,7,13,0,11,32,4,65,3,108,33,5,68,0,0,0,0,
    0,0,24,64,32,2,163,33,3,3,64,32,5,32,3,16,128,128,128,128,0,32,5,65,1,106,33,5,32,6,65,127,106,34,6,13,0,11,32,1,
    65,2,116,34,1,32,0,76,13,0,11,11,11,0,45,4,110,97,109,101,1,18,2,0,9,100,101,98,117,103,95,108,111,103,1,4,116,101,115,116,
    7,18,1,0,15,95,95,115,116,97,99,107,95,112,111,105,110,116,101,114,0,45,9,112,114,111,100,117,99,101,114,115,1,12,112,114,111,99,101,115,
    115,101,100,45,98,121,1,12,85,98,117,110,116,117,32,99,108,97,110,103,6,49,52,46,48,46,54]);
  // `m` gates the output: the first test() call logs every (idx, value) pair,
  // and the idx == 4095 entry clears `m`, so every later call logs only that
  // final entry. This keeps the console readable across the 100 calls below.
  var m = true;
  // Host function imported by the module as env.debug_log; `value` is the
  // double the wasm code computed for index `idx`.
  function debug_log(idx, value) {
    if (idx == 4095) console.log(idx, value), m = false;
    if (m) console.log(idx, value);
  }
  var {instance} = await WebAssembly.instantiate(buf, {env: { debug_log }});
  // Call test() repeatedly: the report observes a wrong result on the early
  // calls that becomes correct after several calls; comment 3 narrows the
  // wrong result to the BBQ JIT tier.
  for (let x = 0; x < 100; x++) instance.exports.test(4096);
})(); // end
// The result is incorrect starting at idx = 512. But, after several calls to instance.exports.test, it becomes correct.
Here are the last logs:
[Log] 4095 – 1 (x21)
[Log] 4095 – 0.00146484375 (x79)
This is the C source code of the wasm file:
void debug_log(int, double);
void test(int n) {
  for (int k = 16; k <= n; k *= 4) {
    int q = k / 4;
    double mul;
    for (int j = 1; j < 4; j++)
      for (int x = 0; x < q; x++)
        mul = 2.0 * j / k, debug_log(j*q+x, mul);
  }
}
Previously, I reported this on bun: https://github.com/oven-sh/bun/issues/11667
Attachments
Radar WebKit Bug Importer
Comment 1 2024-06-24 20:17:12 PDT
Yusuke Suzuki
Comment 2 2024-06-24 20:46:18 PDT
Thanks. ToT WebKit / JavaScriptCore can run this as expected (matching against V8 and SpiderMonkey). So please update to the latest WebKit / JavaScriptCore!
mfcc64
Comment 3 2024-06-25 03:16:26 PDT
Using the latest jsc, it still doesn't work (on x86_64).
(async function() {
var buf = Uint8Array.from([0,97,115,109,1,0,0,0,1,10,2,96,2,127,124,0,96,1,127,0,2,17,1,3,101,110,118,9,100,101,98,117,103,95,108,111,103,0,0,3,
2,1,1,5,3,1,0,2,6,8,1,127,1,65,128,136,4,11,7,17,2,6,109,101,109,111,114,121,2,0,4,116,101,115,116,0,1,10,213,1,
1,210,1,3,1,127,2,124,4,127,65,16,33,1,2,64,32,0,65,16,72,13,0,3,64,68,0,0,0,0,0,0,0,64,32,1,183,34,2,163,
33,3,32,1,65,2,118,34,4,33,5,32,4,65,1,32,4,65,1,75,27,34,6,33,7,3,64,32,5,32,3,16,128,128,128,128,0,32,5,65,
1,106,33,5,32,7,65,127,106,34,7,13,0,11,32,1,65,1,118,33,5,68,0,0,0,0,0,0,16,64,32,2,163,33,3,32,6,33,7,3,
64,32,5,32,3,16,128,128,128,128,0,32,5,65,1,106,33,5,32,7,65,127,106,34,7,13,0,11,32,4,65,3,108,33,5,68,0,0,0,0,
0,0,24,64,32,2,163,33,3,3,64,32,5,32,3,16,128,128,128,128,0,32,5,65,1,106,33,5,32,6,65,127,106,34,6,13,0,11,32,1,
65,2,116,34,1,32,0,76,13,0,11,11,11,0,45,4,110,97,109,101,1,18,2,0,9,100,101,98,117,103,95,108,111,103,1,4,116,101,115,116,
7,18,1,0,15,95,95,115,116,97,99,107,95,112,111,105,110,116,101,114,0,45,9,112,114,111,100,117,99,101,114,115,1,12,112,114,111,99,101,115,
115,101,100,45,98,121,1,12,85,98,117,110,116,117,32,99,108,97,110,103,6,49,52,46,48,46,54]);
function debug_log(idx, value) { print(idx, value); }
var {instance} = await WebAssembly.instantiate(buf, {env: { debug_log }});
instance.exports.test(1024);
})();
More specifically, using the BBQ JIT gives an incorrect result:
jsc --useConcurrentJIT=false --useBBQJIT=true --useOMGJIT=false
...
189 0.015625
190 0.015625
191 0.015625
192 1
193 1
194 1
...
Disabling the BBQ JIT gives the correct result:
jsc --useBBQJIT=false
...
189 0.015625
190 0.015625
191 0.015625
192 0.0234375
193 0.0234375
194 0.0234375
...
Thanks.
Yusuke Suzuki
Comment 4 2024-06-25 09:31:32 PDT
(In reply to mfcc64 from comment #3) > Using latest jsc, it still doesn't work (on x84_64). > > (async function() { > var buf = > Uint8Array.from([0,97,115,109,1,0,0,0,1,10,2,96,2,127,124,0,96,1,127,0,2,17, > 1,3,101,110,118,9,100,101,98,117,103,95,108,111,103,0,0,3, > > 2,1,1,5,3,1,0,2,6,8,1,127,1,65,128,136,4,11,7,17,2,6,109,101,109,111,114,121, > 2,0,4,116,101,115,116,0,1,10,213,1, > > 1,210,1,3,1,127,2,124,4,127,65,16,33,1,2,64,32,0,65,16,72,13,0,3,64,68,0,0,0, > 0,0,0,0,64,32,1,183,34,2,163, > > 33,3,32,1,65,2,118,34,4,33,5,32,4,65,1,32,4,65,1,75,27,34,6,33,7,3,64,32,5, > 32,3,16,128,128,128,128,0,32,5,65, > > 1,106,33,5,32,7,65,127,106,34,7,13,0,11,32,1,65,1,118,33,5,68,0,0,0,0,0,0,16, > 64,32,2,163,33,3,32,6,33,7,3, > > 64,32,5,32,3,16,128,128,128,128,0,32,5,65,1,106,33,5,32,7,65,127,106,34,7,13, > 0,11,32,4,65,3,108,33,5,68,0,0,0,0, > > 0,0,24,64,32,2,163,33,3,3,64,32,5,32,3,16,128,128,128,128,0,32,5,65,1,106,33, > 5,32,6,65,127,106,34,6,13,0,11,32,1, > > 65,2,116,34,1,32,0,76,13,0,11,11,11,0,45,4,110,97,109,101,1,18,2,0,9,100,101, > 98,117,103,95,108,111,103,1,4,116,101,115,116, > > 7,18,1,0,15,95,95,115,116,97,99,107,95,112,111,105,110,116,101,114,0,45,9, > 112,114,111,100,117,99,101,114,115,1,12,112,114,111,99,101,115, > > 115,101,100,45,98,121,1,12,85,98,117,110,116,117,32,99,108,97,110,103,6,49, > 52,46,48,46,54]); > > function debug_log(idx, value) { > print(idx, value); > } > var {instance} = await WebAssembly.instantiate(buf, {env: { debug_log > }}); > instance.exports.test(1024); > })(); > > More specifically, using BBQ JIT gives incorrect result: > jsc --useConcurrentJIT=false --useBBQJIT=true --useOMGJIT=false > ... > 189 0.015625 > 190 0.015625 > 191 0.015625 > 192 1 > 193 1 > 194 1 > ... > > Disabling BBQ JIT gives correct result: > jsc --useBBQJIT=false > ... > 189 0.015625 > 190 0.015625 > 191 0.015625 > 192 0.0234375 > 193 0.0234375 > 194 0.0234375 > ... > > Thank's. How did you get that JSC shell? 
ToT build (revision 280337@main) is showing the following.
```
188 0.015625
189 0.015625
190 0.015625
191 0.015625
192 0.0234375
193 0.0234375
194 0.0234375
195 0.0234375
196 0.0234375
197 0.0234375
198 0.0234375
199 0.0234375
```
mfcc64
Comment 5 2024-06-25 17:07:12 PDT
jsc is generated by Tools/Scripts/build-jsc --jsc-only (on revision 280337@main). Updating to revision 280352@main doesn't fix the problem. Thanks.
Yusuke Suzuki
Comment 6 2024-06-25 17:15:38 PDT
(In reply to mfcc64 from comment #5) > jsc is generated by Tools/Scripts/build-jsc --jsc-only (on revision > 280337@main). Updating to revision 280352@main doesn't fix the problem. > > Thank's.
Can you build with build-webkit and use the JSC shell from that build via `VM=/path/to/WebKitBuild/Release; DYLD_FRAMEWORK_PATH=$VM $VM/jsc`? We cannot reproduce the issue so far with the built JSC.
Yusuke Suzuki
Comment 7 2024-06-25 17:15:48 PDT
Is it macOS?
mfcc64
Comment 8 2024-06-25 17:36:58 PDT
I run it on x86_64 Linux.
Justin Michaud
Comment 9 2024-06-26 11:00:22 PDT
:looking:
Justin Michaud
Comment 10 2024-06-28 14:21:00 PDT
I was unable to reproduce this on x86_64 linux. Can you show how you launch jsc? You will need to set LD_LIBRARY_PATH to get the right version of jsc:
```
export VM=$BUILDDIR/WebKitBuild/JSCOnly/$CONFIG/
LD_LIBRARY_PATH=$VM $VM/bin/jsc --validateOptions=1
```
mfcc64
Comment 11 2024-06-28 17:59:10 PDT
It still gives incorrect results. Trying a debug build, I got an assertion failure:
ASSERTION FAILED: op1 == dest || op2 != dest
178 0.015625
/home/data/git/WebKit/Source/JavaScriptCore/assembler/MacroAssemblerX86Common.h(1814) : void JSC::MacroAssemblerX86Common::divDouble(JSC::AbstractMacroAssembler<JSC::X86Assembler>::FPRegisterID, JSC::AbstractMacroAssembler<JSC::X86Assembler>::FPRegisterID, JSC::AbstractMacroAssembler<JSC::X86Assembler>::FPRegisterID)
Looking at the source, maybe this only affects processors that don't have AVX support: the failed assertion means the non-AVX divDouble path was handed an operand register that aliases its destination, which is presumably why a release build silently produces the wrong quotient instead of asserting. So it seems you need to disable AVX to reproduce this bug. Thanks.
Yusuke Suzuki
Comment 12 2024-06-28 20:56:16 PDT
mfcc64
Comment 13 2024-06-28 23:56:33 PDT
The patch works for me. Thanks.
EWS
Comment 14 2024-06-29 00:27:43 PDT
Committed 280495@main (2fdb35959e51): <https://commits.webkit.org/280495@main> Reviewed commits have been landed. Closing PR #30299 and removing active labels.