WebKit Bugzilla
Bug 281297 - JavaScriptCore produced non-deterministic results
Status: RESOLVED INVALID
https://bugs.webkit.org/show_bug.cgi?id=281297
congli
Reported
2024-10-11 05:31:34 PDT
Created attachment 472903 [details]
The file to trigger this bug

Running the following `a.js` in JavaScriptCore generates unstable results:

```js
const v0 = [0xAB0110, {}];

function f1(a2, a3) {
  if (a2 == "global") {
    v0[0] ^= a3;
    return;
  }
  let v7 = v0[1][a2];
  if (v7 == undefined) {
    v7 = 0;
  }
  if (v7 < 50) {
    v0[0] ||= a3;
    v0[1][a2] = v7 + 1;
  }
}

f1("global", 10569);
for (let i = 0; i < 921; i++) {
  try {
    f1("global", 14614);
    (1n)[1n];
    const o263 = { "maxByteLength": 536870912 }; // Reducing "maxByteLength" can mitigate this issue
    const v265 = new ArrayBuffer(10, o263);
    f1("global", 1047);
    const v273 = new DataView(v265);
    f1("global", 6363);
  } catch(e278) {} finally {} // any error thrown inside the try block is discarded here
}
f1("global", 20614);
f1("global", 9736);
print(v0[0]); // print() is the jsc shell's output builtin
```

Below are the results of 5 different runs:

```
[1] root@bb03d964e2f9:/home/fuzzer# ./jsc/jsc a.js
11233217
[2] root@bb03d964e2f9:/home/fuzzer# ./jsc/jsc a.js
11233217
[3] root@bb03d964e2f9:/home/fuzzer# ./jsc/jsc a.js
11238157 <----------- different
[4] root@bb03d964e2f9:/home/fuzzer# ./jsc/jsc a.js
11233217
[5] root@bb03d964e2f9:/home/fuzzer# ./jsc/jsc a.js
11238157 <----------- different
```

After some attempts, I found reducing "maxByteLength" of o263 or reducing the iteration count (921) of its surrounding loop can help mitigate the issue. If this is related to OOM, I think an explicit OOM exception/error should be printed; however, it prints nothing but the checksum value.
Attachments
The file to trigger this bug (575 bytes, application/x-javascript), 2024-10-11 05:31 PDT, congli
Alexey Proskuryakov
Comment 1
2024-10-14 08:33:35 PDT
I can reproduce this on macOS, M3 MacBook Pro. There certainly is an OOM exception that's printed if I remove try-catch. Could you please clarify what aspect of this you consider to be a bug? I am not super familiar with OOM handling in JS, but this doesn't strike me as obviously wrong.
congli
Comment 2
2024-10-15 05:57:41 PDT
Hi Alexey, thanks for your response. I'm sorry for overlooking the surrounding try-catch. You are right; the OOM is indeed thrown and printed. So this should not be a bug. I marked it as RESOLVED/INVALID.
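The following is an added example, not code from the bug report or from WebKit. It models the reporter's `a.js` with the `new ArrayBuffer(10, { maxByteLength: 536870912 })` allocation replaced by a stub (`allocate`, a name assumed here) that throws on a caller-chosen set of loop iterations, standing in for the out-of-memory error Alexey observed. That makes the effect of the empty `catch` reproducible in any engine: because the checksum is built with XOR, only the parity of the number of swallowed throws matters, and the two values the reporter saw differ by exactly `1047 ^ 6363` (`11233217 ^ 11238157 === 7372`), which is what you get when an odd number of iterations throw between the `14614` step and the `1047` step. The throw schedule and iteration numbers below are constructed for illustration.

```javascript
// Added example (not from bug 281297 or WebKit). Reproduces the reporter's
// checksum deterministically by simulating the OOM error on chosen iterations.

const XOR_SEED = 0xAB0110;          // v0[0] in the original script
const STEP_BEFORE_ALLOC = 14614;    // the three f1("global", ...) calls in the loop body
const STEP_AFTER_ALLOC = 1047;
const STEP_AFTER_VIEW = 6363;

function runChecksum(oomIterations, iterations = 921) {
  const state = [XOR_SEED, {}];
  const errors = [];                // everything the original empty catch discarded

  // Same f1 as in a.js (the non-"global" branch is never reached by the script).
  function f1(a2, a3) {
    if (a2 === "global") {
      state[0] ^= a3;
      return;
    }
    let v7 = state[1][a2];
    if (v7 === undefined) v7 = 0;
    if (v7 < 50) {
      state[0] ||= a3;
      state[1][a2] = v7 + 1;
    }
  }

  // Stub for `new ArrayBuffer(10, { maxByteLength: 536870912 })`. The schedule of
  // failing iterations is an assumption of this example; a real OOM depends on the
  // machine and cannot be controlled from script.
  function allocate(i) {
    if (oomIterations.has(i)) throw new RangeError("Out of memory (simulated)");
    return new ArrayBuffer(10);
  }

  f1("global", 10569);
  for (let i = 0; i < iterations; i++) {
    try {
      f1("global", STEP_BEFORE_ALLOC);
      const buffer = allocate(i);   // a throw here skips the two f1 calls below
      f1("global", STEP_AFTER_ALLOC);
      new DataView(buffer);
      f1("global", STEP_AFTER_VIEW);
    } catch (e) {
      // Record instead of swallowing: this is the instrumentation the fuzz case
      // lacked, and it turns "non-deterministic" into "OOM at iteration N".
      errors.push({ iteration: i, name: e.name, message: e.message });
    }
  }
  f1("global", 20614);
  f1("global", 9736);
  return { checksum: state[0], errors };
}

// Closed form. XOR is associative and commutative, so only the number of times
// each value was applied matters, not the order. A throw at allocate() drops
// STEP_AFTER_ALLOC and STEP_AFTER_VIEW for that iteration, so the result depends
// on the parity of the iteration count and on the parity of the throw count.
function expectedChecksum(oomCount, iterations = 921) {
  let c = XOR_SEED ^ 10569 ^ 20614 ^ 9736;
  if (iterations % 2 === 1) c ^= STEP_BEFORE_ALLOC ^ STEP_AFTER_ALLOC ^ STEP_AFTER_VIEW;
  if (oomCount % 2 === 1) c ^= STEP_AFTER_ALLOC ^ STEP_AFTER_VIEW;
  return c;
}

// Both of the reporter's outputs, reproduced by schedule rather than by chance.
function demo() {
  const clean = runChecksum(new Set());
  const oneOom = runChecksum(new Set([417])); // the failing iteration is arbitrary
  return {
    clean: clean.checksum,                    // 11238157
    oneOom: oneOom.checksum,                  // 11233217
    oneOomErrors: oneOom.errors,              // [{ iteration: 417, name: "RangeError", ... }]
    delta: clean.checksum ^ oneOom.checksum,  // 7372 === 1047 ^ 6363
  };
}
```

Run it with `node` or in the jsc shell and print `demo()`. The practical lesson for triaging fuzzer-found "non-determinism" is the one Alexey applied: an empty `catch` hides resource-exhaustion errors, so either remove the try/catch or log what it caught before concluding the engine itself is unstable.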