[warp] Differential behavior with BigInt RangeError
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox81 | --- | unaffected |
| firefox82 | --- | unaffected |
| firefox83 | + | fixed |
| firefox84 | + | fixed |
People
(Reporter: decoder, Assigned: jandem)
Details
(Keywords: regression, testcase)
Attachments
(2 files)
|
179 bytes,
text/plain
|
Details | |
|
47 bytes,
text/x-phabricator-request
|
pascalc
:
approval-mozilla-beta+
|
Details | Review |
The following testcase produces differential behavior on mozilla-central revision 20201016-c0f6b814ea1d (debug build, run with --fuzzing-safe --ion-offthread-compile=off --baseline-eager):
function main() {
let v13 = Math.sqrt(9007199254740992);
v19 = new Float32Array(1337);
for (let v26 = 0; v26 < 100; v26++)
v27 = v19[v26];
v32 = BigInt(v13);
}
main();
The test should throw as follows:
test.js:6:9 RangeError: 94906265.62425156 can't be converted to BigInt because it isn't an integer
Stack:
main@test.js:6:9
@test.js:8:1
However, if you add --fast-warmup to the options, the error disappears. Found with fuzzilli + my differential testing patches.
Marking s-s until triaged.
|
Reporter | |
Comment 1•4 years ago
|
||
|
|
Reporter | |
Updated•4 years ago
|
|
Assignee | |
Updated•4 years ago
|
|
|
Assignee | |
Comment 2•4 years ago
|
||
Good find. This is a bug with the float32 analysis and OSR. Doubles can be incorrectly converted to float32. I don't think it's security-sensitive, just a loss of precision.
|
|
Assignee | |
Comment 3•4 years ago
|
||
In GuessPhiType we skip the phi operand that has the incoming OSR value, but we
also need to ensure we don't specialize the phi as float32 or we risk loss of
precision.
The float32 optimization is pretty complicated. Hopefully this can be factored out
and simplified the coming months (bug 1655773).
|
|
Assignee | |
Comment 4•4 years ago
|
||
|
|
Assignee | |
Updated•4 years ago
|
|
|
Assignee | |
Comment 5•4 years ago
|
||
Comment on attachment 9182309 [details]
Bug 1671812 - Don't specialize OSR phis as float32. r?iain!
Beta/Release Uplift Approval Request
- User impact if declined: Correctness issues.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): It disables an optimization (float32 specialization) in a certain case.
- String changes made/needed: None
|
|
Assignee | |
Comment 6•4 years ago
|
||
[Tracking Requested - why for this release]:
|
||
Updated•4 years ago
|
|
||
Comment 7•4 years ago
|
||
| bugherder | ||
|
|
||
Comment 8•4 years ago
|
||
Comment on attachment 9182309 [details]
Bug 1671812 - Don't specialize OSR phis as float32. r?iain!
Approved for 83 beta 3.
|
||
Comment 9•4 years ago
|
||
| bugherder uplift | ||
|
||
Updated•4 years ago
|
Description
•