Differential testing: miscomputation related to ion-pruning
Categories
(Core :: JavaScript Engine: JIT, defect, P3)
Tracking
()
People
(Reporter: lukas.bernhard, Unassigned)
References
(Blocks 1 open bug)
Details
Steps to reproduce:
During differential fuzzing, I encountered a miscomputation. The attached sample computes different values, depending on whether ion-pruning is enabled or not. Reproduces on git commit: 1f263e9a1f56106f18002bcd9715709007fa7f36
Bisecting the issue identifies commit 1d63d38bc5fffd6267f011a91b28beefff87c890 related to bug 1760605.
sample.js:
function main() {
  let v32;
  for (let v13 = 0; v13 != 100; v13++) { }
  for (let v19 = 1; v19 < 256; v19++) {
    try {
      v32 = [0,0];
      Reflect.apply(RegExp.apply, Symbol.match, v32); // throws
      nonexistant; // never reached: the line above throws
    }
    catch(v35) {}
    for (let i = 0; i < 6; i++) {
      RegExp(..."number", 0);
    }
  }
  print(v32[0]); // undefined with ion, 0 without ion. also 0 in v8
}
main();
obj-x86_64-pc-linux-gnu/dist/bin/js --fast-warmup --no-threads --cpu-count=1 --ion-offthread-compile=off --fuzzing-safe --differential-testing --ion-pruning=on sample.js
prints undefined
obj-x86_64-pc-linux-gnu/dist/bin/js --fast-warmup --no-threads --cpu-count=1 --ion-offthread-compile=off --fuzzing-safe --differential-testing --ion-pruning=off sample.js
prints 0
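A small differential harness, added here and not part of the report, that automates the two command lines above: it runs the shell on the same sample with --ion-pruning=on and with --ion-pruning=off and reports any difference in stdout. The shell path and flag list are copied from the report; the `runner` parameter is an assumption of this harness so the comparison can be exercised without a built shell.

```python
"""Differential check for the ion-pruning miscomputation: same sample,
same shell, only --ion-pruning toggled, stdout compared line by line."""
import subprocess
import sys
from dataclasses import dataclass

JS_SHELL = "obj-x86_64-pc-linux-gnu/dist/bin/js"  # path from the report
# Flags from the report, minus the --ion-pruning switch that is toggled below.
BASE_FLAGS = ["--fast-warmup", "--no-threads", "--cpu-count=1",
              "--ion-offthread-compile=off", "--fuzzing-safe",
              "--differential-testing"]


def pruning_flags(enabled):
    """Full flag list for one run; `enabled` selects --ion-pruning=on/off."""
    return BASE_FLAGS + ["--ion-pruning=" + ("on" if enabled else "off")]


def run_js(sample, enabled, shell=JS_SHELL, timeout=30):
    """Run `sample` in the shell and return its stdout (stderr is ignored)."""
    proc = subprocess.run([shell, *pruning_flags(enabled), sample],
                          capture_output=True, text=True, timeout=timeout)
    return proc.stdout


@dataclass
class Verdict:
    mismatch: bool
    with_pruning: str
    without_pruning: str


def normalize(out):
    """Lines without trailing whitespace; blank lines dropped."""
    return [ln.rstrip() for ln in out.splitlines() if ln.strip()]


def differential(sample, runner=run_js):
    """Run both configurations via runner(sample, enabled) and compare."""
    on = runner(sample, True)
    off = runner(sample, False)
    return Verdict(normalize(on) != normalize(off), on, off)


if __name__ == "__main__":
    v = differential(sys.argv[1] if len(sys.argv) > 1 else "sample.js")
    print("MISMATCH" if v.mismatch else "ok")
    print("ion-pruning=on :", v.with_pruning.strip())
    print("ion-pruning=off:", v.without_pruning.strip())
    sys.exit(1 if v.mismatch else 0)
```

On the build named in the report the sample above yields a mismatch ("undefined" vs "0"); once the fix from bug 1761947 is applied both runs should print 0 and the script exits 0.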
Comment 1•3 years ago
Hey Iain, any idea why this could be going on?
Comment 2 (Reporter)•3 years ago
I think the issue is that Reflect.apply throws and in the bailout path an RNewArrayObject creates an initialized array. However, the elements are never set. Later, when printing, the unset elements are read as undefined. Unfortunately I have no idea how this is supposed to work.
Comment 3•3 years ago
This is another manifestation of bug 1761947. It is fixed by the same patch.