Closed Bug 1789821 Opened 2 years ago Closed 2 years ago

Differential testing: miscomputation related to Int32MinMaxArrayResult

Categories

(Core :: JavaScript Engine: JIT, defect)

Tracking

RESOLVED FIXED
106 Branch
Tracking Status
firefox106 --- fixed

People

(Reporter: lukas.bernhard, Assigned: iain)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

Steps to reproduce:

During differential fuzzing, I encountered a miscomputation. The attached sample prints different values, depending on whether ion is enabled or not. Reproduces on git commit: 3cddbdca80c74630150f163613cff97073c319c4
Bisecting the issue identifies commit f35651000c8393185c4f6e7bbf6a7a0fba866e7b related to bug 1674143.

I think the issue is as follows:
The Math.max call is translated to a maxarray MIR instruction. This instruction is DCE'd, because the result is unused. When calling func with an object as argument there should be a bailout, however because maxarray has been eliminated this remains undetected. Still, the internal state of the engine seems to remain consistent.

sample.js:

function main() {
    function func(v29) {
        Math.max(...[v29]);   // result unused, so the MMinMaxArray MIR node is eliminated by DCE
    }

    for (let i = 0; i < 100; i++) {
        func(100);            // warm up with an int32 argument so Ion compiles func
    }

    const v2 = {};
    v2.valueOf = () => {print("valueOf called"); undefined;};  // observable side effect
    func(v2);                 // should bail out and call valueOf; with Ion it does not
}
main();
obj-x86_64-pc-linux-gnu/dist/bin/js --no-ion --no-threads --cpu-count=1 --ion-offthread-compile=off --fuzzing-safe --differential-testing sample.js

prints "valueOf called"

obj-x86_64-pc-linux-gnu/dist/bin/js --fast-warmup --no-threads --cpu-count=1 --ion-offthread-compile=off --fuzzing-safe --differential-testing --inlining-entry-threshold=512 sample.js

prints nothing
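The analysis above turned into an asserting check (added here; not the reporter's sample and not SpiderMonkey code): the spread Math.max/Math.min call must invoke valueOf on an object element exactly once whether or not its result is used, and the counts from a JIT-on and a JIT-off run must agree. The tracing object and the warm-up count are constructed for this check; covering Math.min alongside Math.max assumes both go through the same MMinMaxArray node.

```javascript
// Returns how many times valueOf was observed for one variant of the
// reporter's pattern: op(...[v]) with the result either discarded or used.
function observedValueOfCalls(op, useResult, warmup = 100) {
  let calls = 0;
  // Constructed tracer: like the bug's sample it returns undefined, so the
  // numeric result is NaN and only the side effect is of interest.
  const tracer = { valueOf() { calls += 1; return undefined; } };

  let sink = 0; // keeps the "used" variant's result observable
  function func(v) {
    const r = op(...[v]);
    if (useResult) sink += Number.isNaN(r) ? 1 : 0;
  }

  // Warm up with a plain int32 so a JIT would compile func before the
  // object argument arrives, the same shape as the reporter's sample.
  for (let i = 0; i < warmup; i++) func(100);
  func(tracer);
  return calls;
}

// Every variant must report exactly one valueOf call; a JIT that DCEs the
// min/max node shows 0 for the "unused" entries while the interpreter shows 1.
function checkMinMaxArraySideEffects() {
  const results = {};
  for (const [name, op] of [["max", Math.max], ["min", Math.min]]) {
    results[`${name}-unused`] = observedValueOfCalls(op, false);
    results[`${name}-used`] = observedValueOfCalls(op, true);
  }
  return results;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(checkMinMaxArraySideEffects());
}
```

Run it once with the JIT enabled and once with it disabled and compare the two objects; any entry that differs is the miscomputation this bug describes.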

Component: Untriaged → JavaScript Engine: JIT
Product: Firefox → Core

Nice catch. Your analysis is correct: DCE is not valid for MMinMaxArray.

Assignee: nobody → iireland
Status: NEW → ASSIGNED
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 106 Branch
