Bug 242977

Summary: Differential Testing: Different output during v.test(...) with custom valueOf func
Product: WebKit Reporter: Wonyoung Jung <wonyoung.jung>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, d_degazio, ews-feeder, ews-watchlist, keith_miller, mark.lam, msaboff, ntim, saam, tzagallo, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Local Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
testcase for reproduce
none
Patch
none
Patch d_degazio: commit-queue-

Wonyoung Jung
Reported 2022-07-20 19:21:31 PDT
Created attachment 461069 [details] testcase for reproduce Attached testcase prints different result depending on whether JIT is enabled/disabled. I'm not sure this case is a bug. Can you please check it out? - Tested version: WebKit-7614.1.16.11.3 - Steps to reproduce: - with JIT: `jsc --validateOptions=true --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --validateBCE=true test.js` - without JIT: `jsc --validateOptions=true --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --validateBCE=true --useJIT=false --useBaselineJIT=false ~/test.js` - Actual results: - with JIT: - v8 increased, but not 10000 (in many cases v8 < 1000) - without JIT: - v8 increased, prints 10000
Attachments
testcase for reproduce (298 bytes, text/javascript)
2022-07-20 19:21 PDT, Wonyoung Jung 		no flags
Details
Patch (2.86 KB, patch)
2022-08-24 16:48 PDT, David Degazio 		no flags
DetailsFormatted DiffDiff
Patch (2.94 KB, patch)
2022-08-24 17:13 PDT, David Degazio 		d_degazio: commit-queue-
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2022-07-20 19:21:42 PDT
<rdar://problem/97354388>
David Degazio
Comment 2 2022-08-24 16:48:01 PDT
Created attachment 461847 [details] Patch
Saam Barati
Comment 3 2022-08-24 16:52:27 PDT
Comment on attachment 461847 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=461847&action=review > Source/JavaScriptCore/runtime/RegExpObjectInlines.h:107 > + unsigned lastIndex = getRegExpObjectLastIndexAsUnsigned(globalObject, this, input); We need to check the exception here like before
Yusuke Suzuki
Comment 4 2022-08-24 17:12:20 PDT
Comment on attachment 461847 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=461847&action=review > Source/JavaScriptCore/runtime/RegExpObjectInlines.h:113 > RETURN_IF_EXCEPTION(scope, { }); Need to move this exception check.
David Degazio
Comment 5 2022-08-24 17:13:53 PDT
Created attachment 461849 [details] Patch
Mark Lam
Comment 6 2022-08-24 17:15:54 PDT
This is not a security bug. Also, David, please submit your patch via a PR on GitHub.
David Degazio
Comment 7 2022-08-24 17:29:12 PDT
Pull request: https://github.com/WebKit/WebKit/pull/3639
EWS
Comment 8 2022-08-25 00:27:13 PDT
Committed 253766@main (6427225efff7): <https://commits.webkit.org/253766@main> Reviewed commits have been landed. Closing PR #3639 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.