Bug 242977

Summary: Differential Testing: Different output during v.test(...) with custom valueOf func
Product: WebKit
Reporter: Wonyoung Jung <wonyoung.jung>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: bfulgham, d_degazio, ews-feeder, ews-watchlist, keith_miller, mark.lam, msaboff, ntim, saam, tzagallo, webkit-bug-importer, ysuzuki
Priority: P2
Keywords: InRadar
Version: WebKit Local Build
Hardware: Unspecified
OS: Unspecified
Attachments (description, flags):
  - testcase for reproduce (flags: none)
  - Patch (flags: none)
  - Patch (flags: d_degazio: commit-queue-)

Description Wonyoung Jung 2022-07-20 19:21:31 PDT
Created attachment 461069 [details]
testcase for reproduce

The attached testcase prints a different result depending on whether the JIT is enabled or disabled.
I'm not sure whether this case is a bug. Can you please check it out?

- Tested version: WebKit-7614.1.16.11.3
- Steps to reproduce:
  - with JIT: `jsc --validateOptions=true --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --validateBCE=true test.js`
  - without JIT: `jsc --validateOptions=true --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --validateBCE=true --useJIT=false --useBaselineJIT=false ~/test.js`
- Actual results:
  - with JIT: 
    - v8 increased, but not 10000 (in many cases v8 < 1000)
  - without JIT: 
    - v8 increased, prints 10000
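The attached testcase is not reproduced on this page, so the following is an added example, not the reporter's file and not WebKit code, that reconstructs the class of check the summary and the actual-results lines describe: `lastIndex` is replaced by an object whose `valueOf` counts coercions, and `RegExp.prototype.test` is called in a loop long enough to cross the JIT thresholds passed on the command lines above. Per RegExpBuiltinExec, `ToLength(Get(R, "lastIndex"))` runs on every call even for a non-global, non-sticky RegExp, so a conforming engine reports exactly one coercion per call in every tier. A second check, anticipating the exception-check point raised later in the review, confirms that a `valueOf` that throws surfaces as an exception from `test` instead of being swallowed. The function names (`countLastIndexCoercions`, `lastIndexThrowPropagates`, `sweepTiers`, `report`), the regex, the inputs and the iteration counts are assumptions of this example; the output is meant to be diffed between a `--useJIT=false` run and a JIT run of `jsc`, and also runs under `node`.

```javascript
// Added example, not the attached testcase or WebKit code. Function names,
// regex, inputs and iteration counts are assumptions constructed here.

// Call re.test(input) `iterations` times with lastIndex set to an object whose
// valueOf counts coercions. RegExpBuiltinExec performs
// ToLength(Get(R, "lastIndex")) on every call, even for a non-global,
// non-sticky RegExp (the value is then ignored for matching), so a conforming
// engine returns calls === iterations in every JIT tier.
function countLastIndexCoercions(iterations) {
  const re = /a/;                 // non-global: lastIndex is read, never written back
  let calls = 0;
  re.lastIndex = { valueOf() { calls += 1; return 0; } };
  const input = "xxa";            // constructed input that always matches
  let matched = 0;
  for (let i = 0; i < iterations; i++) {
    if (re.test(input)) matched += 1;
  }
  return { calls, matched };
}

// A valueOf that throws must propagate out of test(): this is the observable
// consequence of the exception check the reviewers asked for. Returns true if
// the RangeError reached the caller, false if the engine swallowed it.
function lastIndexThrowPropagates() {
  const re = /a/;
  re.lastIndex = { valueOf() { throw new RangeError("lastIndex valueOf"); } };
  try {
    re.test("a");
    return false;
  } catch (e) {
    return e instanceof RangeError;
  }
}

// Sweep iteration counts that straddle the thresholds given on the jsc
// command line (10 / 100 / 1000) plus the reporter's 10000, so a divergence
// can be attributed to the tier that kicks in around that count.
function sweepTiers(counts = [10, 100, 1000, 10000]) {
  return counts.map((n) => {
    const r = countLastIndexCoercions(n);
    return {
      iterations: n,
      valueOfCalls: r.calls,
      matched: r.matched,
      ok: r.calls === n && r.matched === n,
    };
  });
}

// One line per count, plus the exception check; diff this output between a
// --useJIT=false run and a JIT run.
function report() {
  const lines = sweepTiers().map((r) =>
    `iterations=${r.iterations} valueOf=${r.valueOfCalls} matched=${r.matched} ${r.ok ? "OK" : "DIVERGED"}`);
  lines.push(lastIndexThrowPropagates()
    ? "throwing valueOf propagated: OK"
    : "throwing valueOf swallowed: DIVERGED");
  return lines.join("\n");
}

// jsc's shell exposes print(); node exposes console.log.
const out = typeof print === "function" ? print : console.log;
out(report());
```

Run the same file once with `--useJIT=false --useBaselineJIT=false` and once with the threshold flags from the reproduction steps, then diff the two outputs: any line reading DIVERGED, or a `valueOf=` count below `iterations=`, is the tier-dependent behaviour the report describes.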
Comment 1 Radar WebKit Bug Importer 2022-07-20 19:21:42 PDT
<rdar://problem/97354388>
Comment 2 David Degazio 2022-08-24 16:48:01 PDT
Created attachment 461847 [details]
Patch
Comment 3 Saam Barati 2022-08-24 16:52:27 PDT
Comment on attachment 461847 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=461847&action=review

> Source/JavaScriptCore/runtime/RegExpObjectInlines.h:107
> +    unsigned lastIndex = getRegExpObjectLastIndexAsUnsigned(globalObject, this, input);

We need to check the exception here like before
Comment 4 Yusuke Suzuki 2022-08-24 17:12:20 PDT
Comment on attachment 461847 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=461847&action=review

> Source/JavaScriptCore/runtime/RegExpObjectInlines.h:113
>      RETURN_IF_EXCEPTION(scope, { });

Need to move this exception check.
Comment 5 David Degazio 2022-08-24 17:13:53 PDT
Created attachment 461849 [details]
Patch
Comment 6 Mark Lam 2022-08-24 17:15:54 PDT
This is not a security bug.  Also, David, please submit your patch via a PR on GitHub.
Comment 7 David Degazio 2022-08-24 17:29:12 PDT
Pull request: https://github.com/WebKit/WebKit/pull/3639
Comment 8 EWS 2022-08-25 00:27:13 PDT
Committed 253766@main (6427225efff7): <https://commits.webkit.org/253766@main>

Reviewed commits have been landed. Closing PR #3639 and removing active labels.