WebKit Bugzilla
RESOLVED FIXED
242977
Differential Testing: Different output during v.test(...) with custom valueOf func
https://bugs.webkit.org/show_bug.cgi?id=242977
Wonyoung Jung
Reported 2022-07-20 19:21:31 PDT

Created attachment 461069: testcase for reproduce

Attached testcase prints different result depending on whether JIT is enabled/disabled. I'm not sure this case is a bug. Can you please check it out?

- Tested version: WebKit-7614.1.16.11.3
- Steps to reproduce:
  - with JIT: `jsc --validateOptions=true --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --validateBCE=true test.js`
  - without JIT: `jsc --validateOptions=true --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --validateBCE=true --useJIT=false --useBaselineJIT=false ~/test.js`
- Actual results:
  - with JIT: v8 increased, but not 10000 (in many cases v8 < 1000)
  - without JIT: v8 increased, prints 10000
Attachments
- testcase for reproduce (298 bytes, text/javascript), 2022-07-20 19:21 PDT, Wonyoung Jung, no flags
- Patch (2.86 KB, patch), 2022-08-24 16:48 PDT, David Degazio, no flags
- Patch (2.94 KB, patch), 2022-08-24 17:13 PDT, David Degazio, d_degazio: commit-queue-
Radar WebKit Bug Importer
Comment 1
2022-07-20 19:21:42 PDT
<rdar://problem/97354388>
David Degazio
Comment 2
2022-08-24 16:48:01 PDT
Created attachment 461847: Patch
Saam Barati
Comment 3
2022-08-24 16:52:27 PDT
Comment on attachment 461847: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=461847&action=review
> Source/JavaScriptCore/runtime/RegExpObjectInlines.h:107 > + unsigned lastIndex = getRegExpObjectLastIndexAsUnsigned(globalObject, this, input);
We need to check the exception here like before
Yusuke Suzuki
Comment 4
2022-08-24 17:12:20 PDT
Comment on attachment 461847: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=461847&action=review
> Source/JavaScriptCore/runtime/RegExpObjectInlines.h:113 > RETURN_IF_EXCEPTION(scope, { });
Need to move this exception check.
David Degazio
Comment 5
2022-08-24 17:13:53 PDT
Created attachment 461849: Patch
Mark Lam
Comment 6
2022-08-24 17:15:54 PDT
This is not a security bug. Also, David, please submit your patch via a PR on GitHub.
David Degazio
Comment 7
2022-08-24 17:29:12 PDT
Pull request: https://github.com/WebKit/WebKit/pull/3639
EWS
Comment 8
2022-08-25 00:27:13 PDT
Committed 253766@main (6427225efff7): <https://commits.webkit.org/253766@main>

Reviewed commits have been landed. Closing PR #3639 and removing active labels.
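
The invariant behind the report, as an added example (constructed here; it is not the attached testcase and not WebKit code): ECMAScript's RegExpBuiltinExec coerces `lastIndex` with ToLength once per `test()` call, so a counter bumped in a custom `valueOf` must equal the number of calls in every execution tier. It assumes the custom `valueOf` sits on the object stored in `lastIndex`, as the `getRegExpObjectLastIndexAsUnsigned` line quoted in Comment 3 suggests; the function names are hypothetical.

```javascript
// Added example (constructed): self-check for observable lastIndex coercion.
// Assumption: the side effect under test is a counter incremented inside a
// custom valueOf on the object stored in RegExp lastIndex.

// Call re.test() `iterations` times in a hot loop and count valueOf calls.
function countLastIndexCoercions(flags, iterations) {
  const re = new RegExp("a", flags);
  let calls = 0;
  const index = { valueOf() { calls++; return 0; } };
  let matches = 0;
  for (let i = 0; i < iterations; i++) {
    // Global and sticky regexps overwrite lastIndex after each exec, so the
    // coercible object is re-installed before every call. Assigning to
    // lastIndex stores the object as-is; it does not trigger valueOf.
    re.lastIndex = index;
    if (re.test("aaa")) matches++;
  }
  return { calls, matches };
}

// Reference model: one ToLength(lastIndex) per test() call for every flag
// combination, and a match at index 0 each time, so both counts must equal
// `iterations` no matter which tier ends up running the loop.
function checkEngine(iterations) {
  const failures = [];
  for (const flags of ["", "g", "y", "gy", "u", "gu"]) {
    const { calls, matches } = countLastIndexCoercions(flags, iterations);
    if (calls !== iterations || matches !== iterations) {
      failures.push({ flags, calls, matches, expected: iterations });
    }
  }
  return failures;
}

const report = checkEngine(10000);
const log = typeof console !== "undefined" ? console.log : print;
log(report.length === 0
  ? "OK: valueOf ran once per test() call for all flag sets"
  : "MISMATCH: " + JSON.stringify(report));
```

Running the same file under `jsc` with and without the `--useJIT=false --useBaselineJIT=false` options from the report should print the same line.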