Bug 242977 - Differential Testing: Different output during v.test(...) with custom valueOf func
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Local Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
Keywords: InRadar
Reported: 2022-07-20 19:21 PDT by Wonyoung Jung
Modified: 2022-09-18 20:24 PDT
CC: 12 users

Attachments
- testcase for reproduce (298 bytes, text/javascript), 2022-07-20 19:21 PDT, Wonyoung Jung
- Patch (2.86 KB, patch), 2022-08-24 16:48 PDT, David Degazio
- Patch (2.94 KB, patch), 2022-08-24 17:13 PDT, David Degazio, flags: d_degazio: commit-queue-

Description Wonyoung Jung 2022-07-20 19:21:31 PDT
Created attachment 461069: testcase for reproduce

The attached testcase prints a different result depending on whether the JIT is enabled or disabled.
I'm not sure whether this case is a bug. Can you please check it out?

- Tested version: WebKit-7614.1.16.11.3
- Steps to reproduce:
  - with JIT: `jsc --validateOptions=true --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --validateBCE=true test.js`
  - without JIT: `jsc --validateOptions=true --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --validateBCE=true --useJIT=false --useBaselineJIT=false ~/test.js`

- Actual results:
  - with JIT: v8 is increased, but not to 10000 (in many cases v8 < 1000)
  - without JIT: v8 is increased, prints 10000
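The attached testcase is not reproduced on this page. What follows is an added example, not the reporter's file and not WebKit code, showing the two ingredients a differential test of this shape relies on: a global RegExp's test() reads lastIndex through ToLength, so a custom valueOf runs inside the builtin and both its call count and the lastIndex the builtin writes back are observable from script; and a harness that runs the same scenario many times (so a tiered engine will JIT it) and reports the first iteration whose observable result differs from the first run. The regex, the input string, the values valueOf returns and the differential() helper are all assumptions made for illustration.

```javascript
// Added example, not the attached testcase and not WebKit code.
// The scenario, its inputs and the differential() helper are assumptions for illustration.

// One run of the scenario under test. Everything an engine could get wrong
// (how often valueOf runs, what lastIndex ends up as, the boolean result)
// is collected into a plain object so independent runs can be compared.
function runScenario() {
  const re = /ab/g;              // global: test() honours and updates lastIndex
  const input = "xxabxxab";      // constructed input; "ab" occurs at indices 2 and 6
  let calls = 0;
  const seen = [];

  // ToLength(Get(re, "lastIndex")) invokes valueOf from inside RegExp.prototype.test.
  re.lastIndex = { valueOf() { calls++; return 3; } };
  seen.push(re.test(input));     // search starts at 3, so it matches at 6
  seen.push(re.lastIndex);       // builtin wrote back the end index: 8

  // A lastIndex beyond the string length makes the match fail and resets lastIndex to 0.
  re.lastIndex = { valueOf() { calls++; return 100; } };
  seen.push(re.test(input));     // false
  seen.push(re.lastIndex);       // 0

  return { calls, seen };
}

// Differential harness: iteration 0 is the reference (in a tiered engine it
// normally runs in the interpreter); later iterations get hotter and may be
// compiled. Returns the index of the first iteration whose observable result
// differs from the reference, or -1 if every iteration agrees.
function differential(scenario, iterations) {
  const reference = JSON.stringify(scenario());
  for (let i = 1; i < iterations; i++) {
    const current = JSON.stringify(scenario());
    if (current !== reference) {
      return { firstDivergence: i, reference, current };
    }
  }
  return { firstDivergence: -1, reference, current: reference };
}

// Stand-alone run. With jsc, pair this with the JIT threshold flags from the
// report and compare the output against a --useJIT=false run of the same file.
const report = differential(runScenario, 2000);
console.log(report.firstDivergence === -1
  ? `no divergence over 2000 iterations: ${report.reference}`
  : `first divergence at iteration ${report.firstDivergence}: ${report.reference} vs ${report.current}`);
```

The harness compares a serialized snapshot rather than a single counter so that a tier that skips the valueOf call, or writes a stale value back into lastIndex, shows up even when the boolean result of test() is unchanged. Running the same file once with JIT enabled and once with it disabled, as the report does, turns the in-process check into a cross-tier one.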
Comment 1 Radar WebKit Bug Importer 2022-07-20 19:21:42 PDT
<rdar://problem/97354388>
Comment 2 David Degazio 2022-08-24 16:48:01 PDT
Created attachment 461847: Patch
Comment 3 Saam Barati 2022-08-24 16:52:27 PDT
Comment on attachment 461847 (Patch)

View in context: https://bugs.webkit.org/attachment.cgi?id=461847&action=review

> Source/JavaScriptCore/runtime/RegExpObjectInlines.h:107
> +    unsigned lastIndex = getRegExpObjectLastIndexAsUnsigned(globalObject, this, input);

We need to check the exception here like before
Comment 4 Yusuke Suzuki 2022-08-24 17:12:20 PDT
Comment on attachment 461847 (Patch)

View in context: https://bugs.webkit.org/attachment.cgi?id=461847&action=review

> Source/JavaScriptCore/runtime/RegExpObjectInlines.h:113
>      RETURN_IF_EXCEPTION(scope, { });

Need to move this exception check.
Comment 5 David Degazio 2022-08-24 17:13:53 PDT
Created attachment 461849: Patch
Comment 6 Mark Lam 2022-08-24 17:15:54 PDT
This is not a security bug.  Also, David, please submit your patch via a PR on GitHub.
Comment 7 David Degazio 2022-08-24 17:29:12 PDT
Pull request: https://github.com/WebKit/WebKit/pull/3639
Comment 8 EWS 2022-08-25 00:27:13 PDT
Committed 253766@main (6427225efff7): <https://commits.webkit.org/253766@main>

Reviewed commits have been landed. Closing PR #3639 and removing active labels.