
incorrect optimization bug

Open zhunki opened this issue 3 years ago • 3 comments

The following PoC causes inconsistent output.

function v0(v1, v2) {
    const v4 = v1["o"]();
    return v4;
}
function v5() {
    const v9 = arguments[-1];
    return v9;
}
const v10 = { "o": v5 };
const v11 = {  };
c0 = v0(v10, v11);
print(Object.is(c0, undefined)); // true
for (i = 0; i < 10000; i++) {
    v0(v10, v11);
}
c1 = v0(v10, v11);
print(Object.is(c1, undefined)); // false

zhunki, Dec 30 '21 09:12

This is a regression in master - correct behaviour occurs in 1.11.

It's a little obscure - some fiddling finds that it only repros with the arguments object and a negative index - not a common combination.

rhuanjl, Jan 22 '22 13:01

Here's a slightly simplified repro:

function func1() {
    return obj["o"]();
}

function func2() {
    return arguments[-1];
}

const obj = { "o" : func2 };

let cor = 0, fail = 0;
for (let i = 0; i < 500; i++) {
    if (func1() == undefined)
        ++cor;
    else
        ++fail;
}

print("fail count = " + fail); // should be 0 - but is not

As for where this goes wrong, I haven't tracked it fully, but a start is: EDIT: this was wrong, see the PR with the fix for the true explanation

  1. fulljit attempts to inline func2 into func1
  2. StackArgs optimisation attempts to convert the return arguments[-1] into a direct stack read BUT detects the negative index; this triggers a re-jit
  3. The re-jitted code returns an object rather than undefined - not yet worked out why; will see if I can do a git bisect to track the source of this later

rhuanjl, Jan 22 '22 16:01
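As an added example (not code from the issue or from ChakraCore, and written for a generic engine such as Node rather than ch), the snippet below generalises the cold-vs-warm comparison the repros above use into a small differential harness that tries several non-canonical keys (negative, fractional, out-of-range, string) on an `arguments` read, and then shows why a stack-slot shortcut is only valid for canonical array indices: `arguments[-1]` is an ordinary property lookup with key `"-1"`, so it sees inherited properties. Function names (`argsAt`, `checkConsistency`, `runEdgeCases`, `protoChainDemo`) and the sample arguments are assumptions of this example.

```javascript
// Added example: differential check of a function's result before and after
// warm-up, in the style of the issue's repro. On a correct engine the cold
// (interpreted) and hot (JIT-compiled) results must agree for every key.

// Reads arguments[key] across a call boundary so an inliner has a callee to inline.
function argsAt(key) {
  function inner() {
    return arguments[key];
  }
  return inner("a", "b", "c"); // constructed sample arguments
}

// Calls fn once cold, warms it for `iterations` calls, calls it again, and
// reports whether the two observed results are identical.
function checkConsistency(fn, iterations) {
  const cold = fn();
  for (let i = 0; i < iterations; i++) {
    fn();
  }
  const hot = fn();
  return { cold, hot, consistent: Object.is(cold, hot) };
}

// Keys that are not canonical array indices ("-1", "1.5", "length") plus a few
// that are; a stack-read optimisation may only apply to the canonical ones.
const EDGE_KEYS = [-1, 0, 2, 3, 1.5, "1", "length"];

function runEdgeCases(iterations = 10000) {
  const results = EDGE_KEYS.map((key) => {
    const r = checkConsistency(() => argsAt(key), iterations);
    return { key, cold: r.cold, hot: r.hot, consistent: r.consistent };
  });
  return { results, allConsistent: results.every((r) => r.consistent) };
}

// arguments[-1] goes through the normal property lookup, so an inherited "-1"
// property is visible; a direct stack read would never see it.
function lookupMinusOne() {
  return arguments[-1];
}

function protoChainDemo() {
  const before = lookupMinusOne(1, 2, 3); // undefined
  Object.defineProperty(Object.prototype, "-1", {
    value: "inherited",
    configurable: true,
  });
  let during;
  try {
    during = lookupMinusOne(1, 2, 3); // "inherited"
  } finally {
    delete Object.prototype["-1"]; // always restore the global prototype
  }
  const after = lookupMinusOne(1, 2, 3); // undefined
  return { before, during, after };
}

const summary = runEdgeCases();
console.log("all keys consistent across warm-up:", summary.allConsistent);
for (const r of summary.results) {
  console.log(`  key ${String(r.key)}: cold=${String(r.cold)} hot=${String(r.hot)}`);
}
console.log("prototype-chain lookup:", protoChainDemo());
```

On an engine with the bug described in this issue, the `-1` row of the edge-case table would be the one whose `hot` value differs from `cold`; the prototype-chain demo is the semantic reason such a key must be excluded from any direct stack read.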

Bisecting done, bug was introduced by this commit, I will try and look for a fix later - out of time for this weekend though: https://github.com/chakra-core/ChakraCore/commit/c50a9929ec92d64f0613969cf6bb8392e877548c

rhuanjl, Jan 22 '22 23:01