Javascript Engine/JIT execution problem

Not reproducible Issue #7766782

Details

Author
Sebastian M.
Created
Jun 2, 2016
Privacy
This issue is public.
Found in
  • Internet Explorer
Reports
Reported by 2 people


Steps to reproduce

Note that the repro steps below are all about IE11, but the customer (mark@iodigital) says that it repros on Edge.

  • Open the attached HTML file in IE11 on Windows 10 (earlier versions not tested, Edge does not fail for the attached test-case).
  • Open the developer tools (F12) and reload the page.
  • Notice that the output shows that, after a little warmup (JIT compiler?), the JavaScript execution goes nuts and code is not executed deterministically anymore (maybe a sign of uninitialized memory?).

Consider this code:

// Stand-in for the real call in the stripped-down test case: it always returns false.
function someMethodCallThatReturnsFalse() {
  return false;
}

var value = someMethodCallThatReturnsFalse();
if (value){
  // value is false, so none of the nested branches below is reachable
  if (value){
    // we should never get here
    if (value){
      // we should never get here
    } else {
      // and never ever ever here
    }
  } else {
    if (value){
      // we cannot ever ever ever get here
    } else {
      // we cannot ever ever ever ever get here
    }
  }
}

If the above code is called in a specific constellation and with the developer tools open (or previously having been open in the same tab), all of the above impossible branches are in fact taken in a random fashion after a couple of executions.

The attached test case shows that the constellation in which these signs of memory corruption occur is very rare, and changing only some tiny bits in the code will no longer trigger the bug. The code is a heavily stripped-down version of real-world code that exhibits the same problem. More interestingly, in the real-world code the problem also appears without the developer tools open, and it happens with other changes, too. What seems to be crucial is the usage of Object.hasOwnProperty, the usage of eval and the usage of iframes. Only in this combination can the observed problems be reproduced easily.

It’s clear to me that a workaround for this specific test case would be to make almost any change in the code to make it disappear; however, in the real-world code there is no way we can make the problem go away without changing the whole application. The fact that it looks to me like uninitialized memory is involved in this problem tells me that further problems could arise that cannot be controlled from within the JavaScript code/application.
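The report describes a detection pattern rather than giving a harness: run the branch structure enough times for the engine to tier it up, then count how often an impossible branch is taken. The block below is an added example of such a self-checking harness; it is not the attached test case from the report and it does not reproduce the bug on a correct engine. The stand-in `someMethodCallThatReturnsFalse(obj, key)`, the branch labels, the constructed input objects and the iteration count are all assumptions made here. It keeps two of the three ingredients the reporter names (`Object.prototype.hasOwnProperty` and `eval`); the iframe part cannot be exercised outside a browser and is left out.

```javascript
'use strict';

// Constructed stand-in for the report's someMethodCallThatReturnsFalse():
// it goes through hasOwnProperty and a direct eval, like the stripped-down
// test case, but the result is always false because every own property used
// here has a defined value.
function someMethodCallThatReturnsFalse(obj, key) {
  if (!Object.prototype.hasOwnProperty.call(obj, key)) return false;
  // key is always one of a fixed identifier list, so this string is safe to eval
  return eval('typeof obj.' + key) === 'undefined';
}

// Mirrors the nested ifs from the report. With value === false the only
// reachable result is 'none'; 'A'..'D' label the four impossible branches.
function classify(value) {
  if (value) {
    if (value) {
      if (value) return 'A';   // impossible: false taken as true three times
      return 'B';              // impossible: true, true, then false
    }
    if (value) return 'C';     // impossible: true, false, then true
    return 'D';                // impossible: true, then false twice
  }
  return 'none';
}

// Warm-up plus check in one loop: the first iterations let the JIT compile
// classify(), the later ones would expose a miscompilation as non-'none' hits.
function runHarness(iterations) {
  const counts = { none: 0, A: 0, B: 0, C: 0, D: 0 };
  const keys = ['alpha', 'beta', 'gamma', 'delta'];
  for (let i = 0; i < iterations; i++) {
    // constructed inputs: alternate object shapes so the call site sees
    // polymorphic receivers, which is where type-speculating JITs tend to fail
    const obj = (i % 2 === 0) ? { alpha: i, beta: 'x' } : { gamma: i * 2 };
    const key = keys[i % keys.length];
    const value = someMethodCallThatReturnsFalse(obj, key);
    counts[classify(value)]++;
  }
  return counts;
}

// Total number of impossible-branch executions; must be 0 on a correct engine.
function impossibleHits(counts) {
  return counts.A + counts.B + counts.C + counts.D;
}

const result = runHarness(100000);
if (impossibleHits(result) !== 0) {
  console.log('FAIL! impossible branches taken:', result);
} else {
  console.log('OK: all', result.none, 'iterations stayed in the reachable branch');
}
```

Run it in the engine under test (a browser console or Node); a non-zero hit count is the "FAIL!" condition the later comment in this thread refers to. Because the report says tiny code changes make the bug vanish, a harness like this is only useful as a regression check for the exact constellation that failed, not as a general detector.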

Attachments

1 attachment

Comments and activity

  • Microsoft Edge Team

    Changed Assigned To to “Ibrahim O.”

    Changed Assigned To to “Rico M.”

    Changed Assigned To from “Rico M.” to “Ke X.”

    Changed Assigned To from “Ke X.” to “Paul C.”

    Changed Assigned To from “Paul C.” to “Akrosh G.”

    Changed Status to “Won’t fix”

  • Thank you for the feedback. This issue appears to have been fixed in Microsoft Edge. We’re not presently working on feature bugs in Internet Explorer outside of security-related issues. If you have a premier support contract you can visit https://premier.microsoft.com and open a support incident and work with an engineer to address this issue.

    Best Regards,

    The Microsoft Edge Team

  • This is not fixed!
    I have a moderately complex JavaScript routine that draws up some circles in a clock face pattern. Each circle is an SVG and those get a user photo inside, and the user name overlaid in a box.

    It works on EVERY browser except Edge.

    BUT IF I ENABLE developer tools in Edge, it suddenly works.

    It works in IE 9,10,11 so this IS an Edge bug.

    The Edge tools show me these warnings: “The code on this page disabled back and forward caching” and
    “Security of a sand boxed iframe is potentially compromised by allowing script and same origin access”.
    However, I have no iframes on the page…

  • Microsoft Edge Team

    Changed Assigned To to “Ed M.”

    Changed Status from “Won’t fix”

    Changed Steps to Reproduce

    Changed Title from “Javascript Engine/JIT execution problem” to “Javascript Engine/JIT execution problem”

    Changed Assigned To from “Ed M.” to “Louis L.”

    Changed Status to “Confirmed”

    Changed Assigned To from “Louis L.” to “Richard C.”

    Changed Assigned To from “Richard C.” to “Louis L.”

    Changed Status from “Confirmed” to “Not reproducible”

  • Not seeing any “FAIL!” log on Edge 16.16281.
