Closed
Bug 1220275
Opened 9 years ago
Closed 9 years ago
Differential Testing: Different output message involving arrays on ARM-simulator builds
Categories
(Core :: JavaScript Engine: JIT, defect)
RESOLVED
DUPLICATE
of bug 939157
| | Tracking | Status |
|---|---|---|
| firefox45 | --- | affected |
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: regression, testcase)
```
function f(x) {
    for (var i = 0; i < 2; ++i) {
        print(x[0])
    }
}
f([0])
f([4294967297])
```

```
$ ./js-32-dm-armSim-darwin-1fbc958f7557 --fuzzing-safe --no-threads --baseline-eager testcase.js
0
0
4294967297
4294967297

$ ./js-32-dm-armSim-darwin-1fbc958f7557 --fuzzing-safe --no-threads --ion-eager testcase.js
0
0
4294967297
1048576
```

Tested this on m-c rev 1fbc958f7557.

My configure flags are:

```
LD=ld CROSS_COMPILE=1 CC="clang -Qunused-arguments -msse2 -mfpmath=sse -arch i386" RANLIB=ranlib CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments -msse2 -mfpmath=sse" AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 HOST_CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse" sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=i386-apple-darwin9.2.0 --enable-macos-target=10.5 --enable-arm-simulator --enable-simulator=arm --disable-debug --disable-threadsafe --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--disable-debug --enable-more-deterministic --32 --enable-simulator=arm" -r 1fbc958f7557
```

autoBisect shows this is probably related to the following changeset:

```
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/c0ad95a1ec35
user: Sean Stangl
date: Wed Sep 23 15:32:48 2015 -0700
summary: Bug 1207843 - Part 3/3 - Clean up ARM Imm8::EncodeImm(). r=h4writer
```

Sean, is bug 1207843 a likely regressor?

Setting s-s because incorrect results from dealing with arrays seem scary.
Flags: needinfo?(sstangl)
Comment 1•9 years ago
I can't reproduce the failure locally on Linux with the ARM simulator. Which is pretty scary! That patch changed the integer encoding logic. One would expect that if it were wrong, we would be seeing crashes all over the place.
Reporter
Comment 2•9 years ago
We've tested that this is:

- Opt-only, not on debug
- Mac ARM-simulator only (doesn't seem to reproduce on Linux)
- Still reproducible on Mac m-c rev 451a18579143

Mac uses Clang, Linux uses GCC, so Sean suggested compiling with GCC on Mac. I installed GCC 5.2.0 via Homebrew, but then compiling the js shell with GCC on a Mac fails with ICU, then when I compiled with "--without-intl-api", it failed too.
Comment 3•9 years ago
This is a duplicate of Bug 939157, caused by undefined behavior when calling RotateLeft with a shift of zero. RotateLeft then performs >>32 on a 32-bit value, which clang happily optimizes away since the behavior is not well-defined. Leaving open nevertheless.
Flags: needinfo?(sstangl)
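The hazard comment 3 describes, as an added C example (not the SpiderMonkey source or the patch from bug 939157): a rotate-left written as two plain shifts evaluates `value >> 32` when the shift is zero, while masking both shift counts keeps every case defined. The encoder loop is an assumption about how an ARM 8-bit rotated-immediate search reaches a zero rotation; all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustration; hypothetical names, not SpiderMonkey code. */

/* Naive rotate: shift == 0 evaluates value >> 32, which is undefined for a
 * 32-bit operand, so the compiler may optimize the expression away. */
uint32_t rotl32_naive(uint32_t value, unsigned shift) {
    return (value << shift) | (value >> (32 - shift));
}

/* Defined for every shift: both shift counts are reduced to 0..31. */
uint32_t rotl32_safe(uint32_t value, unsigned shift) {
    shift &= 31;
    return (value << shift) | (value >> ((32 - shift) & 31));
}

/* Assumed encoder shape: ARM data-processing immediates are an 8-bit value
 * rotated right by an even amount. Returns (rot << 8) | imm8, or -1. */
int encode_arm_imm8(uint32_t imm) {
    for (unsigned rot = 0; rot < 16; rot++) {
        /* First iteration rotates by zero: the case the naive form breaks. */
        uint32_t v = rotl32_safe(imm, 2 * rot);
        if (v <= 0xff)
            return (int)((rot << 8) | v);
    }
    return -1;
}

/* Inverse: rotate imm8 right by 2*rot, i.e. left by 32 - 2*rot (32 if rot == 0). */
uint32_t decode_arm_imm8(int field) {
    unsigned rot = ((unsigned)field >> 8) & 0xf;
    return rotl32_safe((uint32_t)field & 0xff, 32 - 2 * rot);
}

int main(void) {
    /* Constructed sample values. */
    const uint32_t samples[] = { 0xffu, 0x00100000u, 0xff000000u, 0x101u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int field = encode_arm_imm8(samples[i]);
        if (field < 0)
            printf("0x%08x: not encodable\n", (unsigned)samples[i]);
        else
            printf("0x%08x: field 0x%03x, decodes to 0x%08x\n", (unsigned)samples[i],
                   (unsigned)field, (unsigned)decode_arm_imm8(field));
    }
    return 0;
}
```

Building a caller of the naive form with `-fsanitize=undefined` (Clang or GCC) reports the out-of-range shift at run time, which catches this class of bug even when the optimized output happens to look correct.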
Reporter
Comment 4•9 years ago
I confirm that the patch in bug 939157 comment 1 fixes this issue.
Reporter
Comment 5•9 years ago
Opening up because bug 939157 is open and has a landed patch.
Group: javascript-core-security
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE