Closed Bug 1534810 Opened 5 years ago Closed 5 years ago

Differential Testing: Different output message involving IonMonkey on ARM64 and Math.round

Categories

(Core :: JavaScript Engine: JIT, defect, P1)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
ARM64
All
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla67
Tracking Flags:
Tracking Status
firefox67 --- fixed

People

(Reporter: gkw, Assigned: nbp)

References

(Blocks 1 open bug)

Details

(Keywords: testcase, Whiteboard: [fuzzblocker])

Crash Data

Attachments

(1 file)

Bug 1534810 - ARM64: LMulI should copy registers when multiplying by 1.
47 bytes, text/x-phabricator-request
Details | Review 
function f() {}
function g(x) {
    return (x >> 0) + Math.imul(+f(), Math.round(1));
}
for (let i = 0; i < 2; ++i) {
    print(g());
}

$ ./js-dbg-64-dm-armsim64-linux-x86_64-aecb76a0cd77 --fuzzing-safe --no-threads --baseline-eager --no-ion testcase.js
0
0

$ ./js-dbg-64-dm-armsim64-linux-x86_64-aecb76a0cd77 --fuzzing-safe --no-threads --ion-eager testcase.js
0
-13

Tested this on m-c rev aecb76a0cd77.

My configure flags are:

AR=ar sh ./configure --enable-simulator=arm64 --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests --disable-cranelift

python3 -u -m funfuzz.js.compile_shell -b "--enable-debug --enable-more-deterministic --enable-simulator=arm64" -r aecb76a0cd77

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/afb2e1e1665f
user: Sean Stangl
date: Thu Mar 07 03:57:23 2019 +0000
summary: Bug 1528869 - Enable IonMonkey in the ARM64 shell, but keep it disabled in the browser. r=nbp

Setting needinfo? from Sean and Nicolas since this is IonMonkey on ARM64. Also setting [fuzzblocker] because this is hard to differentiate from the other fuzzblocking compare_jit issues.

Flags: needinfo?(sstangl)
Flags: needinfo?(nicolas.b.pierron)
Assignee: nobody → nicolas.b.pierron
Status: NEW → ASSIGNED
Flags: needinfo?(nicolas.b.pierron)

I can reproduce this issue. I will investigate.

Flags: needinfo?(sstangl)
Priority: -- → P1

The problem here is that the code got copied from x86-shared, which is lowered with defineReuseInput, however this is not the case on arm64 and we missed a register copy in case the registers are different.

Pushed by npierron@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/425b8e0eb6d6
ARM64: LMulI should copy registers when multiplying by 1. r=sstangl

https://hg.mozilla.org/mozilla-central/rev/425b8e0eb6d6

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox67: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
Crash Signature: [@ JSObject::getClass]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: