Closed Bug 643805 Opened 13 years ago Closed 13 years ago

TI: Incorrect results with compiled FreeType

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
Other Branch
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: azakai, Unassigned)

References

Details

Attachments

(3 files, 2 obsolete files)

freetype - two versions
1.92 MB, application/octet-stream
Details
freetype - gcc version
904.36 KB, application/octet-stream
Details
Reduced
630 bytes, application/x-javascript
Details 
The attachment is FreeType compiled to JavaScript (two versions - one with optimizations, one without). Running it in jaegermonkey with -m and parameters |font.ttf test 80 75 2| gives incorrect results (an error in one version, an infinite loop in the other). The output without -m (and with the same parameters) is valid (it shows some ascii art).

This is similar and perhaps related to bug 643635.
Um, this shouldn't be a security sensitive bug - I guess I clicked the wrong button when filing it.

I don't see a way to undo that...?
Group: core-security
Attached file freetype - gcc version 
An additional build of FreeType, this time with llvm-gcc (other ones were with clang).

This build crashes with -j (with the same arguments as before), unlike the other ones. Otherwise it is similar, no JITs works, -m gives incorrect output (0's).
The patch in bug 643829 does not fix this. Reducing...
Attached file Reduced (obsolete) — 
My laptop spent most of yesterday attacking this 214,755 lines monster. Let's hope there's only one bug here ;)

$ ./js -m -a test.js
test.js:22: Error: Assertion failed: got (void 0), expected 0

Looks a lot like bug 642569 (>50 locals)
Attached file Reduced (obsolete) — 
This one may be easier to debug.
Attachment #522098 - Attachment is obsolete: true
Reduced testcase passes now but Freetype still fails with |-m -n| (incorrect result) so I'll probably have to reduce this again..
Looks like this happens on tracemonkey too, so it might not be a TI bug. Filed bug 648769.
Depends on: 648769
Output is still incorrect with -n, I'll reduce this now.
Jan: This is still a problem on tracemonkey, so it is likely not a TI issue, as mentioned in comment #7. If you can reduce for tracemonkey for bug 648769, though, that would be extremely useful - we are having a hard time finding the cause by bisection!
(In reply to comment #9)
> Jan: This is still a problem on tracemonkey, so it is likely not a TI issue, as
> mentioned in comment #7. 

I'm using freetype_gcc_1_1.js. It works with -m, but with -m -n it prints incorrect values.

> If you can reduce for tracemonkey for bug 648769,
> though, that would be extremely useful - we are having a hard time finding the
> cause by bisection!

Hm can't reproduce, will post details in the other bug.
Attached file Reduced 
This fails with |-m -n| and |-m -n -a|:

test.js:20: Error: Assertion failed: got false, expected true

It looks like it's evicting the result of $rec = $rec + 1 because it decides $rec is dead.
Attachment #522105 - Attachment is obsolete: true
Bingo.  When running the liveness analysis on loop bodies, we initially assume that if the variable is dead after the loop it will be dead at the backedge too, and need to go and insert new lifetime segments if it is found to be live at the loop head.  This was broken though and did not insert new segments if the variable was written in the middle of the loop and those writes did not dominate the back edge.

http://hg.mozilla.org/projects/jaegermonkey/rev/d78eef12a329
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: