706532 - JS Correctness: Different TypeError variants with/without methodjit

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following test produces two different TypeError versions with options "-m -a" vs. no options on mozilla-central revision ca140190529a:


(toString++);
var self = this;
this.self++;


Output:

$ $JS -m -a min.js 
min.js:3: TypeError: can't convert #1={self:#1#, toString:NaN} to number
$ $JS min.js 
min.js:3: TypeError: can't convert this.self to number

Comment 1

[Brian Hackett [Laid off!]]

After the objshrink merge this now gives the same output regardless of options, though unfortunately it is the really ugly one using sharp variables.  I'll look into fixing that and restoring the this.self output in all cases.

Comment 2

[Brian Hackett [Laid off!]]

Attachment: patch

Patch.  The decompiler doesn't work on opcodes that are in the middle of a decomposed op because the source notes it needs aren't present.  This rejiggers things so that when decompiling at such an inner op it tries to decompile the outer op instead.

Comment 3

[Luke Wagner [:luke]]

Comment on attachment 579178 [details] [diff] [review]
patch

Looks reasonable.  I recommend you ask Gary for pre-fuzzing.

Comment 4

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

> Looks reasonable.  I recommend you ask Gary for pre-fuzzing.

This does not blow up the fuzzers after fuzzing for awhile.

Comment 5

[Brian Hackett [Laid off!]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/12c1f73c461f

Comment 6

[Ed Morley [:emorley]]

https://hg.mozilla.org/mozilla-central/rev/12c1f73c461f