Closed
Bug 1124421
Opened 9 years ago
Closed 9 years ago
Differential Testing: Different output message involving Uint32Array and Float32Array
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
RESOLVED
WORKSFORME
Tracking | Status
---|---
firefox38 | affected
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: regression, testcase)
x = new Array
x[7] = 0;
print(Uint32Array(Float32Array(x))[0])

$ ./js-dbg-opt-32-dm-nsprBuild-linux-540077a30866 --fuzzing-safe --no-threads --ion-eager testcase.js
0
$ ./js-dbg-opt-32-dm-nsprBuild-linux-540077a30866 --fuzzing-safe --no-threads --baseline-eager testcase.js
2147483648

Tested this on m-c rev 540077a30866.

My configure flags are:

CC="gcc -m32 -msse2 -mfpmath=sse" CXX="g++ -m32 -msse2 -mfpmath=sse" AR=ar PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig sh /home/fuzz3lin/trees/mozilla-central/js/src/configure --target=i686-pc-linux --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

Setting s-s first because this seems to involve TypedArrays.

autoBisect is running.
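The testcase above is a differential check in miniature: the hole at x[0] reads as undefined, Float32Array turns it into NaN, and the ECMAScript ToUint32 operation maps NaN to 0, so 0 is the spec answer and 2147483648 (0x80000000, the x86 "integer indefinite" result for an unrepresentable float-to-int conversion) is the divergence. The following script is an added example, not part of the bug report or of SpiderMonkey: it writes out ToUint32 by hand and runs it against the engine's own Float32Array to Uint32Array conversion over a constructed set of edge inputs (the sparse-array case plus NaN, infinities, negatives, values at 2^31 and 2^32, fractions). It uses `new` with the typed-array constructors because current engines reject calling them without it; the input list and the function names are my own.

```javascript
// Added example (not from the bug report): a differential self-check of the
// engine's Float32Array -> Uint32Array conversion against a hand-written
// ECMAScript ToUint32. Constructors are called with `new`, which modern
// engines require.

const TWO_32 = 4294967296; // 2^32

// ToUint32 per ECMAScript: NaN and +/-Infinity map to 0, everything else is
// truncated toward zero and reduced modulo 2^32 into the range [0, 2^32).
function specToUint32(value) {
  const n = Number(value);
  if (!Number.isFinite(n)) return 0;          // covers NaN, Infinity, -Infinity
  const t = Math.trunc(n);                    // truncate toward zero
  return ((t % TWO_32) + TWO_32) % TWO_32;    // wrap negatives into range
}

// What the engine computes: round each input to float32, then let the
// Uint32Array constructor perform the conversion (the shape of the testcase).
function engineRoundTrip(values) {
  return Array.from(new Uint32Array(new Float32Array(values)));
}

// Reference result: the same float32 rounding, but the final conversion step
// is the hand-written specToUint32 instead of the engine's.
function specRoundTrip(values) {
  return Array.from(new Float32Array(values), specToUint32);
}

// Compare both paths element by element; a non-empty result is a finding of
// the kind the fuzzer reported (e.g. 2147483648 where 0 was expected).
function findMismatches(values) {
  const got = engineRoundTrip(values);
  const want = specRoundTrip(values);
  const mismatches = [];
  for (let i = 0; i < want.length; i++) {
    if (got[i] !== want[i]) {
      mismatches.push({ index: i, input: values[i], got: got[i], want: want[i] });
    }
  }
  return mismatches;
}

// The original testcase: a sparse array whose holes read as undefined -> NaN.
function originalTestcase() {
  const x = new Array(8);
  x[7] = 0;
  return engineRoundTrip(x)[0]; // spec answer is 0; the bug printed 2147483648
}

// Constructed edge inputs (not from the report). 1e10 = 9765625 * 2^10 is
// exactly representable in float32, so its ToUint32 value is 1e10 mod 2^32.
const EDGE_INPUTS = [NaN, Infinity, -Infinity, -1, -0.5, 3.7, 2147483648, TWO_32, 1e10];

console.log("testcase:", originalTestcase());
console.log("mismatches:", findMismatches(EDGE_INPUTS));
```

On a conforming engine the mismatch list is empty and the testcase prints 0; the buggy build described in this report would have produced an entry with got 2147483648 and want 0 for the NaN inputs.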
Comment 1•9 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/2095011ec061
user:        Brian Hackett
date:        Thu Oct 02 19:32:39 2014 -0700
summary:     Bug 1073842 - Add NativeObject subclass of JSObject, remove ObjectImpl, r=luke.

Brian, is bug 1073842 a likely regressor?
Blocks: 1073842
Flags: needinfo?(bhackett1024)
Comment 2•9 years ago
I haven't been able to reproduce this. Gary, can you still do so? I'm wondering if this is a dupe of or at least related to bug 1132290.
Flags: needinfo?(bhackett1024)
Comment 3•9 years ago
$ ./js-dbg-32-dm-nsprBuild-linux-09f4968d5f42 --fuzzing-safe --no-threads --ion-eager 1124421.js
0
$ ./js-dbg-32-dm-nsprBuild-linux-09f4968d5f42 --fuzzing-safe --no-threads --baseline-eager --no-fpu 1124421.js
2147483648

I can still reproduce with:

CXX="g++ -m32 -msse2 -mfpmath=sse" CC="gcc -m32 -msse2 -mfpmath=sse" AR=ar PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig sh /home/fuzz3lin/trees/mozilla-central/js/src/configure --target=i686-pc-linux --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

on m-c rev 09f4968d5f42, which seems to include the fix for bug 1132290.

--no-fpu seems to be the difference now.
Flags: needinfo?(bhackett1024)
Comment 4•9 years ago
If bug 1132290 was not a security bug, is this one?
Updated•9 years ago
Flags: needinfo?(bhackett1024) → needinfo?(hv1989)
Comment 6•9 years ago
$ CXX="g++ -m32 -msse2" CC="gcc -m32 -msse2" ../configure --target=i686-pc-linux-gnu --enable-debug --enable-nspr-build --enable-more-deterministic --enable-gczeal --enable-debug-symbols --disable-tests
$ js --fuzzing-safe --no-ion --no-baseline --no-fpu /tmp/test18.js
2147483648

$ CXX="g++ -m32" CC="gcc -m32" ../configure --target=i686-pc-linux-gnu --enable-debug --enable-nspr-build --enable-more-deterministic --enable-gczeal --enable-debug-symbols --disable-tests
$ js --fuzzing-safe --no-ion --no-baseline /tmp/test18.js
0

So this has nothing to do with IonMonkey/Baseline but with the compiler flag "-msse2", which probably messes up some arithmetic.

1) Do we still support SSE2 only? I think this was only for Windows XP, right?
2) Why did --no-sse3 --no-sse4 not yield this problem?
Flags: needinfo?(hv1989)
Comment 7•9 years ago
(In reply to Hannes Verschore [:h4writer] from comment #6)
> So this has nothing to do with IonMonkey/Baseline but with the compiler flag
> "-msse2", which probably messes up some arithm.

It was recommended to use SSE2 in bug 948321 - Dan might know more.
Flags: needinfo?(sunfish)
Comment 8•9 years ago
In bug 948321, we're trying to build with -msse2 so that the Interpreter (C++ code) gets the same bit-for-bit answers as IonMonkey, which only knows how to use SSE, since there are cases where x87 and SSE give us different answers. Since x64 is always SSE, Mac OS is always SSE, and our JIT only uses SSE, it's surprising that we would have a bug with always SSE.
Flags: needinfo?(sunfish)
Updated•9 years ago
Flags: needinfo?(hv1989)
Comment 9•9 years ago
(In reply to Hannes Verschore [:h4writer] from comment #6)
> $ CXX="g++ -m32 -msse2" CC="gcc -m32 -msse2" ../configure
> --target=i686-pc-linux-gnu --enable-debug --enable-nspr-build
> --enable-more-deterministic --enable-gczeal --enable-debug-symbols
> --disable-tests
> $ js --fuzzing-safe --no-ion --no-baseline --no-fpu /tmp/test18.js
> 2147483648
>
> $ CXX="g++ -m32" CC="gcc -m32" ../configure --target=i686-pc-linux-gnu
> --enable-debug --enable-nspr-build --enable-more-deterministic
> --enable-gczeal --enable-debug-symbols --disable-tests
> $ js --fuzzing-safe --no-ion --no-baseline /tmp/test18.js
> 0

Hannes, I just noticed something here. You're comparing "-msse2 w/ --no-fpu" vs "no -msse2 w/o --no-fpu". Shouldn't we compare only with/without --no-fpu?
Comment 10•9 years ago
Just rechecked that I can now no longer reproduce on m-c rev 5330c6f461a4. Hopefully we'll get better testcases next time.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(hv1989)
Resolution: --- → WORKSFORME
Updated•9 years ago
Group: core-security → core-security-release
Updated•7 years ago
Group: core-security-release