Closed Bug 1124421 Opened 9 years ago Closed 9 years ago

Differential Testing: Different output message involving Uint32Array and Float32Array

Categories: Core :: JavaScript Engine: JIT
Platform: x86 Linux
Type: defect
Priority: Not set
Severity: major
Status: RESOLVED WORKSFORME
Tracking Status: firefox38 --- affected
People: Reporter: gkw, Unassigned
Keywords: regression, testcase

x = new Array
x[7] = 0;
print(Uint32Array(Float32Array(x))[0])

$ ./js-dbg-opt-32-dm-nsprBuild-linux-540077a30866 --fuzzing-safe --no-threads --ion-eager testcase.js
0

$ ./js-dbg-opt-32-dm-nsprBuild-linux-540077a30866 --fuzzing-safe --no-threads --baseline-eager testcase.js
2147483648

Tested this on m-c rev 540077a30866.

My configure flags are:

CC="gcc -m32 -msse2 -mfpmath=sse" CXX="g++ -m32 -msse2 -mfpmath=sse" AR=ar PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig sh /home/fuzz3lin/trees/mozilla-central/js/src/configure --target=i686-pc-linux --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

Setting s-s first because this seems to involve TypedArrays.
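An added differential-testing harness for the conversion the testcase exercises. This is example code written for this page, not code from the bug report or from SpiderMonkey. The hole at x[0] reads as undefined, which ToNumber turns into NaN; a Float32Array stores that NaN, and ECMA-262 ToUint32 maps NaN (and +/-Infinity) to 0, so 0 is the spec answer. The other value seen here, 2147483648, is 0x80000000, which is the "integer indefinite" result x86 cvttss2si/cvttsd2si produces for NaN or out-of-range inputs; whether that is what happened in this bug was never established, but it is why a harness for this conversion should feed NaN, infinities and values beyond 2^32 rather than only in-range numbers. The harness compares the engine's Float32Array to Uint32Array conversion against a reference ToUint32 written here, over the reporter's sparse array and a set of constructed edge values. It uses `new` with the typed-array constructors because current engines throw when they are called as plain functions; the 2015 shell accepted the call form in the testcase.

```javascript
// Added example (not from the bug report or SpiderMonkey): a differential
// harness for the Float32Array -> Uint32Array element conversion that the
// testcase above exercises. The engine's result is compared against a
// reference ToUint32 implemented here, over constructed edge-case inputs.

// Reference ECMA-262 ToUint32: NaN and +/-Infinity map to 0; anything else is
// truncated toward zero and reduced modulo 2^32. BigInt arithmetic keeps the
// reference path free of any engine float->int conversion.
function toUint32Ref(x) {
  if (!Number.isFinite(x)) return 0;          // covers NaN, +Infinity, -Infinity
  let r = BigInt(Math.trunc(x)) % (1n << 32n);
  if (r < 0n) r += 1n << 32n;
  return Number(r);
}

// Engine path: the same construction as the testcase, written with `new`
// because current engines throw when a typed-array constructor is called
// as a plain function.
function engineConvert(values) {
  return Array.from(new Uint32Array(new Float32Array(values)));
}

// Reference path: index by index so array holes are seen (they read as
// undefined, which ToNumber turns into NaN), round to float32 as a
// Float32Array store does, then apply ToUint32.
function referenceConvert(values) {
  const out = [];
  for (let i = 0; i < values.length; i++) {
    out.push(toUint32Ref(Math.fround(Number(values[i]))));
  }
  return out;
}

// Differential comparison: returns one record per disagreeing index.
function diff(values) {
  const engine = engineConvert(values);
  const reference = referenceConvert(values);
  const mismatches = [];
  for (let i = 0; i < reference.length; i++) {
    if (engine[i] !== reference[i]) {
      mismatches.push({ index: i, input: values[i], engine: engine[i], reference: reference[i] });
    }
  }
  return mismatches;
}

// The reporter's input: a sparse array whose first seven slots are holes.
function holeCase() {
  const x = new Array();
  x[7] = 0;
  return x;
}

// Constructed edge values: the boundaries of ToUint32 plus values that float32
// rounding changes (2^32-1 and 2^32+1 both round to 2^32, 1e40 overflows to
// Infinity). 2^31 is the input whose correct answer is 2147483648.
const EDGE_VALUES = [NaN, Infinity, -Infinity, -0, 0.5, -1, -1.5,
                     2 ** 31, 2 ** 32 - 1, 2 ** 32, 2 ** 32 + 1, 3000000000, 1e40];

for (const [name, values] of [["hole case", holeCase()], ["edge values", EDGE_VALUES]]) {
  const m = diff(values);
  console.log(`${name}: ${m.length === 0 ? "engine matches reference" : JSON.stringify(m)}`);
}
```

To use this the way the report does, run the same file under each configuration being compared (for example --ion-eager versus --baseline-eager, or with and without --no-fpu) and look for a non-empty mismatch list; the reference path never goes through the engine's own float-to-int code, so a disagreement points at the conversion itself rather than at the harness.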

autoBisect is running.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/2095011ec061
user:        Brian Hackett
date:        Thu Oct 02 19:32:39 2014 -0700
summary:     Bug 1073842 - Add NativeObject subclass of JSObject, remove ObjectImpl, r=luke.

Brian, is bug 1073842 a likely regressor?
Blocks: 1073842
Flags: needinfo?(bhackett1024)
I haven't been able to reproduce this. Gary, can you still do so? I'm wondering if this is a dupe of or at least related to bug 1132290.
Flags: needinfo?(bhackett1024)
$ ./js-dbg-32-dm-nsprBuild-linux-09f4968d5f42 --fuzzing-safe --no-threads --ion-eager 1124421.js
0

$ ./js-dbg-32-dm-nsprBuild-linux-09f4968d5f42 --fuzzing-safe --no-threads --baseline-eager --no-fpu 1124421.js
2147483648

I can still reproduce with:

CXX="g++ -m32 -msse2 -mfpmath=sse" CC="gcc -m32 -msse2 -mfpmath=sse" AR=ar PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig sh /home/fuzz3lin/trees/mozilla-central/js/src/configure --target=i686-pc-linux --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

on m-c rev 09f4968d5f42 which seems to include the fix for bug 1132290.

--no-fpu seems to be the difference now.
Flags: needinfo?(bhackett1024)
If bug 1132290 was not a security bug, is this one?
Hannes, would you mind trying this with the new info from comment 3?
Flags: needinfo?(bhackett1024) → needinfo?(hv1989)
$ CXX="g++ -m32 -msse2" CC="gcc -m32 -msse2" ../configure --target=i686-pc-linux-gnu --enable-debug --enable-nspr-build --enable-more-deterministic --enable-gczeal --enable-debug-symbols --disable-tests
$ js --fuzzing-safe --no-ion --no-baseline --no-fpu /tmp/test18.js
2147483648

$ CXX="g++ -m32" CC="gcc -m32" ../configure --target=i686-pc-linux-gnu --enable-debug --enable-nspr-build --enable-more-deterministic --enable-gczeal --enable-debug-symbols --disable-tests
$ js --fuzzing-safe --no-ion --no-baseline /tmp/test18.js
0

So this has nothing to do with IonMonkey/Baseline but with the compiler flag "-msse2", which probably messes up some arithm.

1) Do we still support SSE2 only? I think this was only for Windows XP, right?
2) Why did --no-sse3 --no-sse4 not yield this problem?
Flags: needinfo?(hv1989)
(In reply to Hannes Verschore [:h4writer] from comment #6)
> So this has nothing to do with IonMonkey/Baseline but with the compiler flag
> "-msse2", which probably messes up some arithm.

It was recommended to use SSE2 in bug 948321 - Dan might know more.
Flags: needinfo?(sunfish)
In bug 948321, we're trying to build with -msse2 so that the Interpreter (C++ code) gets the same bit-for-bit answers as IonMonkey, which only knows how to use sse, since there are cases where x87 and sse give us different answers.

Since x64 is always SSE, and Mac OS is always SSE, and our JIT only uses SSE, it's surprising that we would have a bug with always SSE.
Flags: needinfo?(sunfish)
Flags: needinfo?(hv1989)
(In reply to Hannes Verschore [:h4writer] from comment #6)
> $ CXX="g++ -m32 -msse2" CC="gcc -m32 -msse2" ../configure
> --target=i686-pc-linux-gnu --enable-debug --enable-nspr-build
> --enable-more-deterministic --enable-gczeal --enable-debug-symbols
> --disable-tests
> $ js --fuzzing-safe --no-ion --no-baseline --no-fpu /tmp/test18.js
> 2147483648
> 
> $ CXX="g++ -m32" CC="gcc -m32" ../configure --target=i686-pc-linux-gnu
> --enable-debug --enable-nspr-build --enable-more-deterministic
> --enable-gczeal --enable-debug-symbols --disable-tests
> $ js --fuzzing-safe --no-ion --no-baseline /tmp/test18.js
> 0

Hannes, I just noticed something here.

You're comparing "-msse2 w/--no-fpu" vs "No -msse2 w/o --no-fpu". Shouldn't we compare only with/without --no-fpu?
Just rechecked that I can now no longer reproduce on m-c rev 5330c6f461a4. Hopefully we'll get better testcases next time.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(hv1989)
Resolution: --- → WORKSFORME
Group: core-security → core-security-release
Group: core-security-release