Closed Bug 1159899 Opened 9 years ago Closed 9 years ago

Differential Testing: Different output message involving division

Product/Component: Core :: JavaScript Engine: JIT
Type: defect
Priority: Not set
Severity: major
Status: RESOLVED FIXED
Target Milestone: mozilla40
Tracking Status: firefox40 --- fixed
Reporter: gkw, Assigned: h4writer
Keywords: regression, testcase
Attachments: 1 file
function f(x) {
    return ~~(x >>> 0) / (x >>> 0) | 0
}
f(1)
print(f(-1))

$ ./js-dbg-64-dm-nsprBuild-darwin-1ad65cbeb2f4 --fuzzing-safe --no-threads --ion-eager testcase.js
1

$ ./js-dbg-64-dm-nsprBuild-darwin-1ad65cbeb2f4 --fuzzing-safe --no-threads --baseline-eager testcase.js
0

Tested this on m-c rev 1ad65cbeb2f4.

My configure flags are:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 1ad65cbeb2f4

This likely goes as far back as m-c rev f9374ef0fbed (early 2014), so setting needinfo? from Hannes, randomly selected from our list of JIT gurus.
Flags: needinfo?(hv1989)
Attached patch: Patch
~~x is not equal to x. There is the side-effect that ToInt32 is done on "x".
As a result we need to fold ~~x to x|0, which covers that ToInt32 part.
Assignee: nobody → hv1989
Flags: needinfo?(hv1989)
Attachment #8599732 - Flags: review?(nicolas.b.pierron)
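
Added example, not part of any comment on this bug and not SpiderMonkey code: a JavaScript model of the fold described in the comment above, comparing the rewrite `~~x → x` with `~~x → x|0` on the reported testcase expression. The function names and the input list are constructed for illustration.

```javascript
// ToInt32 as ECMAScript defines it, written out to show what ~~ does to a number.
function toInt32(v) {
  if (!Number.isFinite(v)) return 0;
  const m = ((Math.trunc(v) % 2 ** 32) + 2 ** 32) % 2 ** 32; // reduce into [0, 2^32)
  return m >= 2 ** 31 ? m - 2 ** 32 : m;                     // reinterpret as signed
}

// ~~v and v|0 both perform ToInt32 on v; neither is the identity on uint32 values.
function bitNotTwiceIsToInt32(values) {
  return values.every((v) => ~~v === toInt32(v) && (v | 0) === toInt32(v));
}

// Reference: the testcase expression exactly as reported.
function reference(x) {
  return ~~(x >>> 0) / (x >>> 0) | 0;
}

// Unsound fold: ~~e replaced by e, which drops the ToInt32 conversion.
function foldToOperand(x) {
  return (x >>> 0) / (x >>> 0) | 0;
}

// Sound fold: ~~e replaced by e|0, which keeps the ToInt32 conversion.
function foldToBitOrZero(x) {
  return ((x >>> 0) | 0) / (x >>> 0) | 0;
}

// Differential check: inputs on which a candidate fold disagrees with the reference.
function divergences(candidate, inputs) {
  return inputs.filter((x) => !Object.is(candidate(x), reference(x)));
}

// Constructed inputs around the int32/uint32 boundary.
const INPUTS = [0, 1, 2, 0x7fffffff, -1, -2, -0x80000000, 0x80000000, 0xffffffff];

console.log("reference(-1)     =", reference(-1));
console.log("foldToOperand(-1) =", foldToOperand(-1));
console.log("x   diverges on", divergences(foldToOperand, INPUTS));
console.log("x|0 diverges on", divergences(foldToBitOrZero, INPUTS));
```

Every diverging input is one where `x >>> 0` is at least 2^31, the range in which ToInt32 changes the value.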
Comment on attachment 8599732
Patch

Review of attachment 8599732:
-----------------------------------------------------------------

::: js/src/jit/MIR.cpp
@@ +2953,5 @@
>          return MConstant::New(alloc, v);
>      }
>  
>      if (input->isBitNot() && input->toBitNot()->specialization_ == MIRType_Int32) {
>          MOZ_ASSERT(input->toBitNot()->getOperand(0)->type() == MIRType_Int32);
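
Review bot: in the `input->isBitNot()` branch, the `MOZ_ASSERT` on the operand type is compiled out of non-debug builds, so the `specialization_ == MIRType_Int32` test in the `if` is the only guard on this fold that survives into release builds. The quoted lines also carry no comment explaining why an operand already typed `MIRType_Int32` still needs the ToInt32 step; a short comment above the `if` stating that `~~x` folds to `x|0` rather than `x` would record the reason for the next reader.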

This sounds good, but does the specialization still matter?
Attachment #8599732 - Flags: review?(nicolas.b.pierron) → review+
(In reply to Nicolas B. Pierron [:nbp] from comment #2)
> ::: js/src/jit/MIR.cpp
> @@ +2953,5 @@
> >          return MConstant::New(alloc, v);
> >      }
> >  
> >      if (input->isBitNot() && input->toBitNot()->specialization_ == MIRType_Int32) {
> >          MOZ_ASSERT(input->toBitNot()->getOperand(0)->type() == MIRType_Int32);
> 
> This sounds good, but does the specialization still matter?

I don't think it matters. But not gonna risk the chance of introducing a bug in a bugfix ;).
https://hg.mozilla.org/mozilla-central/rev/be70d2673c35
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla40