Closed
Bug 1183423
Opened 9 years ago
Closed 9 years ago
Differential Testing: Different output message involving lexical declarations
Categories
(Core :: JavaScript Engine: JIT, defect)
Core
JavaScript Engine: JIT
Tracking
()
RESOLVED
DUPLICATE
of bug 1181354
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: regression, testcase)
try {
m = [0, 0];
(function() {
for (var y = 0; y < 9; y++) {}
const z = 7;
m.sort.call(m, (function() {
z;
print("FOO");
}));
})();
} catch (e) {
print(e);
}
$ ./js-dbg-64-dm-nsprBuild-darwin-7ec3e4b2a45f --fuzzing-safe --no-threads --ion-eager testcase.js
ReferenceError: can't access lexical declaration `z' before initialization
$ ./js-dbg-64-dm-nsprBuild-darwin-7ec3e4b2a45f --fuzzing-safe --no-threads --baseline-eager testcase.js
FOO
Tested this on m-c rev 7ec3e4b2a45f.
My configure flags are:
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 7ec3e4b2a45f
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/6ec4eb9786d8
user: Shu-yu Guo
date: Tue Jan 06 14:37:42 2015 -0800
summary: Bug 1111293 - Body level function statement hoisted use analysis to elide TDZ checks is wrong. Pessimize all body level function statements. (r=Waldo)
Shu-yu / Waldo, is bug 1111293 a likely regressor?
Reporter | ||
Updated•9 years ago
|
status-firefox39:
--- → affected
status-firefox40:
--- → affected
status-firefox41:
--- → affected
status-firefox-esr31:
--- → unaffected
status-firefox-esr38:
--- → affected
Reporter | ||
Updated•9 years ago
|
Flags: needinfo?(shu)
Comment hidden (obsolete) |
Reporter | ||
Comment 3•9 years ago
|
||
To bisect, paste the testcase into ~/1183423.js and run the following in your home directory (~):
git clone https://github.com/MozillaSecurity/funfuzz funfuzz
git clone https://github.com/MozillaSecurity/lithium lithium
python -u ~/funfuzz/autobisect-js/autoBisect.py -s 6ec4eb9786d8 -p ~/1183423.js -b "--enable-debug --enable-more-deterministic --enable-nspr-build -R ~/trees/mozilla-central" -i ~/funfuzz/js/compareJIT.py --minlevel=6 mozilla-central
where the mozilla-central *Mercurial* repository is cloned into ~/trees/mozilla-central. Python 2.7.x is recommended.
Reporter | ||
Comment 4•9 years ago
|
||
autoBisect shows this is probably related to the following changeset:
The first good revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/8bd08e459f24
user: Shu-yu Guo
date: Thu Jul 09 05:35:44 2015 -0700
summary: Bug 1181354 - Account for initaliasedlexical in this one weird const cutout in jit::SetProperty. (r=jandem)
Shu-yu, is bug 1181354 a likely fix? If so, any of the tests be landed?
Flags: needinfo?(shu)
Comment 5•9 years ago
|
||
Yeah, that looks like the fix. No need to land this fuzztest.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(shu)
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•