1186226 - Differential Testing: Different output message involving OdinMonkey

Status: RESOLVED FIXED

(Core :: JavaScript Engine: JIT, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

f = (function() {
    "use asm";
    function f() {
        return (0 > (-(~~1) >>> 0)) | 0;
    }
    return f;
})();
print(f());

$ ./js-dbg-32-dm-nsprBuild-darwin-d00e4167b482 --fuzzing-safe --no-threads --ion-eager testcase.js
1

$ ./js-dbg-32-dm-nsprBuild-darwin-d00e4167b482 --fuzzing-safe --no-threads --baseline-eager --no-fpu testcase.js
0

Tested this on m-c rev d00e4167b482.

My configure flags are:

LD=ld CROSS_COMPILE=1 CC="clang -Qunused-arguments -msse2 -mfpmath=sse -arch i386" RANLIB=ranlib CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments -msse2 -mfpmath=sse" AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 HOST_CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse" sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=i386-apple-darwin9.2.0 --enable-macos-target=10.5 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build --32" -r d00e4167b482

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/b822456c6e2f
user:        Brian Hackett
date:        Tue Jul 07 11:24:36 2015 -0700
summary:     Bug 1175714 - Watch for baseline frame values with nursery types during OSR, r=jandem.

Setting [fuzzblocker] because this is blocking differential testing fuzzing on OdinMonkey.

Jan / Benjamin, do you think anyone of you could take this please - because Brian is away till the end of the month.

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Another testcase:

f = function() {
    "use asm";
    function f(i0) {
        i0 = i0 | 0;
        return 0 < 4294967294 | 0;
    }
    return f;
}();
print(f());

$ ./js-dbg-32-dm-nsprBuild-darwin-1875a5584e5f --fuzzing-safe --no-threads --ion-eager testcase.js
0

$ ./js-dbg-32-dm-nsprBuild-darwin-1875a5584e5f --fuzzing-safe --no-threads --baseline-eager --no-fpu testcase.js
1

Comment 2

[Benjamin Bouvier [:bbouvier] (inactive)]

Taking. It's a fallout from bug 1157624.

Can't withdraw bug 1175714 from the list of blockers, as I don't have access to it.

Comment 3

[Benjamin Bouvier [:bbouvier] (inactive)]

Attachment: fix.patch

A quite simple patch: when determining the type for a comparison, we need to look at *both* hand sides. During the big split, I thought only looking at the LHS would be enough, but these test cases show it isn't.

Comment 4

[Benjamin Bouvier [:bbouvier] (inactive)]

(for the record, bug 1157624 landed in mozilla-42, which is the current nightly, so no need to uplift, if it can land quickly enough)

Comment 5

[Jan de Mooij [:jandem]]

Comment on attachment 8637056 [details] [diff] [review]
fix.patch

Review of attachment 8637056 [details] [diff] [review]:
-----------------------------------------------------------------

Good find.

::: js/src/asmjs/AsmJSValidate.cpp
@@ +8506,5 @@
>            case JSOP_GT: stmt = I32::SGtI32; break;
>            case JSOP_GE: stmt = I32::SGeI32; break;
>            default: MOZ_CRASH("unexpected comparison op");
>          }
> +    } else if (lhsType.isUnsigned() && lhsType.isUnsigned()) {

The second one should be rhsType instead of lhsType.

Comment 6

[Pulsebot]

https://hg.mozilla.org/integration/mozilla-inbound/rev/9b5d7e71135a

Comment 7

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/9b5d7e71135a