Differential Testing: Different output message involving Math.imul

RESOLVED FIXED in Firefox 42

Product: Core
Component: JavaScript Engine: JIT
Priority: --
Severity: major
Status: RESOLVED FIXED
Reporter: gkw
Assignee: h4writer
Blocks: 2 bugs
Version: Trunk
Target Milestone: mozilla42
Keywords: regression, testcase
Bug Flags: in-testsuite +
Firefox Tracking Flags: firefox42 fixed
Attachments: 1 attachment
(Reporter)

Description

3 years ago
function f(x) {
    print(Math.imul(-4294967295, x >>> 0) / 9 | 0);
}
f(4294967296);
f(2147483648);

$ ./js-dbg-64-dm-nsprBuild-darwin-1875a5584e5f --fuzzing-safe --no-threads --ion-eager testcase.js
0
238609294

$ ./js-dbg-64-dm-nsprBuild-darwin-1875a5584e5f --fuzzing-safe --no-threads --baseline-eager testcase.js
0
-238609294

Tested this on m-c rev 1875a5584e5f.

My configure flags are:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 1875a5584e5f

This seems to go back prior to rev a459b02a9ca4. Not sure if I'll be able to get a better bisection.

Hannes, do you know if you could take this one?
Flags: needinfo?(hv1989)
(Assignee)

Comment 1

3 years ago
Bisecting gave me:

The first bad revision is:
changeset:   138237:05bfd456e558
user:        Brian Hackett <bhackett1024@gmail.com>
date:        Thu Jul 11 17:11:04 2013 -0600
summary:     Bug 891534 - Use asm.js ops for truncated unsigned div/mod, allow div ops to be marked as truncated, r=jandem.

Looking into it.
Flags: needinfo?(hv1989)
(Assignee)

Comment 2

3 years ago
Created attachment 8637893 [details] [diff] [review]
Patch

Simplifying / gvn:
> Math.imul(1, foo)

is not equal to
> foo

like in normal multiplication. Imul does a truncation of the result
and the actual result should be:
> foo | 0


I solved this more generally than testing in MMul if the mode integer is set, since this issue will arise whenever a binary instruction sets itself as truncated, which currently only MMul does for imul.
Assignee: nobody → hv1989
Attachment #8637893 - Flags: review?(nicolas.b.pierron)
Attachment #8637893 - Flags: review?(nicolas.b.pierron) → review+
https://hg.mozilla.org/mozilla-central/rev/63a925e3a025
Status: NEW → RESOLVED
Last Resolved: 3 years ago
status-firefox42: affected → fixed
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla42
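
The discrepancy reported above, reproduced as an added JavaScript example (not part of the bug report or of the SpiderMonkey patch). `refImul`, `unsoundFold`, `soundFold` and `divergences` are hypothetical names that model the two simplifications discussed in comment 2, and the input list is constructed.

```javascript
// Added illustration; names below are hypothetical, not SpiderMonkey code.

// Spec-level reference for Math.imul: ToInt32 on both operands, multiply,
// keep the low 32 bits as a signed value. BigInt avoids double rounding.
function refImul(a, b) {
  const product = BigInt(a | 0) * BigInt(b | 0);
  return Number(BigInt.asIntN(32, product));
}

// The page's testcase body, parameterised on how imul(c, y) is evaluated.
function testcase(imulImpl, x) {
  return imulImpl(-4294967295, x >>> 0) / 9 | 0;
}

// Model of the unsound simplification: ToInt32(-4294967295) is 1, and
// "1 * y => y" is only valid for untruncated multiplication.
function unsoundFold(c, y) {
  return (c | 0) === 1 ? y : refImul(c, y);
}

// Model of the sound simplification from comment 2: imul(1, y) => y | 0.
function soundFold(c, y) {
  return (c | 0) === 1 ? (y | 0) : refImul(c, y);
}

// Differential check: return the inputs on which two evaluators disagree.
function divergences(implA, implB, inputs) {
  return inputs.filter((x) => testcase(implA, x) !== testcase(implB, x));
}

// Constructed boundary inputs around the int32/uint32 limits.
const INPUTS = [0, 1, 2147483647, 2147483648, 4294967295, 4294967296];

console.log(INPUTS.map((x) => [x, testcase(Math.imul, x), testcase(unsoundFold, x)]));
console.log("unsound vs builtin:", divergences(unsoundFold, Math.imul, INPUTS));
console.log("sound vs builtin:  ", divergences(soundFold, Math.imul, INPUTS));
```

The unsound model reproduces the `--ion-eager` output (238609294) for `f(2147483648)`, while the builtin and the sound model give the `--baseline-eager` output (-238609294); the two evaluators only disagree once `x >>> 0` exceeds the int32 range.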