Differential Testing: Different output message involving arrays on ARM-simulator builds

RESOLVED DUPLICATE of bug 939157

Product: Core
Component: JavaScript Engine: JIT
Severity: major
Version: Trunk
Keywords: regression, testcase
Reported: 2 years ago
Last modified: 2 years ago

People

Reporter: gkw
Assignee: Unassigned

Tracking

Blocks: 2 bugs
Firefox Tracking Flags: firefox45 affected

(Reporter)

Description

2 years ago
function f(x) {
    for (var i = 0; i < 2; ++i) {
        print(x[0])
    }
}
f([0])
f([4294967297])

$ ./js-32-dm-armSim-darwin-1fbc958f7557 --fuzzing-safe --no-threads --baseline-eager testcase.js
0
0
4294967297
4294967297

$ ./js-32-dm-armSim-darwin-1fbc958f7557 --fuzzing-safe --no-threads --ion-eager testcase.js
0
0
4294967297
1048576


Tested this on m-c rev 1fbc958f7557.

My configure flags are:

LD=ld CROSS_COMPILE=1 CC="clang -Qunused-arguments -msse2 -mfpmath=sse -arch i386" RANLIB=ranlib CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments -msse2 -mfpmath=sse" AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 HOST_CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse" sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=i386-apple-darwin9.2.0 --enable-macos-target=10.5 --enable-arm-simulator --enable-simulator=arm --disable-debug --disable-threadsafe --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--disable-debug --enable-more-deterministic --32 --enable-simulator=arm" -r 1fbc958f7557

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/c0ad95a1ec35
user:        Sean Stangl
date:        Wed Sep 23 15:32:48 2015 -0700
summary:     Bug 1207843 - Part 3/3 - Clean up ARM Imm8::EncodeImm(). r=h4writer

Sean, is bug 1207843 a likely regressor?

Setting s-s because incorrect results from dealing with arrays seem scary.
Flags: needinfo?(sstangl)

Comment 1

I can't reproduce the failure locally on Linux with the ARM simulator.

Which is pretty scary! That patch changed the integer encoding logic. One would expect that if it were wrong, we would be seeing crashes all over the place.
(Reporter)

Comment 2

2 years ago
We've tested that this is:

Opt-only, not on debug
Mac ARM-simulator only (doesn't seem to reproduce on Linux)
Still reproducible on Mac m-c rev 451a18579143

Mac uses Clang, Linux uses GCC, so Sean suggested compiling with GCC on Mac.

I installed GCC 5.2.0 via Homebrew, but then compiling the js shell with GCC on a Mac fails with ICU, then when I compiled with "--without-intl-api", it failed too.

Comment 3

This is a duplicate of bug 939157, caused by undefined behavior when calling RotateLeft with a shift of zero. RotateLeft then performs >>32 on a 32-bit value, which clang happily optimizes away since the behavior is not well-defined.

Leaving open nevertheless.
Flags: needinfo?(sstangl)
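The following C is an added illustration of the defect class comment 3 describes; it is not the SpiderMonkey code from bug 1207843 or bug 939157. It reconstructs a rotate-left whose shift-by-zero case degenerates to `x >> 32` (undefined for a 32-bit operand, so the compiler may fold it away), the well-defined form that masks both shift counts, and an ARM modified-immediate encoder of the general kind `Imm8::EncodeImm()` performs, where the first rotation probed is zero and so hits exactly that case. The function names, the `(rot << 8) | imm8` result layout and the sample values are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Rotate-left written the way comment 3 describes the bug: when n == 0 the
 * second operand becomes x >> 32, which is undefined behaviour for a 32-bit
 * value (C11 6.5.7p3). A compiler is free to assume it never happens and,
 * for example, fold the expression to (x << n). Never call this with n == 0;
 * clang -fsanitize=undefined reports it at run time.
 */
static uint32_t rotl32_unsafe(uint32_t x, unsigned n) {
    return (x << n) | (x >> (32 - n));
}

/*
 * Well-defined for every n, including 0: both shift counts are masked to
 * 0..31, so n == 0 evaluates (x << 0) | (x >> 0) == x and no 32-bit shift
 * is ever emitted.
 */
static uint32_t rotl32(uint32_t x, unsigned n) {
    n &= 31;
    return (x << n) | (x >> ((32 - n) & 31));
}

static uint32_t rotr32(uint32_t x, unsigned n) {
    return rotl32(x, (32 - (n & 31)) & 31);
}

/*
 * ARM "modified immediate" (data-processing operand2): an 8-bit value
 * rotated right by an even amount 2*rot, rot in 0..15. Searching for an
 * encoding means rotating the candidate value LEFT by 2*rot and checking
 * whether it fits in 8 bits; rot == 0 is the first probe, which is exactly
 * the shift-by-zero case. Returns the assumed 12-bit (rot << 8) | imm8
 * encoding, or -1 if the value is not encodable. Example layout only, not
 * the SpiderMonkey Imm8 class.
 */
static int encode_arm_imm(uint32_t v) {
    for (unsigned rot = 0; rot < 16; rot++) {
        uint32_t imm8 = rotl32(v, 2 * rot);
        if (imm8 <= 0xFFu)
            return (int)((rot << 8) | imm8);
    }
    return -1;
}

/* Inverse of encode_arm_imm, used to round-trip an encoding. */
static uint32_t decode_arm_imm(int enc) {
    unsigned rot = ((unsigned)enc >> 8) & 0xFu;
    return rotr32((uint32_t)enc & 0xFFu, 2 * rot);
}

/*
 * On the range where both rotates are defined (n in 1..31) they must agree;
 * only n == 0 separates them, and that is the case the bug hits. Returns 1
 * when they agree on the constructed sample values.
 */
static int rotates_agree_where_defined(void) {
    const uint32_t samples[] = { 0x00000001u, 0x000000FFu, 0x80000000u, 0xDEADBEEFu };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        for (unsigned n = 1; n < 32; n++)
            if (rotl32_unsafe(samples[i], n) != rotl32(samples[i], n))
                return 0;
    return 1;
}

int main(void) {
    /* Constructed sample values: encodable at rot 0, 4, 2 and 15, then one that is not. */
    const uint32_t values[] = { 0x000000FFu, 0xFF000000u, 0xF000000Fu, 0x000003FCu, 0x00000101u };
    for (size_t i = 0; i < sizeof values / sizeof values[0]; i++) {
        int enc = encode_arm_imm(values[i]);
        if (enc < 0)
            printf("0x%08X: not encodable as an ARM modified immediate\n", values[i]);
        else
            printf("0x%08X: rot=%u imm8=0x%02X (round-trips to 0x%08X)\n",
                   values[i], (unsigned)enc >> 8, (unsigned)enc & 0xFFu, decode_arm_imm(enc));
    }
    printf("rotates agree for n in 1..31: %s\n", rotates_agree_where_defined() ? "yes" : "no");
    return 0;
}
```

The practical check this suggests for any rotate helper in a JIT: build the shell with `-fsanitize=undefined` and run the test case, since an opt-only, compiler-specific divergence like the one in the description is the signature of the optimizer exploiting an out-of-range shift rather than of a logic error in the encoder.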
(Reporter)

Comment 4

2 years ago
I confirm that the patch in bug 939157 comment 1 fixes this issue.
(Reporter)

Comment 5

2 years ago
Opening up because bug 939157 is open and has a landed patch.
Group: javascript-core-security
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 939157