Closed Bug 1220275 Opened 4 years ago Closed 4 years ago

Differential Testing: Different output message involving arrays on ARM-simulator builds

Categories

(Core :: JavaScript Engine: JIT, defect, major)

defect
Not set
major

Tracking


RESOLVED DUPLICATE of bug 939157
Tracking Status
firefox45 --- affected

People

(Reporter: gkw, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: regression, testcase)

function f(x) {
    for (var i = 0; i < 2; ++i) {
        print(x[0])
    }
}
f([0])
f([4294967297])

$ ./js-32-dm-armSim-darwin-1fbc958f7557 --fuzzing-safe --no-threads --baseline-eager testcase.js
0
0
4294967297
4294967297

$ ./js-32-dm-armSim-darwin-1fbc958f7557 --fuzzing-safe --no-threads --ion-eager testcase.js
0
0
4294967297
1048576

Tested this on m-c rev 1fbc958f7557.

My configure flags are:

LD=ld CROSS_COMPILE=1 CC="clang -Qunused-arguments -msse2 -mfpmath=sse -arch i386" RANLIB=ranlib CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments -msse2 -mfpmath=sse" AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 HOST_CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse" sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=i386-apple-darwin9.2.0 --enable-macos-target=10.5 --enable-arm-simulator --enable-simulator=arm --disable-debug --disable-threadsafe --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--disable-debug --enable-more-deterministic --32 --enable-simulator=arm" -r 1fbc958f7557

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/c0ad95a1ec35
user:        Sean Stangl
date:        Wed Sep 23 15:32:48 2015 -0700
summary:     Bug 1207843 - Part 3/3 - Clean up ARM Imm8::EncodeImm(). r=h4writer

Sean, is bug 1207843 a likely regressor?

Setting s-s because incorrect results from dealing with arrays seem scary.
Flags: needinfo?(sstangl)
I can't reproduce the failure locally on Linux with the ARM simulator.

Which is pretty scary! That patch changed the integer encoding logic. One would expect that if it were wrong, we would be seeing crashes all over the place.
We've tested that this is:

Opt-only, not on debug
Mac ARM-simulator only (doesn't seem to reproduce on Linux)
Still reproducible on Mac m-c rev 451a18579143

Mac uses Clang, Linux uses GCC, so Sean suggested compiling with GCC on Mac.

I installed GCC 5.2.0 via Homebrew, but then compiling the js shell with GCC on a Mac fails with ICU, then when I compiled with "--without-intl-api", it failed too.
This is a duplicate of Bug 939157, caused by undefined behavior when calling RotateLeft with a shift of zero. RotateLeft then performs >>32 on a 32-bit value, which clang happily optimizes away since the behavior is not well-defined.

Leaving open nevertheless.
Flags: needinfo?(sstangl)
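To make the undefined-behaviour point in the comment above concrete, here is an added C example that is not part of the bug report and not SpiderMonkey's code. It places the problematic rotate pattern (a right shift by 32 - n, which is undefined for n == 0 on a 32-bit operand) beside a rotate whose shift counts are masked, and then uses the safe rotate in a simplified ARM modified-immediate encoder. The encoder, the names rotl32_ub, rotl32, rotr32, encode_arm_imm and encoded_imm12, and the sample values are all constructed for illustration; the encoder only models the rule that an encodable value is an 8-bit constant rotated right by an even amount, with the zero-rotation case being exactly the one where the unsafe rotate would misbehave.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Problematic pattern (constructed reconstruction, not SpiderMonkey's code):
 * for n == 0 the right shift is by 32, which is undefined behaviour on a
 * 32-bit operand, so an optimizing compiler may drop it. Never call with 0. */
static uint32_t rotl32_ub(uint32_t x, unsigned n) {
    return (x << n) | (x >> (32 - n));
}

/* Well-defined rotate: masking keeps both shift counts in 0..31.
 * For n == 0 the right shift becomes x >> 0, so the result is x itself. */
static uint32_t rotl32(uint32_t x, unsigned n) {
    n &= 31;
    return (x << n) | (x >> ((32 - n) & 31));
}

static uint32_t rotr32(uint32_t x, unsigned n) {
    n &= 31;
    return (x >> n) | (x << ((32 - n) & 31));
}

/* Simplified ARM modified-immediate check (assumption: illustrative model,
 * not Imm8::EncodeImm()): a 32-bit value is encodable iff it equals an 8-bit
 * constant rotated right by an even amount 0..30; the 4-bit rot field holds
 * half of that rotation. Rotation 0 is the edge case the bug describes. */
static bool encode_arm_imm(uint32_t value, uint8_t *imm8, uint8_t *rot) {
    for (unsigned r = 0; r < 32; r += 2) {
        uint32_t candidate = rotl32(value, r);   /* r == 0: plain copy */
        if (candidate <= 0xFF) {
            *imm8 = (uint8_t)candidate;
            *rot = (uint8_t)(r / 2);
            return true;
        }
    }
    return false;
}

/* Pack the result as the 12-bit field (rot << 8) | imm8, or -1 if the value
 * is not encodable, and verify the round trip through rotr32 on the way. */
static int32_t encoded_imm12(uint32_t value) {
    uint8_t imm8 = 0, rot = 0;
    if (!encode_arm_imm(value, &imm8, &rot)) return -1;
    if (rotr32(imm8, 2u * rot) != value) return -1;  /* encoder self-check */
    return (int32_t)(((uint32_t)rot << 8) | imm8);
}

int main(void) {
    /* Constructed sample values: encodable with rotation 0, encodable with
     * rotation 8 (rot field 4), and one that no even rotation can encode. */
    const uint32_t samples[] = { 0x000000ABu, 0xFF000000u, 0x00001234u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; ++i) {
        int32_t enc = encoded_imm12(samples[i]);
        if (enc < 0)
            printf("0x%08X: not encodable\n", samples[i]);
        else
            printf("0x%08X: imm8=0x%02X rot=%u\n", samples[i],
                   (unsigned)(enc & 0xFF), (unsigned)(enc >> 8));
    }
    /* The two rotates agree for every shift the unsafe one can handle. */
    for (unsigned n = 1; n < 32; ++n)
        if (rotl32_ub(0x80000001u, n) != rotl32(0x80000001u, n))
            printf("mismatch at shift %u\n", n);
    return 0;
}
```

Masking the shift count (rather than special-casing n == 0) is the usual fix because it keeps the expression branch-free and recognizable to compilers as a rotate, while removing the shift-by-width that the text attributes to the miscompile.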
I confirm that the patch in bug 939157 comment 1 fixes this issue.
Opening up because bug 939157 is open and has a landed patch.
Group: javascript-core-security
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 939157