
Differential Testing: Different output message involving makeDebuggeeValue

Status: RESOLVED INVALID
Product: Core
Component: JavaScript Engine: JIT
Priority: --
Severity: major
Reported: 2 years ago
Last modified: a year ago
Reporter: gkw (Unassigned)
Blocks: 2 bugs
Keywords: regression, testcase
Version: Trunk
Hardware / OS: x86_64 / All
Points: ---
Firefox Tracking Flags: firefox46 unaffected
Whiteboard: [fuzzblocker]

Description (Reporter, 2 years ago)

// Adapted from randomly chosen test: js/src/jit-test/tests/debug/Object-script-AsmJSNative.js
function test(stdlib, foreign) {
    "use asm"
    function f() {}
    return f;
};
var g = newGlobal();
g.parent = this;
g.eval("\
    var dbg = new Debugger(); \
    var parentw = dbg.addDebuggee(parent);\
    var scriptw = parentw.makeDebuggeeValue(parent.test).script; \
");
// jsfunfuzz-generated
print(uneval(this));

$ ./js-dbg-32-dm-darwin-dd6d447fc6e0 --fuzzing-safe --no-threads --ion-eager testcase.js
/snip
}, schedulegc:function schedulegc() {
    [native code]
}, scriptw:(void 0), selectforgc:function selectforgc() {
    [native code]
}, serialize:function serialize() {
/snip

$ ./js-dbg-32-dm-darwin-dd6d447fc6e0 --fuzzing-safe --no-threads --ion-eager --no-fpu testcase.js
/snip
}, schedulegc:function schedulegc() {
    [native code]
}, scriptw:{}, selectforgc:function selectforgc() {
    [native code]
}, serialize:function serialize() {
/snip

Tested this on m-c rev dd6d447fc6e0.

My configure flags are:

LD=ld CROSS_COMPILE=1 CC="clang -Qunused-arguments -msse2 -mfpmath=sse -arch i386" RANLIB=ranlib CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments -msse2 -mfpmath=sse" AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 HOST_CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse" sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=i386-apple-darwin9.2.0 --enable-macos-target=10.5 --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic --32" -r dd6d447fc6e0

Note the difference in value for scriptw. This seems to have happened from the fix for bug 1191765, which is m-c rev 7e829bb51eed, onwards (there was an assertion failure before that, which was fixed in that rev). Thus, setting needinfo? from Jim and Nick, since this involves Debugger/makeDebuggeeValue and they reviewed/fixed bug 1191765.

Assuming related to bug 1191765.
Flags: needinfo?(nfitzgerald)
Flags: needinfo?(jimb)
Comment 1 (Reporter, 2 years ago)

Actually, this is happening often enough to be a [fuzzblocker] for compareJIT.
Whiteboard: [fuzzblocker]

Comment 2 (2 years ago)

I'm not able to reproduce this difference by varying the --no-fpu flag. However, changing the --no-asmjs flag does produce the same difference, and that difference is not a bug; Debugger is supposed to treat AsmJS code differently, since we don't actually retain bytecode scripts for them.

Is it possible that --no-fpu affects AsmJS handling somehow?

I made a slight modification to the test program, to print out only the relevant value:

function test(stdlib, foreign) {
    "use asm"
    function f() {}
    return f;
};
var g = newGlobal();
g.parent = this;
g.eval("\
    var dbg = new Debugger(); \
    var parentw = dbg.addDebuggee(parent);\
    var scriptw = parentw.makeDebuggeeValue(parent.test).script; \
");
// jsfunfuzz-generated
print(uneval(g.scriptw));

With this I get the following output:

$ obj~/js/src/js  --fuzzing-safe --no-threads --ion-eager ~/moz/diff.js
(void 0)
$ obj~/js/src/js  --fuzzing-safe --no-threads --ion-eager --no-fpu ~/moz/diff.js
(void 0)
$ obj~/js/src/js  --fuzzing-safe --no-threads --ion-eager --no-asmjs ~/moz/diff.js
({})
$
Flags: needinfo?(jimb)
Comment 3 (Reporter, 2 years ago)

(In reply to Jim Blandy :jimb from comment #2)
> Is it possible that --no-fpu affects AsmJS handling somehow?

Setting needinfo? from our asm.js folks.
Flags: needinfo?(luke)
Flags: needinfo?(bbouvier)

Comment 4 (2 years ago)

On x86, --no-fpu makes cx->jitSupportsFloatingPoint() false which in turn disables asm.js compilation.  On x64, we #ifdef IsSSE2Present() to return 'true' so asm.js will still work even with --no-fpu.
Flags: needinfo?(luke)
Flags: needinfo?(bbouvier)

Comment 5 (2 years ago)

Gary, given that this is an expected effect of --no-fpu, and Debugger is behaving correctly, what can we do to help the fuzzers? For example, I would have no problem special-casing Debugger's behavior based on JS shell command-line switches.

But the underlying problem here is that the fuzzer output is asking Debugger for information which is 1) essential to ordinary JS debugging, and so *must* be reported when Asm.js isn't involved; but is 2) not available at all under Asm.js. Since it's an issue of --no-asmjs (and hence --no-fpu) causing information loss, I don't see how we can make Debugger's behavior invariant under those flags.
Flags: needinfo?(nfitzgerald) → needinfo?(gary)
Comment 6 (Reporter, 2 years ago)

We always run with --fuzzing-safe, so can you put this special-case stuff in under --fuzzing-safe?
Flags: needinfo?(gary) → needinfo?(jimb)

Comment 7 (2 years ago)

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #6)
> We always run with --fuzzing-safe, so can you put this special-case stuff
> in under --fuzzing-safe?

I don't think you read everything I wrote. I am *willing* to special-case; I can't figure out *what* change in behavior the special case should cause.
Flags: needinfo?(jimb) → needinfo?(gary)
Comment 8 (Reporter, 2 years ago)

Sorry for the confusion. We discussed this a little more on IRC. We can blacklist / ignore certain testcases if certain functions are present in the testcase.

Jim suggests blacklisting ".script", ".parameterNames" and ".environment".

(also, I just retested and the symptom in comment 0 does reproduce with --no-asmjs.)
Flags: needinfo?(gary)
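The triage rule that emerges from comments 5 through 8 (do not treat output differences as a bug when the testcase reads Debugger.Object properties whose values legitimately differ once asm.js compilation is disabled) can be expressed as a small filter in front of the differential comparison. The following Python is an added example written for this page; it is not the funfuzz change referenced in the next comment nor SpiderMonkey code. The function names, the `outputs` dictionary shape and the `apply_blacklist` switch are assumptions; the sample testcase and its per-flag outputs are copied from the transcript in comment 2.

```python
import re

# Debugger.Object property names suggested for blacklisting in comment 8.
# Their values legitimately differ once asm.js compilation is disabled
# (--no-asmjs, or --no-fpu on 32-bit x86 per comment 4), because asm.js
# functions keep no bytecode script for Debugger to describe.
ASMJS_SENSITIVE_PROPERTIES = ("script", "parameterNames", "environment")

# Match `.script`, `.parameterNames`, `.environment` as whole property names,
# so that `.scriptw` (the variable name used in the testcase) is not a hit.
_SENSITIVE_RE = re.compile(r"\.(?:%s)\b" % "|".join(ASMJS_SENSITIVE_PROPERTIES))


def uses_asmjs_sensitive_debugger_api(source: str) -> bool:
    """True if the testcase reads a blacklisted Debugger.Object property."""
    return _SENSITIVE_RE.search(source) is not None


def compare_jit_verdict(source: str, outputs: dict, apply_blacklist: bool = True) -> str:
    """Classify one differential-testing run (hypothetical helper).

    `outputs` maps a label for each shell flag set to the output captured
    from running `source` under those flags.  Returns 'skipped' when the
    testcase is blacklisted, 'same' when every flag set produced identical
    output, and 'differs' otherwise.  Pass apply_blacklist=False to see the
    verdict the comparison would reach without the filter.
    """
    if apply_blacklist and uses_asmjs_sensitive_debugger_api(source):
        return "skipped"
    distinct = {out.strip() for out in outputs.values()}
    return "same" if len(distinct) <= 1 else "differs"


# Constructed sample: the reduced testcase from comment 2 and, per flag set,
# the output the shell printed there.
REDUCED_TESTCASE = r'''
function test(stdlib, foreign) {
    "use asm"
    function f() {}
    return f;
};
var g = newGlobal();
g.parent = this;
g.eval("\
    var dbg = new Debugger(); \
    var parentw = dbg.addDebuggee(parent);\
    var scriptw = parentw.makeDebuggeeValue(parent.test).script; \
");
print(uneval(g.scriptw));
'''

OBSERVED_OUTPUTS = {
    "--ion-eager": "(void 0)\n",
    "--ion-eager --no-fpu": "(void 0)\n",
    "--ion-eager --no-asmjs": "({})\n",
}


def demo() -> dict:
    """Verdicts for the page's testcase (with and without the filter) and for a harmless one."""
    harmless = "print(1 + 1);"
    return {
        "reduced_testcase": compare_jit_verdict(REDUCED_TESTCASE, OBSERVED_OUTPUTS),
        "reduced_testcase_unfiltered": compare_jit_verdict(
            REDUCED_TESTCASE, OBSERVED_OUTPUTS, apply_blacklist=False),
        "harmless_same": compare_jit_verdict(harmless, {"a": "2\n", "b": "2\n"}),
        "harmless_differs": compare_jit_verdict(harmless, {"a": "2\n", "b": "3\n"}),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Without the filter the reduced testcase is reported as a difference, which is exactly the false positive comment 5 describes; with it, the case is skipped while genuine output mismatches in other testcases are still flagged. The word-boundary match is a deliberate choice so that identifiers such as `scriptw` do not trigger the skip; a plain substring check would be more conservative at the cost of more skipped testcases.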
Comment 9 (Reporter, 2 years ago)

Resolving as INVALID; this is not a bug in SpiderMonkey then.

Added the blacklist in:

https://github.com/MozillaSecurity/funfuzz/commit/047cb93b3858e1df35752a196043cb2ab92c61fe
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → INVALID
status-firefox46: affected → unaffected