Closed
Bug 1237464
Opened 8 years ago
Closed 8 years ago
Differential Testing: Different output message involving makeDebuggeeValue
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
RESOLVED
INVALID
Tracking | Status | |
---|---|---|
firefox46 | --- | unaffected |
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: regression, testcase, Whiteboard: [fuzzblocker])
```js
// Adapted from randomly chosen test: js/src/jit-test/tests/debug/Object-script-AsmJSNative.js
function test(stdlib, foreign) {
    "use asm"
    function f() {}
    return f;
};
var g = newGlobal();
g.parent = this;
g.eval("\
    var dbg = new Debugger(); \
    var parentw = dbg.addDebuggee(parent);\
    var scriptw = parentw.makeDebuggeeValue(parent.test).script; \
");
// jsfunfuzz-generated
print(uneval(this));
```

```
$ ./js-dbg-32-dm-darwin-dd6d447fc6e0 --fuzzing-safe --no-threads --ion-eager testcase.js
/snip
}, schedulegc:function schedulegc() { [native code] }, scriptw:(void 0), selectforgc:function selectforgc() { [native code] }, serialize:function serialize() {
/snip

$ ./js-dbg-32-dm-darwin-dd6d447fc6e0 --fuzzing-safe --no-threads --ion-eager --no-fpu testcase.js
/snip
}, schedulegc:function schedulegc() { [native code] }, scriptw:{}, selectforgc:function selectforgc() { [native code] }, serialize:function serialize() {
/snip
```

Tested this on m-c rev dd6d447fc6e0.

My configure flags are:

```
LD=ld CROSS_COMPILE=1 CC="clang -Qunused-arguments -msse2 -mfpmath=sse -arch i386" RANLIB=ranlib CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments -msse2 -mfpmath=sse" AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 HOST_CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse" sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=i386-apple-darwin9.2.0 --enable-macos-target=10.5 --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic --32" -r dd6d447fc6e0
```

Note the difference in value for scriptw.

This seems to have happened from the fix for bug 1191765, which is m-c rev 7e829bb51eed, onwards. (there was an assertion failure before that, which was fixed in that rev)

Thus, setting needinfo? from Jim and Nick, since this involves Debugger/makeDebuggeeValue and they reviewed/fixed bug 1191765. Assuming related to bug 1191765.
Flags: needinfo?(nfitzgerald)
Flags: needinfo?(jimb)
Reporter
Comment 1•8 years ago
Actually, this is happening often enough to be a [fuzzblocker] for compareJIT.
Whiteboard: [fuzzblocker]
Comment 2•8 years ago
I'm not able to reproduce this difference by varying the --no-fpu flag. However, changing the --no-asmjs flag does produce the same difference, and that difference is not a bug; Debugger is supposed to treat AsmJS code differently, since we don't actually retain bytecode scripts for them.

Is it possible that --no-fpu affects AsmJS handling somehow?

I made a slight modification to the test program, to print out only the relevant value:

```js
function test(stdlib, foreign) {
    "use asm"
    function f() {}
    return f;
};
var g = newGlobal();
g.parent = this;
g.eval("\
    var dbg = new Debugger(); \
    var parentw = dbg.addDebuggee(parent);\
    var scriptw = parentw.makeDebuggeeValue(parent.test).script; \
");
// jsfunfuzz-generated
print(uneval(g.scriptw));
```

With this I get the following output:

```
$ obj~/js/src/js --fuzzing-safe --no-threads --ion-eager ~/moz/diff.js
(void 0)
$ obj~/js/src/js --fuzzing-safe --no-threads --ion-eager --no-fpu ~/moz/diff.js
(void 0)
$ obj~/js/src/js --fuzzing-safe --no-threads --ion-eager --no-asmjs ~/moz/diff.js
({})
$
```
Flags: needinfo?(jimb)
Reporter
Comment 3•8 years ago
(In reply to Jim Blandy :jimb from comment #2)
> Is it possible that --no-fpu affects AsmJS handling somehow?

Setting needinfo? from our asm.js folks.
Flags: needinfo?(luke)
Flags: needinfo?(bbouvier)
Comment 4•8 years ago
On x86, --no-fpu makes cx->jitSupportsFloatingPoint() false which in turn disables asm.js compilation. On x64, we #ifdef IsSSE2Present() to return 'true' so asm.js will still work even with --no-fpu.
Flags: needinfo?(luke)
Updated•8 years ago
Flags: needinfo?(bbouvier)
Comment 5•8 years ago
Gary, given that this is an expected effect of --no-fpu, and Debugger is behaving correctly, what can we do to help the fuzzers? For example, I would have no problem special-casing Debugger's behavior based on JS shell command-line switches. But the underlying problem here is that the fuzzer output is asking Debugger for information which is 1) essential to ordinary JS debugging, and so *must* be reported when Asm.js isn't involved; but is 2) not available at all under Asm.js. Since it's an issue of --no-asmjs (and hence --no-fpu) causing information loss, I don't see how we can make Debugger's behavior invariant under those flags.
Flags: needinfo?(nfitzgerald) → needinfo?(gary)
Reporter
Comment 6•8 years ago
We always run with --fuzzing-safe, so can you put these special-case stuff in under --fuzzing-safe?
Flags: needinfo?(gary) → needinfo?(jimb)
Comment 7•8 years ago
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #6)
> We always run with --fuzzing-safe, so can you put these special-case stuff
> in under --fuzzing-safe?

I don't think you read everything I wrote. I am *willing* to special-case; I can't figure out *what* change in behavior the special case should cause.
Flags: needinfo?(jimb) → needinfo?(gary)
Reporter
Comment 8•8 years ago
Sorry for the confusion. We discussed a little more about this on IRC. We can blacklist / ignore certain testcases if certain functions are present in the testcase. Jim suggests blacklisting ".script", ".parameterNames" and ".environment". (also, I just retested and the symptom in comment 0 does reproduce with --no-asmjs.)
Flags: needinfo?(gary)
Reporter
Comment 9•8 years ago
Resolving INVALID, this is not a bug in SpiderMonkey then. Added the blacklist in: https://github.com/MozillaSecurity/funfuzz/commit/047cb93b3858e1df35752a196043cb2ab92c61fe
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
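An added sketch (not funfuzz's code, and not taken from the linked commit) of the workaround described in comment 8: a differential comparison that sets aside diverging output when the testcase touches one of the three Debugger accessors named there. The function names, result labels and sample inputs are assumptions constructed for this example; the testcase is adapted from comment 2.

```python
import re

# Debugger accessors named in comment 8; their values legitimately depend on
# whether asm.js compilation is enabled (--no-asmjs, or --no-fpu on x86).
IGNORED_ACCESSORS = (".script", ".parameterNames", ".environment")
_ACCESSOR_RE = re.compile("|".join(re.escape(a) + r"\b" for a in IGNORED_ACCESSORS))


def unreliable_accessors(source):
    """Return the ignored accessors used as property accesses in the testcase."""
    return sorted(set(_ACCESSOR_RE.findall(source)))


def classify(source, outputs_by_flags):
    """Compare shell output across flag sets (hypothetical harness helper).

    outputs_by_flags maps a tuple of shell flags to the output of that run.
    Returns ("match", []), ("ignored", accessors) or ("mismatch", flag sets).
    """
    if len(set(outputs_by_flags.values())) <= 1:
        return ("match", [])
    used = unreliable_accessors(source)
    if used:
        # Expected divergence: Debugger has no bytecode script for asm.js code.
        return ("ignored", used)
    return ("mismatch", sorted(" ".join(flags) for flags in outputs_by_flags))


# Constructed sample: testcase adapted from comment 2 and its two outputs.
TESTCASE = r'''
function test(stdlib, foreign) { "use asm"; function f() {} return f; }
var g = newGlobal();
g.parent = this;
g.eval("var dbg = new Debugger();" +
       "var parentw = dbg.addDebuggee(parent);" +
       "var scriptw = parentw.makeDebuggeeValue(parent.test).script;");
print(uneval(g.scriptw));
'''
OUTPUTS = {
    ("--fuzzing-safe", "--ion-eager"): "(void 0)",
    ("--fuzzing-safe", "--ion-eager", "--no-asmjs"): "({})",
}

if __name__ == "__main__":
    print(classify(TESTCASE, OUTPUTS))  # ('ignored', ['.script'])
```

A filter of this kind also hides any real JIT divergence in testcases that touch these accessors, so the number of ignored results is worth tracking alongside the mismatches.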
Updated•8 years ago