1237464 - Differential Testing: Different output message involving makeDebuggeeValue

Status: RESOLVED INVALID

(Core :: JavaScript Engine: JIT, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

// Adapted from randomly chosen test: js/src/jit-test/tests/debug/Object-script-AsmJSNative.js
function test(stdlib, foreign) {
    "use asm"
    function f() {}
    return f;
};
var g = newGlobal();
g.parent = this;
g.eval("\
    var dbg = new Debugger(); \
    var parentw = dbg.addDebuggee(parent);\
    var scriptw = parentw.makeDebuggeeValue(parent.test).script; \
");
// jsfunfuzz-generated
print(uneval(this));

$ ./js-dbg-32-dm-darwin-dd6d447fc6e0 --fuzzing-safe --no-threads --ion-eager testcase.js
/snip
}, schedulegc:function schedulegc() {
    [native code]
}, scriptw:(void 0), selectforgc:function selectforgc() {
    [native code]
}, serialize:function serialize() {
/snip

$ ./js-dbg-32-dm-darwin-dd6d447fc6e0 --fuzzing-safe --no-threads --ion-eager --no-fpu testcase.js
/snip
}, schedulegc:function schedulegc() {
    [native code]
}, scriptw:{}, selectforgc:function selectforgc() {
    [native code]
}, serialize:function serialize() {
/snip

Tested this on m-c rev dd6d447fc6e0.

My configure flags are:

LD=ld CROSS_COMPILE=1 CC="clang -Qunused-arguments -msse2 -mfpmath=sse -arch i386" RANLIB=ranlib CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments -msse2 -mfpmath=sse" AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 HOST_CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse" sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=i386-apple-darwin9.2.0 --enable-macos-target=10.5 --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic --32" -r dd6d447fc6e0

Note the difference in value for scriptw. This seems to have happened from the fix for bug 1191765, which is m-c rev 7e829bb51eed, onwards. (there was an assertion failure before that, which was fixed in that rev) Thus, setting needinfo? from Jim and Nick, since this involves Debugger/makeDebuggeeValue and they reviewed/fixed bug 1191765.

Assuming related to bug 1191765.

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Actually, this is happening often enough to be a [fuzzblocker] for compareJIT.

Comment 2

[Jim Blandy :jimb]

I'm not able to reproduce this difference by varying the --no-fpu flag. However, changing the --no-asmjs flag does produce the same difference, and that difference is not a bug; Debugger is supposed to treat AsmJS code differently, since we don't actually retain bytecode scripts for them.

Is it possible that --no-fpu affects AsmJS handling somehow?

I made a slight modification to the test program, to print out only the relevant value:

function test(stdlib, foreign) {
    "use asm"
    function f() {}
    return f;
};
var g = newGlobal();
g.parent = this;
g.eval("\
    var dbg = new Debugger(); \
    var parentw = dbg.addDebuggee(parent);\
    var scriptw = parentw.makeDebuggeeValue(parent.test).script; \
");
// jsfunfuzz-generated
print(uneval(g.scriptw));

With this I get the following output:

$ obj~/js/src/js  --fuzzing-safe --no-threads --ion-eager ~/moz/diff.js
(void 0)
$ obj~/js/src/js  --fuzzing-safe --no-threads --ion-eager --no-fpu ~/moz/diff.js
(void 0)
$ obj~/js/src/js  --fuzzing-safe --no-threads --ion-eager --no-asmjs ~/moz/diff.js
({})
$

Comment 3

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

(In reply to Jim Blandy :jimb from comment #2)
> Is it possible that --no-fpu affects AsmJS handling somehow?

Setting needinfo? from our asm.js folks.

Comment 4

[Luke Wagner [:luke]]

On x86, --no-fpu makes cx->jitSupportsFloatingPoint() false which in turn disables asm.js compilation.  On x64, we #ifdef IsSSE2Present() to return 'true' so asm.js will still work even with --no-fpu.

Comment 5

[Jim Blandy :jimb]

Gary, given that this is an expected effect of --no-fpu, and Debugger is behaving correctly, what can we do to help the fuzzers? For example, I would have no problem special-casing Debugger's behavior based on JS shell command-line switches.

But the underlying problem here is that the fuzzer output is asking Debugger for information which is 1) essential to ordinary JS debugging, and so *must* be reported when Asm.js isn't involved; but is 2) not available at all under Asm.js. Since it's an issue of --no-asmjs (and hence --no-fpu) causing information loss, I don't see how we can make Debugger's behavior invariant under those flags.

Comment 6

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

We always run with --fuzzing-safe, so can you put these special-case stuff in under --fuzzing-safe?

Comment 7

[Jim Blandy :jimb]

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #6)
> We always run with --fuzzing-safe, so can you put these special-case stuff
> in under --fuzzing-safe?

I don't think you read everything I wrote. I am *willing* to special-case; I can't figure out *what* change in behavior the special case should cause.

Comment 8

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Sorry for the confusion. We discussed a little more about this on IRC. We can blacklist / ignore certain testcases if certain functions are present in the testcase.

Jim suggests blacklisting ".script", ".parameterNames" and ".environment".

(also, I just retested and the symptom in comment 0 does reproduce with --no-asmjs.)

Comment 9

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Resolving INVALID, this is not a bug in SpiderMonkey then.

Added the blacklist in:

https://github.com/MozillaSecurity/funfuzz/commit/047cb93b3858e1df35752a196043cb2ab92c61fe