Closed Bug 1253898 Opened 8 years ago Closed 8 years ago

Differential Testing: Different output message involving Array.prototype

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86_64
All
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gkw, Assigned: mrrrgn)

References

Details

(Keywords: regression, testcase) 

x = [];
Array.prototype.unshift.apply(x, [undefined]);
x.forEach((function() {
    y = arguments;
}));
Array.prototype.sort.apply(y, [function() {}]);
Array.prototype.sort.apply(y, [function() {}]);
print(uneval(y));

$ ./js-dbg-64-dm-clang-darwin-5a2e0878d6c2 --fuzzing-safe --no-threads --ion-eager testcase.js
({0:0, 1:0, 2:[(void 0)]})

$ ./js-dbg-64-dm-clang-darwin-5a2e0878d6c2 --fuzzing-safe --no-threads --baseline-eager testcase.js
({0:0, 1:[(void 0)], 2:(void 0)})

Tested this on m-c rev 5a2e0878d6c2.

My configure flags are:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin14.5.0 --disable-jemalloc --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic" -r 5a2e0878d6c2

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/3821b8259c65
user:        Morgan Phillips
date:        Tue Feb 09 18:47:34 2016 -0600
summary:     Bug 1246860 - Preserve holes when sorting arrays with a custom comparator. r=till

Morgan, is bug 1246860 a likely regressor?
Flags: needinfo?(winter2718)
Summary: Differential Testing: Different output message involving arrays → Differential Testing: Different output message involving Array.prototype
It is. Taking ownership.
Assignee: nobody → winter2718
Flags: needinfo?(winter2718)
So, the problem seems to lay in "_DefineDataProperty." Commenting it out in "MoveHoles" (from builtin/Sorting.js), and replacing it with regular array assignment, fixes the discrepancy.

// Helper function for overwriting a sparse array with a
// dense array, filling remaining slots with holes.
function MoveHoles(sparse, sparseLen, dense, denseLen) {
    for (var i = 0; i < denseLen; i++)
        sparse[i] = dense[i];//_DefineDataProperty(sparse, i, dense[i]);
    for (var j = denseLen; j < sparseLen; j++)
        delete sparse[j];
}
This was fixed by bug Bug 1260673.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Dupe. Clearing affected 47.
status-firefox47: affected → ---
You need to log in before you can comment on or make changes to this bug.