Closed Bug 1253898 Opened 10 years ago Closed 9 years ago

Differential Testing: Different output message involving Array.prototype

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86_64
All
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gkw, Assigned: mrrrgn)

References

Details

(Keywords: regression, testcase)

x = []; Array.prototype.unshift.apply(x, [undefined]); x.forEach((function() { y = arguments; })); Array.prototype.sort.apply(y, [function() {}]); Array.prototype.sort.apply(y, [function() {}]); print(uneval(y)); $ ./js-dbg-64-dm-clang-darwin-5a2e0878d6c2 --fuzzing-safe --no-threads --ion-eager testcase.js ({0:0, 1:0, 2:[(void 0)]}) $ ./js-dbg-64-dm-clang-darwin-5a2e0878d6c2 --fuzzing-safe --no-threads --baseline-eager testcase.js ({0:0, 1:[(void 0)], 2:(void 0)}) Tested this on m-c rev 5a2e0878d6c2. My configure flags are: CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin14.5.0 --disable-jemalloc --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic" -r 5a2e0878d6c2 autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/3821b8259c65 user: Morgan Phillips date: Tue Feb 09 18:47:34 2016 -0600 summary: Bug 1246860 - Preserve holes when sorting arrays with a custom comparator. r=till Morgan, is bug 1246860 a likely regressor?
Flags: needinfo?(winter2718)
Summary: Differential Testing: Different output message involving arrays → Differential Testing: Different output message involving Array.prototype
It is. Taking ownership.
Assignee: nobody → winter2718
Flags: needinfo?(winter2718)
So, the problem seems to lay in "_DefineDataProperty." Commenting it out in "MoveHoles" (from builtin/Sorting.js), and replacing it with regular array assignment, fixes the discrepancy. // Helper function for overwriting a sparse array with a // dense array, filling remaining slots with holes. function MoveHoles(sparse, sparseLen, dense, denseLen) { for (var i = 0; i < denseLen; i++) sparse[i] = dense[i];//_DefineDataProperty(sparse, i, dense[i]); for (var j = denseLen; j < sparseLen; j++) delete sparse[j]; }
This was fixed by bug Bug 1260673.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Dupe. Clearing affected 47.
status-firefox47: affected → ---
You need to log in before you can comment on or make changes to this bug.