Closed Bug 1266242 Opened 8 years ago Closed 8 years ago

Differential Testing: Different output message involving .splice

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
All
defect
Not set
major

Tracking


RESOLVED DUPLICATE of bug 1268626
Tracking Status
firefox47 --- affected
firefox48 --- affected
firefox-esr45 --- unaffected

People

(Reporter: gkw, Unassigned)

Details

(Keywords: testcase)

x = [];
for (var i = 0; i < 4; i++) {
    x.splice(5, ({
        valueOf: function() {
            x.pop();
        }
    }), 0);
}
x.sort(function() {});
print(uneval(x));


$ ./js-dbg-64-dm-clang-darwin-ae7413abfa4d --fuzzing-safe --no-threads --ion-eager testcase.js
[0, (void 0), , ,]

$ ./js-dbg-64-dm-clang-darwin-ae7413abfa4d --fuzzing-safe --no-threads --no-baseline --no-ion testcase.js
[0, , , ,]

Tested this on m-c rev ae7413abfa4d.

My configure flags are:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin14.5.0 --disable-jemalloc --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic" -r ae7413abfa4d


autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/1c4b0a89fd5b
user:        Morgan Phillips
date:        Sun Jan 24 19:32:22 2016 -0600
summary:     Bug 715181 - Self-host Array.sort; r=till
Flags: needinfo?(winter2718)
It's a good bet that this one's on me, taking the bug until I find otherwise.
Flags: needinfo?(winter2718)
Assignee: nobody → winter2718
So, this seems to actually be a problem with |if (x in array) {}| for holes. Here is a new test case which highlights the issue:

x = [];
for (var i = 0; i < 4; i++) {
    x.splice(5, ({
        valueOf: function() {
            x.pop();
        }
    }), 0);
}

function denseLen(x) {
    let xLen = 0;
    for (let i = 0; i < x.length; i++)
        if (i in x)
            xLen++;
    return xLen;
}

assertEq(denseLen(x), 1);
Assignee: winter2718 → nobody
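An added differential-testing oracle (not code from the bug, the fuzzer or SpiderMonkey): Array.prototype.splice reimplemented from the ES2015 algorithm steps, run on the loop from comment 0 beside the engine's own splice, with denseLen() from comment 2 and a hole-aware comparison so an explicit undefined written where a hole belongs (as in the --ion-eager output above) is flagged. Assumes a Node-style environment; the helper names are assumptions.

```javascript
// ToInteger (ES2015 7.1.4): Number() calls valueOf, which in the testcase
// pops from the very array being spliced.
function toInteger(v) { const n = Number(v); return Number.isNaN(n) ? 0 : Math.trunc(n); }
function moveOrDelete(o, from, to) { if (from in o) o[to] = o[from]; else delete o[to]; }

// Array.prototype.splice written from the ES2015 22.1.3.25 steps, using `in`,
// property reads and deletes so holes appear exactly where the spec says.
function specSplice(o, ...args) {
  const [start, deleteCount, ...items] = args;
  const len = toInteger(o.length);
  const rel = toInteger(start);
  const actualStart = rel < 0 ? Math.max(len + rel, 0) : Math.min(rel, len);
  let adc = 0;                                       // actualDeleteCount
  if (args.length === 1) adc = len - actualStart;
  else if (args.length > 1) adc = Math.min(Math.max(toInteger(deleteCount), 0), len - actualStart);
  const removed = new Array(adc);
  for (let k = 0; k < adc; k++) if ((actualStart + k) in o) removed[k] = o[actualStart + k];
  const ic = items.length;
  if (ic < adc) {
    for (let k = actualStart; k < len - adc; k++) moveOrDelete(o, k + adc, k + ic);
    for (let k = len; k > len - adc + ic; k--) delete o[k - 1];
  } else if (ic > adc) {
    for (let k = len - adc; k > actualStart; k--) moveOrDelete(o, k + adc - 1, k + ic - 1);
  }
  for (let k = 0; k < ic; k++) o[actualStart + k] = items[k];
  o.length = len - adc + ic;
  return removed;
}

// Hole-aware comparison: a hole and an explicit undefined are not the same.
function sameShape(a, b) {
  if (a.length !== b.length) return false;
  for (let i = 0; i < a.length; i++) if ((i in a) !== (i in b) || a[i] !== b[i]) return false;
  return true;
}

// denseLen() from comment 2, and the fuzzer loop from comment 0 parameterised
// on which splice it calls (constructed to match the testcase, not the shell run).
function denseLen(a) { let n = 0; for (let i = 0; i < a.length; i++) if (i in a) n++; return n; }
function runTestcase(splice) {
  const x = [];
  for (let i = 0; i < 4; i++) splice(x, 5, { valueOf() { x.pop(); } }, 0);
  return x;
}

// Differential check: the engine's own splice against the reference.
function differential() {
  const ref = runTestcase(specSplice);
  const native = runTestcase((a, ...rest) => a.splice(...rest));
  return { refLen: ref.length, refDense: denseLen(ref), nativeDense: denseLen(native), agree: sameShape(native, ref) };
}
```

Per the spec steps the reference ends with [ , , , 0] (length 4, one dense element), which is the interpreter-only result; a differing nativeDense or agree === false is the kind of divergence the fuzzer reported.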
Unassigning myself. Gary, could we do another bisection for the testcase I provided above?
Flags: needinfo?(gary)
Unfortunately this seems to be happening since early Nov 2014, m-c rev dc4b163f7db7. Setting needinfo? from Jason as a start.
Flags: needinfo?(gary) → needinfo?(jorendorff)
Ion-only. Bouncing to Jan.
Flags: needinfo?(jorendorff) → needinfo?(jdemooij)
No longer blocks: 715181
Duplicate of bug 1268626, the bug is in array_splice. I'll get that landed.

I confirmed the patch there fixes the test in comment 2.
Group: javascript-core-security
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(jdemooij)
Resolution: --- → DUPLICATE
Summary: Differential Testing: Different output message involving .sort → Differential Testing: Different output message involving .splice
Group: javascript-core-security