Closed
Bug 1271850
Opened 8 years ago
Closed 7 years ago
Differential Testing: Different output message involving length
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1027846
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: testcase)
Attachments
(1 file)
|
2.45 KB,
patch
|
Details | Diff | Splinter Review |
var x = new Uint8Array;
var e1 = Set;
var y = [];
var t = Array.prototype.concat.apply(y, [x]);
Set.toSource = function() {
v = x.length;
}
print(uneval(Set));
gc();
x.__proto__ = y;
Array.prototype.splice.apply(y, [, , 0]);
var f = Set;
print(uneval(this));
$ ./js-dbg-64-dm-clang-darwin-1579b9e2e50f --fuzzing-safe --no-threads --baseline-eager testcase.js
/snip
}, throwOutOfMemory:function throwOutOfMemory() {
[native code]
}, timeout:function timeout() {
[native code]
}, v:1, verifypostbarriers:function verifypostbarriers() {
[native code]
}, verifyprebarriers:function verifyprebarriers() {
[native code]
/snip
$ ./js-dbg-64-dm-clang-darwin-1579b9e2e50f --fuzzing-safe --no-threads --ion-eager testcase.js
/snip
}, throwOutOfMemory:function throwOutOfMemory() {
[native code]
}, timeout:function timeout() {
[native code]
}, v:0, verifypostbarriers:function verifypostbarriers() {
[native code]
}, verifyprebarriers:function verifyprebarriers() {
[native code]
/snip
Note the difference in the value of "v".
Tested this on m-c rev 1579b9e2e50f.
My configure flags are:
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin14.5.0 --disable-jemalloc --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic" -r 1579b9e2e50f
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/70e78d669f9d
user: Tooru Fujisawa
date: Fri Dec 18 17:02:27 2015 +0900
summary: Bug 1233642 - Part 2: Self-host Array.prototype.concat. r=efaust,bholley
Arai-san, is bug 1233642 a likely regressor?Flags: needinfo?(arai.unmht)
|
Reporter | |
Updated•8 years ago
|
Blocks: 1233642
status-firefox48:
--- → affected
|
||
Comment 1•8 years ago
|
||
Underlying issue seems to be more old and different.
Here's the testing patch, reduced testcase (without Array#concat), and the output.
test code:
var ToObject = getSelfHostedValue("ToObject");
function g(arg1) {
var O = ToObject(this);
var E = O;
for (var i = 0; i < 2; i++) {
E.length;
E = arg1;
}
}
var tarr = new Uint8Array;
var arr = [1];
g.call(arr, tarr);
function f() {
print(tarr.length);
}
f();
tarr.__proto__ = arr;
gc();
f();
f();
f();
f();
output for --no-threads --baseline-eager
ComputeGetPropResult -- GetProperty: 1
ComputeGetPropResult -- GetProperty: 0
ComputeGetPropResult -- GetProperty: 0
0
ComputeGetPropResult -- GetProperty: 1
1
ComputeGetPropResult -- GetProperty: 1
1
ComputeGetPropResult -- GetProperty: 1
1
ComputeGetPropResult -- GetProperty: 1
1
output for --no-threads --ion-eager
ComputeGetPropResult -- GetProperty: 1
ComputeGetPropResult -- GetProperty: 0
ComputeGetPropResult -- GetProperty: 0
0
GetPropertyIC::update -- GetProperty: 1
1
GenerateTypedArrayLength -- length: 0
0
GenerateTypedArrayLength -- length: 0
0
GenerateTypedArrayLength -- length: 0
0
The optimized code for TypedArray length is attached wronly after modifying `tarr.__proto__`.
Maybe, the type check in GetPropertyIC::tryAttachTypedArrayLength is insufficient?Flags: needinfo?(arai.unmht) → needinfo?(efaustbmo)
|
|
Reporter | |
Comment 2•8 years ago
|
||
Using the testcase in comment 1: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/3a994e364343 user: Brian Hackett date: Sat Jun 13 07:54:06 2015 -0700 summary: Bug 1172943 - Use unboxed arrays for JSON and script literal arrays, r=jandem. Would bug 1172943 be a more likely regressor?
|
||
Comment 3•8 years ago
|
||
This is just bug 1027846, then. Which hasn't been fixed because perf FUD about adding a shape-check to typed array length accesses. *stab*
|
|
Reporter | |
Comment 4•8 years ago
|
||
I'm guessing this is now a dupe?
Summary: Differential Testing: Different output message involving Array.prototype → Differential Testing: Different output message involving length
|
|
||
Updated•8 years ago
|
Flags: needinfo?(efaustbmo)
|
|
Reporter | |
Comment 5•7 years ago
|
||
Duping to bug 1027846 as per comment 3.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•