Closed Bug 1271850 Opened 9 years ago Closed 8 years ago

Differential Testing: Different output message involving length

Categories

(Core :: JavaScript Engine: JIT, defect)

x86
All
defect
Not set
major

Tracking


RESOLVED DUPLICATE of bug 1027846
Tracking Status
firefox48 --- affected
firefox49 --- affected

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: testcase)

Attachments

(1 file)

Testcase:

var x = new Uint8Array;
var e1 = Set;
var y = [];
var t = Array.prototype.concat.apply(y, [x]);
Set.toSource = function() {
  v = x.length;
}
print(uneval(Set));
gc();
x.__proto__ = y;
Array.prototype.splice.apply(y, [, , 0]);
var f = Set;
print(uneval(this));

$ ./js-dbg-64-dm-clang-darwin-1579b9e2e50f --fuzzing-safe --no-threads --baseline-eager testcase.js
/snip
}, throwOutOfMemory:function throwOutOfMemory() { [native code] }, timeout:function timeout() { [native code] }, v:1, verifypostbarriers:function verifypostbarriers() { [native code] }, verifyprebarriers:function verifyprebarriers() { [native code]
/snip

$ ./js-dbg-64-dm-clang-darwin-1579b9e2e50f --fuzzing-safe --no-threads --ion-eager testcase.js
/snip
}, throwOutOfMemory:function throwOutOfMemory() { [native code] }, timeout:function timeout() { [native code] }, v:0, verifypostbarriers:function verifypostbarriers() { [native code] }, verifyprebarriers:function verifyprebarriers() { [native code]
/snip

Note the difference in the value of "v".

Tested this on m-c rev 1579b9e2e50f.

My configure flags are:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin14.5.0 --disable-jemalloc --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic" -r 1579b9e2e50f

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/70e78d669f9d
user:        Tooru Fujisawa
date:        Fri Dec 18 17:02:27 2015 +0900
summary:     Bug 1233642 - Part 2: Self-host Array.prototype.concat. r=efaust,bholley

Arai-san, is bug 1233642 a likely regressor?
Flags: needinfo?(arai.unmht)
Attached patch: testing patch (Splinter Review)
Underlying issue seems to be older and different.
Here's the testing patch, reduced testcase (without Array#concat), and the output.

test code:

var ToObject = getSelfHostedValue("ToObject");
function g(arg1) {
  var O = ToObject(this);
  var E = O;
  for (var i = 0; i < 2; i++) {
    E.length;
    E = arg1;
  }
}
var tarr = new Uint8Array;
var arr = [1];
g.call(arr, tarr);
function f() {
  print(tarr.length);
}
f();
tarr.__proto__ = arr;
gc();
f();
f();
f();
f();

output for --no-threads --baseline-eager

ComputeGetPropResult -- GetProperty: 1
ComputeGetPropResult -- GetProperty: 0
ComputeGetPropResult -- GetProperty: 0
0
ComputeGetPropResult -- GetProperty: 1
1
ComputeGetPropResult -- GetProperty: 1
1
ComputeGetPropResult -- GetProperty: 1
1
ComputeGetPropResult -- GetProperty: 1
1

output for --no-threads --ion-eager

ComputeGetPropResult -- GetProperty: 1
ComputeGetPropResult -- GetProperty: 0
ComputeGetPropResult -- GetProperty: 0
0
GetPropertyIC::update -- GetProperty: 1
1
GenerateTypedArrayLength -- length: 0
0
GenerateTypedArrayLength -- length: 0
0
GenerateTypedArrayLength -- length: 0
0

The optimized code for TypedArray length is attached wrongly after modifying `tarr.__proto__`.
Maybe the type check in GetPropertyIC::tryAttachTypedArrayLength is insufficient?
Flags: needinfo?(arai.unmht) → needinfo?(efaustbmo)
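As an added example (not part of this bug report and not SpiderMonkey code), here is a self-checking form of the reduced testcase from comment 1 that runs in any JS engine: it warms up a `length` read at a single call site, swaps the typed array's prototype to a plain array, and checks that every later read still resolves `length` through the new prototype chain rather than through a stale typed-array-length cache. The names `readLength` and `checkLengthAfterProtoSwap` and the iteration count are my own assumptions.

```javascript
'use strict';

// One shared call site so a JIT can attach a property cache for `length`.
function readLength(obj) {
  return obj.length;
}

// Reads `length` `iterations` times before and after the prototype swap and
// reports the distinct values seen in each phase. Per the spec a typed array
// has no own `length` (the accessor lives on %TypedArray%.prototype), so once
// its prototype is an Array, `length` must come from that Array's own property.
function checkLengthAfterProtoSwap(iterations) {
  const tarr = new Uint8Array(0); // constructed input: empty typed array
  const arr = [1];                // constructed input: Array with length 1
  const before = new Set();
  const after = new Set();

  for (let i = 0; i < iterations; i++) {
    before.add(readLength(tarr)); // expected: always 0
  }

  Object.setPrototypeOf(tarr, arr); // same effect as tarr.__proto__ = arr

  for (let i = 0; i < iterations; i++) {
    after.add(readLength(tarr));  // expected: always arr.length, i.e. 1
  }

  return {
    before: [...before],
    after: [...after],
    expected: arr.length,
    // This is what the differential run in the report checks for: the
    // optimized tier must keep agreeing with the interpreter on every read.
    consistent: after.size === 1 && after.has(arr.length),
  };
}
```

An engine with the missing guard described in comment 1 would show a second value in `after` once the optimized stub is attached.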
Using the testcase in comment 1:

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/3a994e364343
user:        Brian Hackett
date:        Sat Jun 13 07:54:06 2015 -0700
summary:     Bug 1172943 - Use unboxed arrays for JSON and script literal arrays, r=jandem.

Would bug 1172943 be a more likely regressor?
This is just bug 1027846, then. Which hasn't been fixed because of perf FUD about adding a shape-check to typed array length accesses. *stab*
I'm guessing this is now a dupe?
Summary: Differential Testing: Different output message involving Array.prototype → Differential Testing: Different output message involving length
Flags: needinfo?(efaustbmo)
Duping to bug 1027846 as per comment 3.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE