Closed
Bug 1277118
Opened 8 years ago
Closed 8 years ago
Differential Testing: Different output message involving typed arrays and ArrayBuffer
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1245627
Tracking | Status | |
---|---|---|
firefox49 | --- | affected |
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: testcase)
(function() { for (var i = 0; i < 2; ++i) { var x = new ArrayBuffer(16); var y = new Float32Array(x); y[0] = 0 / 0; var z = new Float64Array(x); print(z[0]); } })(); $ ./js-dbg-64-dm-clang-darwin-864cdd00360c --fuzzing-safe --no-threads --baseline-eager testcase.js 1.058925634e-314 2.1199235295e-314 $ ./js-dbg-64-dm-clang-darwin-864cdd00360c --fuzzing-safe --no-threads --ion-eager testcase.js 1.058925634e-314 1.058925634e-314 Tested this on m-c rev 864cdd00360c. My configure flags are: CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin14.5.0 --disable-jemalloc --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic" -r 864cdd00360c autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/5834d0b43de6 user: Sean Stangl date: Fri Dec 19 14:48:17 2014 -0800 summary: Bug 1113378 - Part 1/2 - Always fully parse IIFEs. r=Waldo Sean, is bug 1113378 a likely regressor? Setting s-s because typed arrays are involved.
Flags: needinfo?(sstangl)
Reporter | ||
Updated•8 years ago
|
Summary: Differential Testing: Different output message involving typed arrays → Differential Testing: Different output message involving typed arrays and ArrayBuffer
Comment 1•8 years ago
|
||
Totally unrelated. This is probably bug 1245627.
Comment 2•8 years ago
|
||
(In reply to Jeff Walden [:Waldo] (remove +bmo to email) from comment #1) > Totally unrelated. This is probably bug 1245627. Roger that. Tested with a deterministic build locally, can't reproduce. Note the test case is almost the same as in bug 1245627 and the other dup. I don't know if it already exists, or even if it's feasible without too many false positives, but do fuzzers have a way to group together test cases that are very similar? Anyway, closing as dup.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(sstangl)
Resolution: --- → DUPLICATE
Reporter | ||
Comment 3•8 years ago
|
||
> but do fuzzers have a way to group together test cases that
> are very similar?
Yup, though it wasn't clear initially that the testcases were identical, since the bisection result probably threw us off.
Opening up.
Group: javascript-core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•