Closed Bug 1277118 Opened 8 years ago Closed 8 years ago

Differential Testing: Different output message involving typed arrays and ArrayBuffer

Categories: Core :: JavaScript Engine: JIT, defect
Platform: x86_64, All
Type: defect
Priority: Not set
Severity: major

Tracking

RESOLVED DUPLICATE of bug 1245627
Tracking Status
firefox49 --- affected

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: testcase)

(function() {
    for (var i = 0; i < 2; ++i) {
        var x = new ArrayBuffer(16);
        var y = new Float32Array(x);
        y[0] = 0 / 0;
        var z = new Float64Array(x);
        print(z[0]);
    }
})();


$ ./js-dbg-64-dm-clang-darwin-864cdd00360c --fuzzing-safe --no-threads --baseline-eager testcase.js
1.058925634e-314
2.1199235295e-314

$ ./js-dbg-64-dm-clang-darwin-864cdd00360c --fuzzing-safe --no-threads --ion-eager testcase.js
1.058925634e-314
1.058925634e-314

Tested this on m-c rev 864cdd00360c.

My configure flags are:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin14.5.0 --disable-jemalloc --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic" -r 864cdd00360c

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/5834d0b43de6
user:        Sean Stangl
date:        Fri Dec 19 14:48:17 2014 -0800
summary:     Bug 1113378 - Part 1/2 - Always fully parse IIFEs. r=Waldo

Sean, is bug 1113378 a likely regressor?

Setting s-s because typed arrays are involved.
Flags: needinfo?(sstangl)
Summary: Differential Testing: Different output message involving typed arrays → Differential Testing: Different output message involving typed arrays and ArrayBuffer
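To see what the two printed values actually encode, here is an added example (not from the bug report or the SpiderMonkey tree) that splits each printed double into its 32-bit words with a DataView. It assumes a little-endian host, as on the x86_64 build in the report: the Float32Array store only writes bytes 0..3 of the zero-initialised buffer, the Float64Array view reads bytes 0..7, and the two outputs turn out to differ only in the sign bit of the float32 NaN that y[0] = 0 / 0 left in memory.

```javascript
// Added example, not part of the bug report. Assumes a little-endian host.

// Split a double into its low and high 32-bit words (little-endian layout).
function doubleWords(d) {
  const view = new DataView(new ArrayBuffer(8));
  view.setFloat64(0, d, true);
  return { lo: view.getUint32(0, true), hi: view.getUint32(4, true) };
}

// True when a 32-bit pattern is a float32 NaN: exponent all ones, mantissa non-zero.
function isFloat32NaNBits(bits) {
  return (bits & 0x7f800000) === 0x7f800000 && (bits & 0x007fffff) !== 0;
}

// Re-create the testcase's aliasing deterministically: a fresh 16-byte buffer is
// zero-filled, the float32 store touches bytes 0..3 only, and the Float64Array
// view then reads bytes 0..7, so the NaN bits become the low word of a denormal
// double whose high word is zero.
function aliasedRead(float32NaNBits) {
  const buf = new ArrayBuffer(16);
  const view = new DataView(buf);
  view.setUint32(0, float32NaNBits, true);     // what y[0] = 0 / 0 left in memory
  return view.getFloat64(0, true);             // what z[0] reads
}

// Run the original store once in this engine and report the NaN pattern it
// produced (0x7fc00000 and 0xffc00000 are the two patterns seen in the report).
function observedNaNBits() {
  const x = new ArrayBuffer(16);
  const y = new Float32Array(x);
  y[0] = 0 / 0;
  return new Uint32Array(x)[0];
}

// Compare two printed outputs: do the high words agree, are both low words
// float32 NaNs, and which low-word bits differ (0x80000000 = sign bit only)?
function diffOutputs(a, b) {
  const wa = doubleWords(a), wb = doubleWords(b);
  return {
    hiEqual: wa.hi === wb.hi,
    bothFloat32NaN: isFloat32NaNBits(wa.lo) && isFloat32NaNBits(wb.lo),
    loXor: (wa.lo ^ wb.lo) >>> 0,
  };
}

// The two values printed by the --baseline-eager run in the report.
console.log(doubleWords(1.058925634e-314), doubleWords(2.1199235295e-314));
console.log(diffOutputs(1.058925634e-314, 2.1199235295e-314));
console.log('this engine stores 0/0 as float32 bits', observedNaNBits().toString(16));
```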
Totally unrelated.  This is probably bug 1245627.
(In reply to Jeff Walden [:Waldo] (remove +bmo to email) from comment #1)
> Totally unrelated.  This is probably bug 1245627.

Roger that. Tested with a deterministic build locally, can't reproduce. Note the test case is almost the same as in bug 1245627 and the other dup. I don't know if it already exists, or even if it's feasible without too many false positives, but do fuzzers have a way to group together test cases that are very similar?

Anyway, closing as dup.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(sstangl)
Resolution: --- → DUPLICATE
> but do fuzzers have a way to group together test cases that
> are very similar?

Yup, though it wasn't clear initially that the testcases were identical, since the bisection result probably threw us off.

Opening up.
Group: javascript-core-security