Differential Testing: Different output message involving arguments

RESOLVED FIXED in Firefox 50

Status

()

Core
JavaScript Engine: JIT
--
major
RESOLVED FIXED
2 years ago
2 years ago

People

(Reporter: gkw, Assigned: jandem)

Tracking

(Blocks: 2 bugs, {testcase})

Trunk
mozilla50
x86_64
All
testcase
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox50 fixed)

Details

Attachments

(1 attachment)

(Reporter)

Description

2 years ago
function f() {
    x = arguments;
    delete x[1];
}
f(0, 1);
print(uneval(x));


$ ./js-dbg-64-dm-clang-darwin-14c5bf11d37b --fuzzing-safe --no-threads --ion-eager testcase.js
({0:0})

$ ./js-dbg-64-dm-clang-darwin-14c5bf11d37b --fuzzing-safe --no-threads --ion-eager --gc-zeal=14 testcase.js
({})

Tested this on m-c rev 14c5bf11d37b.

My configure flags are:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin14.5.0 --disable-jemalloc --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic" -r 14c5bf11d37b

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/d6d4ed5fb7a3
user:        Jan de Mooij
date:        Sat Jun 11 14:59:03 2016 +0200
summary:     Bug 1272598 part 1 - Move ArgumentsObject deleted bits into a new RareArgumentsData class. r=luke

Jan, is bug 1272598 a likely regressor?
Flags: needinfo?(jdemooij)
(Assignee)

Comment 1

2 years ago
Created attachment 8762932 [details] [diff] [review]
Patch

We were not resetting the deletedBits_ pointer in ArgumentsObject::objectMovedDuringMinorGC.

This patches changes deletedBits_ from a pointer to an array (size_t deletedBits_[1]), so we don't have to reset anything when we clone the rare data.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8762932 - Flags: review?(luke)

Updated

2 years ago
Attachment #8762932 - Flags: review?(luke) → review+

Comment 2

2 years ago
Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/e15474388a5f
Refactor RareArgumentsData a bit so it behaves correctly on moving GC. r=luke

Updated

2 years ago
Duplicate of this bug: 1280950

Updated

2 years ago
Duplicate of this bug: 1280884

Comment 5

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/e15474388a5f
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
status-firefox50: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
You need to log in before you can comment on or make changes to this bug.