Differential Testing: Different output message involving sourceIsLazy

RESOLVED INVALID

Status

Product: Core
Component: JavaScript Engine: JIT
Importance: -- major
Status: RESOLVED INVALID
Reported: 2 years ago
Modified: 2 years ago

People

(Reporter: gkw, Unassigned)

Tracking

(Blocks: 2 bugs, {testcase})

Version: Trunk
Hardware: x86_64
OS: All
Keywords: testcase

Firefox Tracking Flags

(firefox50 affected)

(Reporter)

Description

2 years ago
try {
    evaluate("\
        g = (function(stdlib, foreign, heap) {\
            \"use asm\";\
            var ff = foreign.ff;\
            function f() {}\
            return f;\
        })(this, {}, new ArrayBuffer(4096));\
    ", ({
        sourceIsLazy: true,
    }));
} catch (e) {};
try {
    print(g);
} catch (e) {}


$ ./js-dbg-64-dm-clang-darwin-94c926911767 --fuzzing-safe --no-threads --ion-eager testcase.js

$ ./js-dbg-64-dm-clang-darwin-94c926911767 --fuzzing-safe --no-threads --ion-eager --no-asmjs testcase.js
function f() {
    [sourceless code]
}

Tested this on m-c rev 94c926911767.

My configure flags are:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin14.5.0 --disable-jemalloc --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic" -r 94c926911767

autoBisect is running.
(Reporter)

Comment 1

2 years ago
For more clarity:

try {
    evaluate("\
        g = (function(stdlib, foreign, heap) {\
            \"use asm\";\
            var ff = foreign.ff;\
            function f() {}\
            return f;\
        })(this, {}, new ArrayBuffer(4096));\
    ", ({
        sourceIsLazy: true,
    }));
} catch (e) {
    print(e);
};
try {
    print(g);
} catch (e) {
    print(e);
}


$ ./js-dbg-64-dm-clang-darwin-94c926911767 --fuzzing-safe --no-threads --ion-eager testcase.js
Error: asm.js link failure with source discarding enabled
ReferenceError: g is not defined

$ ./js-dbg-64-dm-clang-darwin-94c926911767 --fuzzing-safe --no-threads --ion-eager --no-asmjs testcase.js
function f() {
    [sourceless code]
}

autoBisect shows this is probably related to the following changeset:

changeset:   https://hg.mozilla.org/mozilla-central/rev/0ca7d93c1c39
user:        Luke Wagner
date:        Tue Apr 07 09:59:11 2015 -0500
summary:     Bug 1148963 - OdinMonkey: throw if link-time failure and discardSource = true (r=bbouvier)

Luke, is bug 1148963 a likely regressor?

We compiled the parent, which is f71ce89bbfce, of this m-c rev 0ca7d93c1c39, and the parent crashes.

Thus, m-c rev 0ca7d93c1c39 seemed to turn this testcase into an output mismatch.
Blocks: 1148963
Flags: needinfo?(luke)

Comment 2

2 years ago
That is indeed the intention, and in the comment:
  https://hg.mozilla.org/mozilla-central/rev/0ca7d93c1c39#l1.12
sourceIsLazy:true is never set for content, so I think this is just a flag that shouldn't be set for differential testing.
Flags: needinfo?(luke)
(Reporter)

Comment 3

2 years ago
I made the ignore permanent in:

https://github.com/MozillaSecurity/funfuzz/commit/1a5c00ebab45ef05abdc9915b7d79eba75a9927f

Resolving INVALID. Thanks!
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → INVALID
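
Added example, not part of the bug thread and not funfuzz's own code: one way a differential-testing harness could apply the ignore discussed in Comments 2 and 3, skipping any testcase that sets sourceIsLazy before comparing output across shell flag sets. The names IGNORED_OPTIONS, ignored_option and classify are hypothetical, the testcase is condensed, and the PLAIN_* sample is constructed; the two captured outputs are copied from Comment 1.

```python
import re

# Options that change shell output between configurations without an engine bug.
# Only sourceIsLazy comes from this bug; keeping a tuple of names is an assumption.
IGNORED_OPTIONS = ("sourceIsLazy",)

def ignored_option(testcase):
    """Return the first ignored evaluate() option the testcase sets to true, else None."""
    for name in IGNORED_OPTIONS:
        if re.search(r"\b%s\s*:\s*true\b" % re.escape(name), testcase):
            return name
    return None

def classify(testcase, outputs):
    """outputs maps a shell flag string to the stdout captured with those flags."""
    option = ignored_option(testcase)
    if option:
        return "ignored: testcase sets %s" % option
    # Strip trailing whitespace so blank-line noise alone is not a mismatch.
    distinct = {"\n".join(line.rstrip() for line in out.strip().splitlines())
                for out in outputs.values()}
    return "match" if len(distinct) == 1 else "MISMATCH"

# Condensed from the Comment 1 testcase (try/catch wrappers omitted).
LAZY_TESTCASE = r'''
evaluate("g = (function(stdlib, foreign, heap) { \"use asm\"; \
    var ff = foreign.ff; function f() {} return f; \
})(this, {}, new ArrayBuffer(4096));", ({ sourceIsLazy: true }));
print(g);
'''
# Outputs copied from Comment 1 (common flags --fuzzing-safe --no-threads omitted from keys).
LAZY_OUTPUTS = {
    "--ion-eager": "Error: asm.js link failure with source discarding enabled\n"
                   "ReferenceError: g is not defined\n",
    "--ion-eager --no-asmjs": "function f() {\n    [sourceless code]\n}\n",
}
# Constructed sample: a testcase without the option whose outputs disagree.
PLAIN_TESTCASE = "print(1 + 1);"
PLAIN_OUTPUTS = {"--ion-eager": "2\n", "--ion-eager --no-asmjs": "3\n"}

if __name__ == "__main__":
    print(classify(LAZY_TESTCASE, LAZY_OUTPUTS))
    print(classify(PLAIN_TESTCASE, PLAIN_OUTPUTS))
```

Filtering on the testcase source rather than on the error text keeps a genuine asm.js link failure in other testcases visible to the comparison.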