Closed
Bug 1304649
Opened 8 years ago
Closed 8 years ago
Differential Testing: Different output message involving the parser
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
RESOLVED
FIXED
mozilla52
| Tracking | Status | |
|---|---|---|
| firefox52 | --- | fixed |
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: testcase)
Attachments
(1 file)
|
1.97 KB,
patch
|
sfink
:
review+
|
Details | Diff | Splinter Review |
gczeal(4)
function f3() {}
function f2() {
s = []
for (var k = 0; k < 9; ++k) {
print(f3(uneval(s)))
}
}
try {
try {
(function() {
function f1() {}
f2(f1)
})()
} catch (e) {}
try {
m
} catch (e) {}
s = ""
print(h)
} catch (e) {}
try {
a
} catch (e) {}
try {
v(")")
} catch (e) {}
try {
v = this.o.t()
} catch (e) {}
try {
print(c)
let c
} catch (e) {}
$ ./js-dbg-64-dm-clang-darwin-560b2c805bf7 --fuzzing-safe --no-threads --no-baseline --no-ion testcase.js
undefined
undefined
undefined
undefined
undefined
undefined
undefined
undefined
undefined
undefined
$ ./js-dbg-64-dm-clang-darwin-560b2c805bf7 --fuzzing-safe --no-threads --ion-eager testcase.js
undefined
undefined
undefined
undefined
undefined
undefined
undefined
undefined
undefined
Tested this on m-c rev 560b2c805bf7.
My configure flags are:
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin14.5.0 --disable-jemalloc --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic" -r 560b2c805bf7
Due to skipped revisions, the first bad revision could be any of:
changeset: https://hg.mozilla.org/mozilla-central/rev/cb6fc6d38f8d
user: Shu-yu Guo
date: Thu Aug 25 01:28:47 2016 -0700
summary: Bug 1263355 - Rewrite the frontend: bindings. (r=jorendorff,Waldo)
changeset: https://hg.mozilla.org/mozilla-central/rev/18bec78f348e
user: Shu-yu Guo
date: Thu Aug 25 01:28:47 2016 -0700
summary: Bug 1263355 - Report memory metrics for Scopes. (r=njn)
Note that the difference in output involve the number of times "undefined" was printed, i.e. 10x vs 9x
Shu-yu, is bug 1263355 a likely regressor?
Flags: needinfo?(shu)
|
Reporter | |
Comment 1•8 years ago
|
||
Preferably this should also be backported to mozilla-aurora...
|
||
Comment 2•8 years ago
|
||
The bug is this: when marking Interpreter frames, JSScript::calculateLiveFixed
is used and dead fixed slots on the frame are set to 'undefined'. The verify
prebarriers zeal setting was triggering Interpreter frames to be marked right
after frame slots were put into TDZ. Since the TDZ opcodes were outside of the
extent of the lexical scope according to scope note, the slot that was just put
into TDZ was considered dead and set to 'undefined'.
Attachment #8793981 -
Flags: review?(sphink)
|
|
||
Updated•8 years ago
|
Flags: needinfo?(shu)
|
||
Comment 3•8 years ago
|
||
Comment on attachment 8793981 [details] [diff] [review]
Fix scope notes for lexical scopes.
Review of attachment 8793981 [details] [diff] [review]:
-----------------------------------------------------------------
Thanks to patient lessons from shu on IRC, I am finally able to grasp what is going on here.
Attachment #8793981 -
Flags: review?(sphink) → review+
Pushed by shu@rfrn.org:
https://hg.mozilla.org/integration/mozilla-inbound/rev/51e9c4c3a8ee
Fix scope notes for lexical scopes. (r=sfink)
|
||
Comment 6•8 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
You need to log in
before you can comment on or make changes to this bug.
Description
•