Differential Testing: Different output message involving Object.freeze

RESOLVED FIXED in Firefox 53

Status

()

Core
JavaScript Engine: JIT
P1
major
RESOLVED FIXED
a year ago
a year ago

People

(Reporter: gkw, Assigned: jandem)

Tracking

(Blocks: 2 bugs, {testcase})

Trunk
mozilla53
x86_64
All
testcase
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox53 fixed)

Details

Attachments

(1 attachment)

(Reporter)

Description

a year ago
(function() {
    "use strict";
    for (let z of [0, [1], 0]) {
        try {
            Object.freeze(z);
            for (var h in z) {};
            z[1] = 0;
        } catch (e) {
            print(e);
        }
    }
}());

$ ./js-dbg-64-dm-clang-darwin-8f1e42069983 --fuzzing-safe --no-threads --ion-eager testcase.js
TypeError: can't assign to properties of (new Number(0)): not an object
TypeError: 1 is read-only
TypeError: can't assign to properties of (new Number(0)): not an object

$ ./js-dbg-64-dm-clang-darwin-8f1e42069983 --fuzzing-safe --no-threads --baseline-eager --no-ion testcase.js
TypeError: can't assign to properties of (new Number(0)): not an object
TypeError: can't define array index property past the end of an array with non-writable length
TypeError: can't assign to properties of (new Number(0)): not an object
$


Tested this on m-c rev 8f1e42069983.

My configure flags are:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin14.5.0 --disable-jemalloc --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic" -r 8f1e42069983

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/26e6632de510
user:        Leo Gaspard
date:        Thu Aug 25 16:28:31 2016 -0700
summary:     Bug 1283334 - Part 3: Do not sparsify dense arrays when freezing - Ion. r=nbp 

Jan, you last fixed bug 1314545 and bug 1317943 (which might be related), is bug 1283334 a likely regressor?
Flags: needinfo?(jdemooij)
(Assignee)

Comment 1

a year ago
Created attachment 8817538 [details] [diff] [review]
Patch

There are at least 3 different error messages we can throw for |frozenObject[x] = y| in strict mode. This patch changes ThrowReadOnlyError to call SetProperty to make sure we behave exactly the same as the interpreter. A bit lame but I can't think of a simpler fix.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8817538 - Flags: review?(nicolas.b.pierron)
Attachment #8817538 - Flags: review?(nicolas.b.pierron) → review+
(Reporter)

Comment 2

a year ago
Jan, what might be next here?
Flags: needinfo?(jdemooij)
(Assignee)

Comment 3

a year ago
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #2)
> Jan, what might be next here?

I have to Try-server and land this, working on it...

Comment 4

a year ago
Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/7aef8faa6666
Fix ThrowReadOnlyError to match the error message we would throw in the VM. r=nbp
(Assignee)

Updated

a year ago
Flags: needinfo?(jdemooij)

Comment 5

a year ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/7aef8faa6666
Status: ASSIGNED → RESOLVED
Last Resolved: a year ago
status-firefox53: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
You need to log in before you can comment on or make changes to this bug.