Closed Bug 1383591 Opened 7 years ago Closed 7 years ago

Differential Testing: Different output message involving "use strict"

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
All
defect
Not set
major

Tracking


RESOLVED FIXED
mozilla56
Tracking Status
firefox56 --- fixed

People

(Reporter: gkw, Assigned: jandem)

Details

(Keywords: testcase, Whiteboard: [fuzzblocker])

Attachments

(1 file)

(function () {
    function f(x) {
        "use strict";
        if (x) {
            Object.seal(this);
        }
        this[0] = 1;
    }
    for (var y of [1, 0, arguments, 1]) {
        try {
            new f(y);
        } catch (e) {
            print(e);
        }
    }
})()

$ ./js-dbg-64-dm-linux-5928d905c0bc --fuzzing-safe --no-threads --baseline-eager --no-ion testcase.js
TypeError: can't define property 0: Object is not extensible
TypeError: can't define property 0: Object is not extensible
TypeError: can't define property 0: Object is not extensible

$ ./js-dbg-64-dm-linux-5928d905c0bc --fuzzing-safe --no-threads --ion-eager testcase.js
TypeError: can't define property 0: Object is not extensible
TypeError: can't define property 0: Object is not extensible

Tested this on m-c rev 5928d905c0bc.

My configure flags are:

AR=ar sh /home/ubuntu/trees/mozilla-central/js/src/configure --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic" -r 5928d905c0bc

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/d2f850fe57e1
user:        Jan de Mooij
date:        Fri Oct 28 12:08:29 2016 +0200
summary:     Bug 1313064 - Fix SETELEM check in SetObjectElementOperation to check for the strict version too. r=anba

Jan, is bug 1313064 a likely regressor?

Setting [fuzzblocker] because this seems related to "use strict" and "use strict" differential testing bugs can usually have different causes.
Flags: needinfo?(jdemooij)
Flags: needinfo?(andrebargull)
Whiteboard: [fuzzblocker]
Whoops, only meant to ni? Jan for now.
Flags: needinfo?(andrebargull)
Attached patch Patch
The setelem OOL path was using current->mir()->strict() but that doesn't always work for OOL paths of course as current is the last block.

This patch sets |current| to nullptr before we generate OOL code, to prevent this kind of bug from happening in the future.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8889411 - Flags: review?(nicolas.b.pierron)
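The reporter's testcase is print-based, so a JIT path that drops the strict flag shows up only as one line less of output. The following is an added example (not part of the bug report or of the SpiderMonkey tree) that turns the same testcase into a self-checking differential test: the expected result for each iteration is derived from the language semantics (a strict-mode store to a sealed object throws a TypeError, a sloppy-mode store fails silently), and the observed behaviour is compared against it. It also covers the sloppy variant, which the original testcase does not exercise. All names (`makeCtor`, `observe`, `expected`, `mismatches`, `strictErrorCount`, `INPUTS`) are this example's own; the inputs are constructed to mirror the original `[1, 0, arguments, 1]`, with a freshly captured `arguments` object standing in for the IIFE's.

```javascript
// Added example: assertion-based differential test for strict vs sloppy
// element stores on a sealed object. Not code from the bug or from SpiderMonkey.

// Body shared by both constructor variants: seal `this` when x is truthy,
// then attempt to define a new indexed property on it.
const BODY = `
  if (x) {
    Object.seal(this);
  }
  this[0] = 1;
`;

// Function() always produces sloppy-mode code whatever the enclosing module's
// mode, so the directive string alone decides the strictness of the variant.
function makeCtor(strict) {
  return new Function('x', (strict ? '"use strict";\n' : '') + BODY);
}

// Constructed inputs mirroring the reporter's loop: truthy numbers, zero and a
// (truthy) arguments object captured from a throwaway function.
const INPUTS = [1, 0, (function () { return arguments; })(), 1];

// Observed behaviour: for each input, the name of the thrown error, or null
// when `new f(y)` completed without throwing.
function observe(strict, inputs) {
  const f = makeCtor(strict);
  return inputs.map((y) => {
    try {
      new f(y);
      return null;
    } catch (e) {
      return e.name;
    }
  });
}

// Spec-derived expectation: a truthy x seals the object before the store, so
// the store must fail; only strict code turns that failure into a TypeError.
function expected(strict, inputs) {
  return inputs.map((y) => (y && strict ? 'TypeError' : null));
}

// Differential comparison: the iterations where observed and expected
// disagree. An empty list means the engine agrees with the semantics.
function mismatches(strict, inputs = INPUTS) {
  const got = observe(strict, inputs);
  const want = expected(strict, inputs);
  return got
    .map((g, i) => ({ index: i, got: g, want: want[i] }))
    .filter((m) => m.got !== m.want);
}

// Number of TypeErrors in the strict run: 3 for the reporter's inputs, the
// same count as the three lines the baseline-only shell printed.
function strictErrorCount(inputs = INPUTS) {
  return observe(true, inputs).filter((r) => r === 'TypeError').length;
}

for (const strict of [true, false]) {
  const bad = mismatches(strict);
  console.log(`${strict ? 'strict' : 'sloppy'}: ${bad.length} mismatch(es)`, bad);
}
```

Run under each JIT configuration of interest; a non-empty `mismatches(true)` is the condition the original testcase could only show by a missing output line. Generating both variants from one body through `Function()` keeps the directive the only difference between them, independent of whether the harness itself is loaded as strict code.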
Comment on attachment 8889411 [details] [diff] [review]
Patch

Review of attachment 8889411 [details] [diff] [review]:
-----------------------------------------------------------------

Good catch!
Attachment #8889411 - Flags: review?(nicolas.b.pierron) → review+
Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/2bb6be91be39
Don't use |current| block in OutOfLineStoreElementHole code. r=nbp
The actual bug predates bug 1313064, it's a very old one I think.
No longer blocks: 1313064
https://hg.mozilla.org/mozilla-central/rev/2bb6be91be39
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla56