Closed Bug 1451984 Opened 7 years ago Closed 7 years ago

Differential Testing: Different output message involving Math.fround

Categories

(Core :: JavaScript Engine: JIT, defect)

Hardware: x86
OS: All
Type: defect
Priority: Not set
Severity: major

Tracking

Status: RESOLVED DUPLICATE of bug 1451976
Tracking Status: firefox61 --- fixed

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: regression, testcase, Whiteboard: [fuzzblocker])

setJitCompilerOption("ion.forceinlineCaches", 1);
function f(x) {
    print(Math.pow(Math.fround(Math.fround()), ~(x >>> 0)));
}
f(-1);
f(-1);
f(-1);
f(-1);

$ ./js-dbg-32-dm-linux-7b40283bf1c7 --fuzzing-safe --no-threads --ion-eager testcase.js
1
1
1
NaN
$
$ ./js-dbg-32-dm-linux-7b40283bf1c7 --fuzzing-safe --no-threads --baseline-eager --no-ion testcase.js
1
1
1
1
$

Tested this on m-c rev 7b40283bf1c7.

My configure flags are:

CC="gcc -m32 -msse2 -mfpmath=sse" CXX="g++ -m32 -msse2 -mfpmath=sse" AR=ar PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig sh ./configure --target=i686-pc-linux --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u -m funfuzz.js.compile_shell -b "--enable-more-deterministic --enable-debug --32" -r 7b40283bf1c7

This may be related to bug 1451976? Setting s-s as a start since bug 1451976 is also s-s. Setting needinfo? from Jan too.
Flags: needinfo?(jdemooij)
function g(f, x) {
    for (var j = 0; j < 3; ++j) {
        for (var k = 0; k < 2; ++k) {
            print(f(x[j], x[k]));
        }
    }
}
function f(x, y) {
    return Math.pow(Math.fround(Math.fround()), ~y)
}
g(f, [Object]);
g(f, [0, Number.MAX_SAFE_INTEGER]);

Here's a testcase that does not require forceinlineCaches.

$ ./js-dbg-32-dm-linux-7b40283bf1c7 --fuzzing-safe --no-threads --ion-eager testcase.js
NaN
NaN
NaN
NaN
NaN
NaN
NaN
1
NaN
1
NaN
NaN
$
$ ./js-dbg-32-dm-linux-7b40283bf1c7 --fuzzing-safe --no-threads --no-baseline --no-ion testcase.js
NaN
NaN
NaN
NaN
NaN
NaN
NaN
1
NaN
1
NaN
1
$

Note that the last value is different = "NaN" vs "1".
Summary: Differential Testing: Different output message involving Math.fround and ion.forceinlineCaches → Differential Testing: Different output message involving Math.fround
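Added example, not code from the bug report or from SpiderMonkey: a reference oracle for the ECMAScript semantics the two testcases above exercise. The expression `~y` must apply ToInt32 first, so a double such as `-1 >>> 0` (4294967295) or `Number.MAX_SAFE_INTEGER` becomes -1 and `~` of it is 0, and `Math.pow(NaN, 0)` is 1; the Ion output above prints NaN exactly where the reference says 1. The oracle computes `~` in plain arithmetic and compares it against whatever engine runs the file (Node.js assumed). The helper names `toInt32`, `refBitNot`, `refF`, `engineF`, `diffTest` and the constant `INPUTS` are my own; the input values are taken from the testcases.

```javascript
// Reference oracle for the semantics the bug's testcases depend on.
// Not part of the bug report; engine under test = the JS runtime running this file.

// ECMAScript ToInt32: truncate, reduce modulo 2^32, reinterpret as signed 32-bit.
function toInt32(x) {
  const n = Number(x);
  if (!Number.isFinite(n) || n === 0) return 0;   // NaN, +-Infinity, +-0 -> 0
  const m = Math.trunc(n) % 4294967296;            // 2^32; exact on doubles
  const u = m < 0 ? m + 4294967296 : m;            // into [0, 2^32)
  return u >= 2147483648 ? u - 4294967296 : u;     // into [-2^31, 2^31)
}

// Reference bitwise NOT: ~x === -ToInt32(x) - 1. Uses only arithmetic so it
// does not depend on the engine's own ~ operator, which is the thing under test.
function refBitNot(x) {
  return -toInt32(x) - 1;
}

// Reference for the testcase's f(): Math.fround() with no argument is
// Math.fround(undefined) === NaN, so the base is always NaN and the result is
// decided by the exponent alone: Math.pow(NaN, 0) === 1, anything else is NaN.
function refF(y) {
  return refBitNot(y) === 0 ? 1 : NaN;
}

// The testcase's function as the engine (and its JIT tiers) evaluate it.
function engineF(y) {
  return Math.pow(Math.fround(Math.fround()), ~y);
}

// Differential check: evaluate both versions for each input several times
// (so an inline cache or compiled tier can attach) and collect mismatches.
// Object.is is used because NaN === NaN is false.
function diffTest(inputs, repeats = 4) {
  const mismatches = [];
  for (const y of inputs) {
    for (let i = 0; i < repeats; i++) {
      const got = engineF(y);
      const want = refF(y);
      if (!Object.is(got, want)) mismatches.push({ y, got, want, iteration: i });
    }
  }
  return mismatches;
}

// Constructed input set, drawn from the two testcases: -1 >>> 0 is the
// out-of-int32-range double 4294967295, MAX_SAFE_INTEGER folds to -1 under
// ToInt32, and undefined/NaN/0 cover the NaN-exponent branch.
const INPUTS = [-1 >>> 0, 0, Number.MAX_SAFE_INTEGER, undefined, NaN, -1];

console.log("mismatches:", diffTest(INPUTS));   // expected: [] on a correct engine
```

A compare_jit-style run would execute the same file with the engine's JIT tiers forced on and off and diff the mismatch lists; here the reference side is computed in-process, so any non-empty list already points at the input and iteration where the engine's `~` on a double disagrees with ToInt32.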
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/e7b45cdbc1a5
user: Matthew Gaudet
date: Wed Feb 07 14:22:48 2018 -0500
summary: Bug 1434717: Part 6: Implement UnaryArith IC for doubles r=tcampbell

Probably a dupe of bug 1451976? If so, please also land the testcases here. Likewise, this blocks fuzzing with compare_jit.
Blocks: 1434717
Flags: needinfo?(jdemooij) → needinfo?(mgaudet)
Whiteboard: [fuzzblocker]
This can be duped to bug 1451976 (and unmarked s-s)
Flags: needinfo?(mgaudet)
Group: javascript-core-security
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE