Closed Bug 1451984 Opened 6 years ago Closed 6 years ago

Differential Testing: Different output message involving Math.fround

Categories

(Core :: JavaScript Engine: JIT, defect)

Platform: x86
OS: All
Type: defect
Priority: Not set
Severity: major

Tracking

Status: RESOLVED DUPLICATE of bug 1451976
Tracking Status: firefox61 --- fixed

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: regression, testcase, Whiteboard: [fuzzblocker])

setJitCompilerOption("ion.forceinlineCaches", 1);
function f(x) {
    // Math.fround() with no argument is Math.fround(undefined), i.e. NaN.
    // For x = -1, x >>> 0 is 4294967295, which ToInt32 wraps to -1, so
    // ~(x >>> 0) is 0 and Math.pow(NaN, 0) must be 1 on every call.
    print(Math.pow(Math.fround(Math.fround()), ~(x >>> 0)));
}
f(-1);
f(-1);
f(-1);
f(-1);

$ ./js-dbg-32-dm-linux-7b40283bf1c7 --fuzzing-safe --no-threads --ion-eager testcase.js
1
1
1
NaN
$

$ ./js-dbg-32-dm-linux-7b40283bf1c7 --fuzzing-safe --no-threads --baseline-eager --no-ion testcase.js 
1
1
1
1
$

Tested this on m-c rev 7b40283bf1c7.

My configure flags are:

CC="gcc -m32 -msse2 -mfpmath=sse" CXX="g++ -m32 -msse2 -mfpmath=sse" AR=ar PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig sh ./configure --target=i686-pc-linux --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u -m funfuzz.js.compile_shell -b "--enable-more-deterministic --enable-debug --32" -r 7b40283bf1c7

This may be related to bug 1451976?

Setting s-s as a start since bug 1451976 is also s-s.

Setting needinfo? from Jan too.
Flags: needinfo?(jdemooij)
function g(f, x) {
    // Call f on every (x[j], x[k]) pair; j runs past the end of the array,
    // so the call site also sees undefined arguments.
    for (var j = 0; j < 3; ++j) {
        for (var k = 0; k < 2; ++k) {
            print(f(x[j], x[k]));
        }
    }
}
function f(x, y) {
    // Math.fround() is NaN; the result is 1 only when ~y is 0, i.e. when
    // ToInt32(y) is -1, as it is for Number.MAX_SAFE_INTEGER (2^53 - 1).
    return Math.pow(Math.fround(Math.fround()), ~y);
}
g(f, [Object]);
g(f, [0, Number.MAX_SAFE_INTEGER]);

Here's a testcase that does not require forceinlineCaches.

$ ./js-dbg-32-dm-linux-7b40283bf1c7 --fuzzing-safe --no-threads --ion-eager testcase.js
NaN
NaN
NaN
NaN
NaN
NaN
NaN
1
NaN
1
NaN
NaN
$

$ ./js-dbg-32-dm-linux-7b40283bf1c7 --fuzzing-safe --no-threads --no-baseline --no-ion testcase.js
NaN
NaN
NaN
NaN
NaN
NaN
NaN
1
NaN
1
NaN
1
$

Note that the last value is different: "NaN" vs "1".
Summary: Differential Testing: Different output message involving Math.fround and ion.forceinlineCaches → Differential Testing: Different output message involving Math.fround
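Added here as an illustration, not code from the bug report or from SpiderMonkey: a reference model of the ECMAScript semantics both testcases above rely on (ToInt32 wrapping, bitwise NOT, and Math.pow(NaN, 0) === 1), plus a small warm-up differential harness in the spirit of compare_jit that calls the second testcase's f repeatedly and reports every result that disagrees with the model. The function names (toInt32, bitwiseNot, expectedPow, differential), the iteration count and the input list are assumptions of this example.

```javascript
// Example added for illustration; not part of the bug report or SpiderMonkey.

// ToInt32 per ECMA-262: NaN and +/-Infinity map to 0; otherwise truncate,
// reduce modulo 2^32, and map the upper half of [0, 2^32) to negatives.
function toInt32(n) {
  n = Number(n);
  if (!Number.isFinite(n)) return 0;
  let m = Math.trunc(n) % 4294967296; // JS % keeps the dividend's sign
  if (m < 0) m += 4294967296;         // normalise into [0, 2^32)
  return m >= 2147483648 ? m - 4294967296 : m;
}

// Bitwise NOT (`~y` in the testcase) expressed through the model above.
function bitwiseNot(y) {
  return -toInt32(y) - 1;
}

// What a correct engine must return for the testcase's f: Math.fround() is
// Math.fround(undefined) === NaN, and Math.pow(NaN, e) is 1 only for e === 0.
function expectedPow(y) {
  return bitwiseNot(y) === 0 ? 1 : NaN;
}

// The testcase's f, unchanged.
function f(x, y) {
  return Math.pow(Math.fround(Math.fround()), ~y);
}

// Run `fn` over the same inputs many times so the engine can tier up
// (interpreter -> baseline -> optimising JIT), and collect every call whose
// result disagrees with the reference model. Object.is treats NaN as equal
// to NaN, so only real divergences are recorded.
function differential(fn, reference, inputs, iterations) {
  const mismatches = [];
  for (let i = 0; i < iterations; i++) {
    for (const y of inputs) {
      const got = fn(undefined, y);
      const want = reference(y);
      if (!Object.is(got, want)) {
        mismatches.push({ iteration: i, input: y, got, want });
      }
    }
  }
  return mismatches;
}

// Constructed inputs covering the edge cases from both testcases: -1 >>> 0
// (first testcase) and Number.MAX_SAFE_INTEGER (second testcase) both wrap
// to int32 -1, whose NOT is 0; the others all give a non-zero exponent.
const INPUTS = [-1 >>> 0, Number.MAX_SAFE_INTEGER, 0, undefined, Object, 2 ** 32, -(2 ** 31)];

const report = differential(f, expectedPow, INPUTS, 10000);
console.log(report.length === 0 ? "no mismatches" : report);
```

On a correct engine the report is empty; on a build with the bug described above, the entries would record the calls that returned NaN where the model says 1, together with the iteration at which the divergence began.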
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/e7b45cdbc1a5
user:        Matthew Gaudet
date:        Wed Feb 07 14:22:48 2018 -0500
summary:     Bug 1434717: Part 6: Implement UnaryArith IC for doubles r=tcampbell

Probably a dupe of bug 1451976? If so, please also land the testcases here.

Likewise, this blocks fuzzing with compare_jit.
Blocks: 1434717
Flags: needinfo?(jdemooij) → needinfo?(mgaudet)
Whiteboard: [fuzzblocker]
This can be duped to bug 1451976 (and unmarked s-s).
Flags: needinfo?(mgaudet)
Group: javascript-core-security
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE