Closed Bug 1455954 Opened 6 years ago Closed 6 years ago

Differential Testing: Different output message involving regex

Categories

(Core :: JavaScript Engine: JIT, defect, P1)

x86
All
defect

Tracking


RESOLVED FIXED
mozilla62
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- unaffected
firefox60 --- unaffected
firefox61 --- wontfix
firefox62 --- fixed

People

(Reporter: gkw, Assigned: jandem)

References

Details

(Keywords: testcase)

Attachments

(1 file)

try {
    var count = 0;
    ((function f(x) {
        var r = /\2/;
        if (r.exec("") == null) {
            count++;
        }
        if (count > 4000 && count < 4100) {
            print(count);
        }
        if (x == 0) {;
            return null;
        };
        return f(x - 1);
    })(5000));
} catch (e) {}

$ ./js-32-dm-linux-8d4cf28964f6 --fuzzing-safe --no-threads --ion-eager testcase.js 
/snip
4095
4096
4097
4098
4099
$

$ ./js-32-dm-linux-8d4cf28964f6 --fuzzing-safe --no-threads --baseline-eager --no-ion testcase.js
/snip
4020
4021
4022
4023
4024
$

or when run again:

/snip
4025
4026
4027
4028
4029
ReportOverRecursed called
$

or when run a third time (thus inconsistent results):

/snip
4021
4022
4023
4024
4025
4026
$

Tested this on m-c rev 8d4cf28964f6.

My configure flags are:

CC="gcc -m32 -msse2 -mfpmath=sse" CXX="g++ -m32 -msse2 -mfpmath=sse" AR=ar PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig sh ./configure --target=i686-pc-linux --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u -m funfuzz.js.compile_shell -b "--32 --enable-more-deterministic" -r 8d4cf28964f6

$ gcc --version
gcc (Ubuntu/Linaro 6.3.0-18ubuntu2~16.04) 6.3.0 20170519

This happened on Ubuntu Linux 16.04.

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/7a682f7ab2f5
user:        Jan de Mooij
date:        Fri Mar 23 15:55:38 2018 +0100
summary:     Bug 1447996 - Don't GC when hitting overrecursion in RegExpCompiler; make the static analysis detect this. r=sfink

Setting s-s to be safe as bug 1447996 was initially filed as s-s. However, I think that this might not need to be (might just be some overrecursion thing), but I'll let Jan decide.

Jan, is bug 1447996 a likely regressor?
Flags: needinfo?(jdemooij)
Yeah, this looks harmless, we likely need to print "ReportOverRecursed called" in RegExpCompiler::CheckOverRecursed in more-deterministic builds, before we call SetRegExpTooBig(). I'll take a closer look tomorrow.
Group: javascript-core-security
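An added example (not funfuzz's or SpiderMonkey's code) of how a differential-testing harness can consume the marker Jan describes: it runs a testcase under the report's two flag sets, merges stdout and stderr, and treats a run that printed "ReportOverRecursed called" as known-nondeterministic rather than as a JIT differential bug. The shell path, the run_shell/classify names and the sample outputs are assumptions modelled on the report.

```python
import subprocess
from typing import List, Tuple

# Marker printed by more-deterministic builds when RegExpCompiler::CheckOverRecursed
# fails; its presence means the output depends on stack depth, not on the JIT tier.
OVERRECURSED_MARKER = "ReportOverRecursed called"

# Flag sets from the report (assumption: the same shell binary serves both runs).
CONFIG_ION = ["--fuzzing-safe", "--no-threads", "--ion-eager"]
CONFIG_BASELINE = ["--fuzzing-safe", "--no-threads", "--baseline-eager", "--no-ion"]

# Constructed samples modelled on the outputs pasted in the report.
SAMPLE_ION = "".join(f"{n}\n" for n in range(4095, 4100))
SAMPLE_BASELINE_RUN1 = "".join(f"{n}\n" for n in range(4020, 4025))
SAMPLE_BASELINE_RUN2 = "".join(f"{n}\n" for n in range(4025, 4030)) + OVERRECURSED_MARKER + "\n"


def run_shell(js_path: str, flags: List[str], testcase: str, timeout: int = 60) -> str:
    """Run one configuration; stdout and stderr are merged because the fixed shell
    prints the marker to stderr while the testcase prints its counts to stdout."""
    proc = subprocess.run([js_path, *flags, testcase], capture_output=True,
                          text=True, timeout=timeout)
    return proc.stdout + proc.stderr


def classify(out_a: str, out_b: str) -> Tuple[str, List[str]]:
    """Verdicts: 'same'; 'ignored' (outputs differ but a run hit irregexp
    overrecursion, the known nondeterminism from this bug); 'differ' (a real
    finding, reported with the line counts and the first divergent line)."""
    if out_a == out_b:
        return "same", []
    hit = [name for name, out in (("a", out_a), ("b", out_b)) if OVERRECURSED_MARKER in out]
    if hit:
        return "ignored", [f"run {n} reported overrecursion" for n in hit]
    lines_a, lines_b = out_a.splitlines(), out_b.splitlines()
    details = [f"{len(lines_a)} vs {len(lines_b)} lines"]
    for i, (la, lb) in enumerate(zip(lines_a, lines_b)):
        if la != lb:
            details.append(f"first divergence at line {i + 1}: {la!r} vs {lb!r}")
            break
    return "differ", details


def diff_testcase(js_path: str, testcase: str) -> Tuple[str, List[str]]:
    """Run the testcase under both configurations and classify the pair."""
    return classify(run_shell(js_path, CONFIG_ION, testcase),
                    run_shell(js_path, CONFIG_BASELINE, testcase))
```

Without the fix, the second baseline run in the report would be classified as a finding; with the marker emitted on every failed overrecursion check, the harness can discard such mismatches instead of filing them.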
try {
    (function f(x) {
        if (x > 0) r = RegExp("^.{")
        s = print("".match(r));
        f(x);
        a = {}
    })(99)
} catch {}


This prints "null" multiple times, but the number of times it is printed is different.

$ ./js-64-dm-linux-b1628ac71fcc --fuzzing-safe --no-threads --baseline-eager --no-ion 2870117.js > out.txt
$ wc -l out.txt 
6468 out.txt

$ ./js-64-dm-linux-b1628ac71fcc --fuzzing-safe --baseline-eager --no-ion 2870117.js > out2.txt
$ wc -l out2.txt 
6473 out2.txt

Tested on 64-bit opt deterministic builds on m-c rev b1628ac71fcc.

I'm guessing this is the same issue, so merely posting here.
Attached patch: Patch
Gary, sorry for the delay.

This just prints the overrecursed message to stderr in RegExpCompiler::CheckOverRecursed in more-deterministic builds.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8973965 - Flags: review?(sphink)
Priority: -- → P1
Comment on attachment 8973965 [details] [diff] [review]
Patch

Review of attachment 8973965 [details] [diff] [review]:
-----------------------------------------------------------------

WFM
Attachment #8973965 - Flags: review?(sphink) → review+
Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/19b42c0e8916
Print to stderr in more-deterministic builds when irregexp overrecursion check fails. r=sfink
https://hg.mozilla.org/mozilla-central/rev/19b42c0e8916
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla62