Closed
Bug 1476417
Opened 6 years ago
Closed 6 years ago
Differential Testing: Different output message involving arguments
Categories
(Core :: JavaScript Engine: JIT, defect)
Core
JavaScript Engine: JIT
Tracking
()
RESOLVED
FIXED
mozilla63
Tracking | Status | |
---|---|---|
firefox63 | --- | fixed |
People
(Reporter: gkw, Assigned: anba)
References
Details
(Keywords: testcase)
Attachments
(1 file)
2.53 KB,
patch
|
jandem
:
review+
|
Details | Diff | Splinter Review |
function f(x) { return (Math, arguments = 9999 * (x -= 1)); } x = [0, 0, 524288]; for (var j = 0; j < 3; ++j) { print(f(x[j])); } $ ./js-dbg-64-dm-linux-547144f5596c --fuzzing-safe --no-threads --ion-eager testcase.js -9999 -9999 5242335714 $ ./js-dbg-64-dm-linux-547144f5596c --fuzzing-safe --no-threads --baseline-eager --no-ion testcase.js -9999 -9999 5242345713 Tested this on m-c rev 547144f5596c. My configure flags are: 'AR=ar' 'sh' '/home/ubuntu/trees/mozilla-central/js/src/configure' '--enable-debug' '--enable-more-deterministic' '--with-ccache' '--enable-gczeal' '--enable-debug-symbols' '--disable-tests' python -u -m funfuzz.js.compile_shell -b "--enable-debug --enable-more-deterministic" -r 547144f5596c autobisectjs shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/1832a6e47f1c user: Tom Schuster date: Fri Dec 30 17:38:08 2016 +0100 summary: Bug 1324566 - Port Baseline GlobalNameAccessor to CacheIR. r=jandem Tom, is bug 1324566 a likely regressor?
Flags: needinfo?(evilpies)
Comment 1•6 years ago
|
||
I don't think so, no GlobalNameGetter is attached while running this. Maybe Matthew can take a look, he has been working on CacheIR the most recently.
Flags: needinfo?(evilpies) → needinfo?(mgaudet)
Comment 2•6 years ago
|
||
It's definitely not a CacheIR problem: I see the same behaviour with --cache-ir-stubs=off Gary: Is it possible to re-do the regression search with that option set? (Just wondering if it might find a more interesting regressor, or if the bisect will double-down on that bug)
Flags: needinfo?(mgaudet) → needinfo?(nth10sd)
Assignee | ||
Comment 3•6 years ago
|
||
Here's my guess what happens: --- function f(x) { arguments; // <-- Force creation of mapped arguments, so modifying |x| writes to memory. Math; // <-- We resume from here after the int32 overflow in the multiplication. (Access to global variables creates a resume point.) var y; x += 1; // <-- Is executed twice because the resume point is before the addition. y = 2 * x; // <-- Triggers bailout when overflowing int32 boundaries. print(x, y); // Should print "1073741824 2147483648" in the 3rd iteration, but actually prints "1073741825 2147483650". } x = [0, 0, 0x3FFFFFFF]; for (var j = 0; j < 3; ++j) { f(x[j]); } ---
Assignee | ||
Comment 4•6 years ago
|
||
This patch does fix the issue, but I have no idea if that's the correct solution here: diff --git a/js/src/jit/IonBuilder.cpp b/js/src/jit/IonBuilder.cpp --- a/js/src/jit/IonBuilder.cpp +++ b/js/src/jit/IonBuilder.cpp @@ -12252,18 +12252,20 @@ IonBuilder::jsop_setarg(uint32_t arg) script()->baselineScript()->modifiesArguments()); MDefinition* val = current->peek(-1); // If an arguments object is in use, and it aliases formals, then all SETARGs // must go through the arguments object. if (info().argsObjAliasesFormals()) { if (needsPostBarrier(val)) current->add(MPostWriteBarrier::New(alloc(), current->argumentsObject(), val)); - current->add(MSetArgumentsObjectArg::New(alloc(), current->argumentsObject(), - GET_ARGNO(pc), val)); + auto* ins = MSetArgumentsObjectArg::New(alloc(), current->argumentsObject(), + GET_ARGNO(pc), val); + current->add(ins); + MOZ_TRY(resumeAfter(ins)); return Ok(); } // :TODO: if hasArguments() is true, and the script has a JSOP_SETARG, then // convert all arg accesses to go through the arguments object. (see Bug 957475) if (info().hasArguments()) return abort(AbortReason::Disable, "NYI: arguments & setarg.");
Reporter | ||
Comment 5•6 years ago
|
||
(In reply to Matthew Gaudet (he/him) [:mgaudet] from comment #2) > Gary: Is it possible to re-do the regression search with that option set? > (Just wondering if it might find a more interesting regressor, or if the > bisect will double-down on that bug) I'm not sure if a new bisect would help. If CacheIR isn't involved, then something else is. Passing the baton to Jan as a start, esp regarding Andre's comment 4.
Flags: needinfo?(nth10sd) → needinfo?(jdemooij)
Comment 6•6 years ago
|
||
Very old bug, nice find. André's fix is the right one, effectful instructions like MSetArgumentsObjectArg need a resume point. We've tried to assert this in the past but IIRC it's complicated. anba, want to finish this?
Flags: needinfo?(jdemooij) → needinfo?(andrebargull)
Assignee | ||
Comment 7•6 years ago
|
||
Assignee: nobody → andrebargull
Status: NEW → ASSIGNED
Flags: needinfo?(andrebargull)
Attachment #8994830 -
Flags: review?(jdemooij)
Comment 8•6 years ago
|
||
Comment on attachment 8994830 [details] [diff] [review] bug1476417.patch Review of attachment 8994830 [details] [diff] [review]: ----------------------------------------------------------------- Thanks!
Attachment #8994830 -
Flags: review?(jdemooij) → review+
Comment 9•6 years ago
|
||
André, should we land this patch on your behalf?
Flags: needinfo?(andrebargull)
Assignee | ||
Comment 10•6 years ago
|
||
Oh, I just forgot to request check-in for this one. I'll spin a try-build for this patch and when it's successful, I'll set the checkin-needed flag.
Assignee | ||
Comment 11•6 years ago
|
||
Try: https://treeherder.mozilla.org/#/jobs?repo=try&revision=5dafa3f50d04bf9bc793cab64e8caf4653b907dc
Flags: needinfo?(andrebargull)
Keywords: checkin-needed
Comment 12•6 years ago
|
||
Pushed by cbrindusan@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/3db99794bc30 Add a resume point after assigning to a mapped argument. r=jandem
Keywords: checkin-needed
Comment 13•6 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/3db99794bc30
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
You need to log in
before you can comment on or make changes to this bug.
Description
•