Closed Bug 1528597 Opened 6 years ago Closed 6 years ago

Differential Testing: Different output message involving IonMonkey on ARM64

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
ARM64
All
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla67
Tracking Flags:
Tracking Status
firefox67 --- fixed

People

(Reporter: gkw, Assigned: nbp)

References

(Blocks 2 open bugs)

Details

(Keywords: testcase, Whiteboard: [fuzzblocker][arm64:m3])

Attachments

(1 file)

Bug 1528597 - ARM64: Fix CodeGenerator::visiShiftI Ursh case doing more than other architecture and baseline.
47 bytes, text/x-phabricator-request
Details | Review 
setJitCompilerOption('ion.enable', 1);
function f(x, y) {
    return (x >>> x % Math.cosh(y))
}
function g(f, x) {
    for (let i = 0; i < 2; ++i)
        print(f(x[i], x[0]))
}
g(f, [2147483649, -2147483648]);

$ ./js-dbg-64-dm-linux-aarch64-bf8ca7933ead --fuzzing-safe --ion-offthread-compile=off --ion-eager testcase.js
1073741824
-2147483648

$ ./js-dbg-64-dm-linux-aarch64-bf8ca7933ead --fuzzing-safe --ion-offthread-compile=off --baseline-eager --no-ion testcase.js
1073741824
2147483648

Tested this on m-c rev bf8ca7933ead. This seems specific to ARM64, at least on native ARM64 EC2 systems. ARM64 simulator binaries on x86_64 also seem to be affected.

My configure flags are:

AR=ar sh ./configure --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests --disable-cranelift

python3 -u -m funfuzz.js.compile_shell -b "--enable-debug --enable-more-deterministic" -r bf8ca7933ead

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/2b3012fa3cbf
user: Sean Stangl
date: Tue Feb 12 22:50:27 2019 +0000
summary: Bug 1523015 - Summary: Enable Ion on ARM64, but disable in-browser by pref. r=nbp

Sean, this is IonMonkey on ARM64, setting needinfo? from you as a start.

Flags: needinfo?(sstangl)
Whiteboard: [arm64:m3]
Blocks: arm64-js-fuzz-bugs

I'd like to elevate this to [fuzzblocker] status, it's quite prevalent throughout ARM64 testing on compare_jit.

Whiteboard: [arm64:m3] → [fuzzblocker][arm64:m3]
Assignee: nobody → nicolas.b.pierron
Status: NEW → ASSIGNED
Flags: needinfo?(sstangl)
Attachment #9047096 - Attachment description: Bug 1528597 - Arm64: Fix CodeGenerator::visiShiftI Ursh case doing more than other architecture and baseline. → Bug 1528597 - ARM64: Fix CodeGenerator::visiShiftI Ursh case doing more than other architecture and baseline.
Pushed by npierron@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/e4bda8b288b3 ARM64: Fix CodeGenerator::visiShiftI Ursh case doing more than other architecture and baseline. r=sstangl

https://hg.mozilla.org/mozilla-central/rev/e4bda8b288b3

Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox67: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: