Differential Testing: Different output message involving IonMonkey on ARM64 and --ion-gvn=off
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox67 | --- | affected |
People
(Reporter: gkw, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: testcase, Whiteboard: [fuzzblocker])
function f(x, y) {
    +(Math < y) >>> 0 && x([]);
}
for (let i = 0; i < 3; ++i) {
    try {
        f();
    } catch (e) {
        print(e);
    }
}
$ ./js-dbg-64-dm-armsim64-linux-x86_64-aecb76a0cd77 --fuzzing-safe --no-threads --ion-eager --ion-gvn=off testcase.js
TypeError: undefined is not a function
$
$ ./js-dbg-64-dm-armsim64-linux-x86_64-aecb76a0cd77 --fuzzing-safe --no-threads --ion-eager testcase.js
$
Tested this on m-c rev aecb76a0cd77.
My configure flags are:
AR=ar sh ./configure --enable-simulator=arm64 --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests --disable-cranelift
python3 -u -m funfuzz.js.compile_shell -b "--enable-debug --enable-more-deterministic --enable-simulator=arm64" -r aecb76a0cd77
autobisectjs shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/afb2e1e1665f
user: Sean Stangl
date: Thu Mar 07 03:57:23 2019 +0000
summary: Bug 1528869 - Enable IonMonkey in the ARM64 shell, but keep it disabled in the browser. r=nbp
Setting needinfo? from Sean and Nicolas since this is IonMonkey on ARM64. Also setting [fuzzblocker] because this completely blocks compare_jit fuzzing with --ion-gvn=off.
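The comparison described in the report, as an added example that is not part of the original bug or of funfuzz: a minimal differential harness that runs one testcase under two flag sets and reports any difference in exit code, stdout or stderr. The JS shell is replaced by a constructed stub script that mimics the reported output so the block runs offline; `run_config`, `differential_run` and `demo` are hypothetical names.

```python
import os
import subprocess
import sys
import tempfile

# Constructed stand-in for the JS shell so the example runs offline: it prints
# the reported message only when --ion-gvn=off is passed, as in the report.
STUB_SHELL = '''import sys
if "--ion-gvn=off" in sys.argv:
    print("TypeError: undefined is not a function")
'''

def run_config(shell_cmd, flags, testcase, timeout=30):
    """Run one flag configuration and return what a comparison needs."""
    try:
        proc = subprocess.run([*shell_cmd, *flags, testcase],
                              capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return {"rc": None, "out": "", "err": "TIMEOUT"}
    return {"rc": proc.returncode, "out": proc.stdout, "err": proc.stderr}

def differential_run(shell_cmd, testcase, common_flags, variants):
    """Run every variant; the first is the baseline. Return (results, mismatches)."""
    results = {name: run_config(shell_cmd, [*common_flags, *extra], testcase)
               for name, extra in variants.items()}
    baseline = next(iter(results.values()))
    mismatches = [name for name, res in results.items() if res != baseline]
    return results, mismatches

def demo():
    """Compare the two invocations from the report, using the stub shell."""
    with tempfile.TemporaryDirectory() as tmp:
        stub = os.path.join(tmp, "stub_shell.py")
        testcase = os.path.join(tmp, "testcase.js")
        with open(stub, "w") as fh:
            fh.write(STUB_SHELL)
        with open(testcase, "w") as fh:
            fh.write("// testcase from the report goes here\n")
        common = ["--fuzzing-safe", "--no-threads", "--ion-eager"]
        variants = {"default": [], "gvn-off": ["--ion-gvn=off"]}
        return differential_run([sys.executable, stub], testcase, common, variants)

if __name__ == "__main__":
    results, mismatches = demo()
    for name in mismatches:
        print(f"MISMATCH in {name}: {results[name]!r}")
```

To use it against a real build, pass the path to the shell binary as a one-element list in place of the stub command.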
Comment 1•5 years ago
I am able to reproduce this, and this is fixed by the fix attached in Bug 1534810.