Differential Testing: Different output message involving IonMonkey on ARM64 and Math.round

RESOLVED FIXED in Firefox 67

Status: RESOLVED FIXED (defect, priority P1, severity major); reported 2 months ago, last modified a month ago

People: Reporter: gkw, Assigned: nbp

Tracking: Blocks 3 bugs; keywords: testcase
Version: Trunk
Target Milestone: mozilla67
Hardware: ARM64
OS: All

Firefox Tracking Flags: firefox67 fixed

Details: Whiteboard: [fuzzblocker]; crash signature

Attachments: 1 attachment

(Reporter)

Description

2 months ago
function f() {}
function g(x) {
    return (x >> 0) + Math.imul(+f(), Math.round(1));
}
for (let i = 0; i < 2; ++i) {
    print(g());
}

$ ./js-dbg-64-dm-armsim64-linux-x86_64-aecb76a0cd77 --fuzzing-safe --no-threads --baseline-eager --no-ion testcase.js
0
0

$ ./js-dbg-64-dm-armsim64-linux-x86_64-aecb76a0cd77 --fuzzing-safe --no-threads --ion-eager testcase.js
0
-13

Tested this on m-c rev aecb76a0cd77.

My configure flags are:

AR=ar sh ./configure --enable-simulator=arm64 --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests --disable-cranelift
python3 -u -m funfuzz.js.compile_shell -b "--enable-debug --enable-more-deterministic --enable-simulator=arm64" -r aecb76a0cd77

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/afb2e1e1665f
user: Sean Stangl
date: Thu Mar 07 03:57:23 2019 +0000
summary: Bug 1528869 - Enable IonMonkey in the ARM64 shell, but keep it disabled in the browser. r=nbp

Setting needinfo? from Sean and Nicolas since this is IonMonkey on ARM64. Also setting [fuzzblocker] because this is hard to differentiate from the other fuzzblocking compare_jit issues.

Flags: needinfo?(sstangl)
Flags: needinfo?(nicolas.b.pierron)
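The report above compares two shell invocations (baseline-only versus `--ion-eager`) on the same testcase. The same idea can be applied inside a single engine by evaluating a function cold, warming it up until a tiering JIT compiles it, and re-evaluating the same inputs. The harness below is an added example, not funfuzz's compare_jit or any code from this bug: the subject functions, the input list and the warm-up count are constructed for illustration. The first subject is the reporter's testcase shape; the others exercise nearby int32 multiply edge cases. Under an unaffected engine every subject reports no cold/hot difference; on the affected ARM64 shell the `--ion-eager` run is what would expose the mismatch, and a warm-up check only sees it if the Ion tier is actually reached.

```javascript
// Added example: single-engine differential check in the spirit of the
// compare_jit runs in the report. Not fuzzer or SpiderMonkey code; every
// name, input and count here is constructed for illustration.
"use strict";

// Works in both the JS shell (print) and Node (console.log).
const out = typeof print === "function" ? print : console.log;

// compare_jit-style equality: NaN must match NaN and -0 must differ from +0,
// which === gets wrong, so use Object.is.
function sameValue(a, b) {
  return Object.is(a, b);
}

// Call fn on every input many times so a tiering JIT has a reason to
// compile it; the sink keeps the calls from being dead code.
function warmUp(fn, inputs, rounds) {
  let sink = 0;
  for (let r = 0; r < rounds; ++r) {
    for (const x of inputs) sink += fn(x) | 0;
  }
  return sink;
}

function f() {}

// Subjects under test. reporterShape is the testcase from the description;
// the rest probe the same Math.imul / multiply-by-constant territory.
const subjects = {
  reporterShape: x => (x >> 0) + Math.imul(+f(), Math.round(1)),
  imulByOne:     x => Math.imul(x | 0, Math.round(1)),
  imulByMinus1:  x => Math.imul(x | 0, -1),
  imulOverflow:  x => Math.imul(x | 0, 0x7fffffff),
  roundThenMul:  x => Math.round(x) * 1,
};

// Constructed inputs: zero, both signs, int32 limits, a value that wraps
// under ToInt32, NaN, -0, fractions, and undefined (as in the report).
const inputs = [0, 1, -1, 13, -13, 0x7fffffff, -0x80000000, 2 ** 32 + 5,
                NaN, -0, 0.5, -0.5, undefined];

// Evaluate cold, warm up, evaluate hot; return every input whose result
// changed between the two passes.
function differentialCheck(name, fn, rounds = 20000) {
  const cold = inputs.map(x => fn(x));
  warmUp(fn, inputs, rounds);
  const hot = inputs.map(x => fn(x));
  const mismatches = [];
  for (let i = 0; i < inputs.length; ++i) {
    if (!sameValue(cold[i], hot[i])) {
      mismatches.push({ name, input: inputs[i], cold: cold[i], hot: hot[i] });
    }
  }
  return mismatches;
}

// Run every subject and collect all mismatches.
function runAll() {
  const found = [];
  for (const [name, fn] of Object.entries(subjects)) {
    found.push(...differentialCheck(name, fn));
  }
  return found;
}

const results = runAll();
for (const m of results) {
  out(`MISMATCH ${m.name}(${m.input}): cold=${m.cold} hot=${m.hot}`);
}
if (results.length === 0) out("no cold/hot differences");
```

A genuine two-process compare_jit run is still stronger than this: a warm-up loop cannot force a particular tier, and the `--no-ion` / `--ion-eager` pair used in the report pins exactly which compiler produced each answer.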
(Assignee)

Updated

2 months ago
Assignee: nobody → nicolas.b.pierron
Status: NEW → ASSIGNED
Flags: needinfo?(nicolas.b.pierron)
(Assignee)

Comment 1

2 months ago

I can reproduce this issue. I will investigate.

Flags: needinfo?(sstangl)
(Assignee)

Updated

2 months ago
Priority: -- → P1
(Assignee)

Comment 3

2 months ago

The problem here is that the code got copied from x86-shared, which is lowered with defineReuseInput; however, this is not the case on arm64, and we missed a register copy in case the registers are different.
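A toy model of the lowering difference described in the comment above, added here as an example; it is not SpiderMonkey's LMulI or code generator. The machine, the register names and the stale register value (-13, chosen only to echo the second output line in the report) are all constructed. It shows why "multiply by 1 emits nothing" is safe when the allocator forces the output register to alias the input (the x86-shared reuse-input lowering) and wrong when the output may be a separate register, and that the fix is the copy the landed patch describes.

```javascript
// Added example: toy model of the reuse-input vs separate-output lowering
// problem from comment 3. Not SpiderMonkey code; registers, opcodes and the
// stale value are constructed for illustration.
"use strict";

const out = typeof print === "function" ? print : console.log;

// A minimal machine: three registers that start with stale contents (as a
// real register would after whatever ran before), plus an instruction list.
function makeMachine(stale) {
  return { regs: { r0: stale, r1: stale, r2: stale }, code: [] };
}

function emit(m, op, dst, src, imm) {
  m.code.push({ op, dst, src, imm });
}

// Execute the emitted instructions in order.
function run(m) {
  for (const ins of m.code) {
    switch (ins.op) {
      case "mov": m.regs[ins.dst] = m.regs[ins.src]; break;
      case "mul": m.regs[ins.dst] = Math.imul(m.regs[ins.src], ins.imm); break;
      default: throw new Error("unknown op " + ins.op);
    }
  }
  return m;
}

// Lower "dst = src * imm" with the multiply-by-1 strength reduction.
//   reuseInput = true  : x86-style allocation, dst is forced to alias src,
//                        so emitting nothing for imm === 1 is correct.
//   reuseInput = false : dst may be a separate register. The buggy variant
//                        still emits nothing; the fixed variant emits the
//                        copy, as the ARM64 fix does.
function lowerMulByImm(m, dst, src, imm, { reuseInput, fixed }) {
  if (reuseInput) dst = src;            // allocator made dst alias src
  if (imm === 1) {
    if (reuseInput || !fixed) return;   // nothing emitted
    emit(m, "mov", dst, src);           // the previously missing copy
    return;
  }
  emit(m, "mul", dst, src, imm);
}

// Compute x * 1 with the input in r1 and the result expected in the
// allocated output register; return what a consumer would read.
function computeTimesOne(x, opts, stale = -13) {
  const m = makeMachine(stale);
  m.regs.r1 = x;
  lowerMulByImm(m, "r0", "r1", 1, opts);
  run(m);
  const resultReg = opts.reuseInput ? "r1" : "r0";
  return m.regs[resultReg];
}

// The same computation, 0 * 1, under the three configurations.
const x86Style = computeTimesOne(0, { reuseInput: true,  fixed: false });
const arm64Bug = computeTimesOne(0, { reuseInput: false, fixed: false });
const arm64Fix = computeTimesOne(0, { reuseInput: false, fixed: true  });

out(`reuse-input lowering:        ${x86Style}`);
out(`separate output, no copy:    ${arm64Bug}`);
out(`separate output, with copy:  ${arm64Fix}`);
```

The check to carry away when porting lowering code between backends: any "emit nothing" fast path is an implicit assumption that the output register already holds the input, which is only guaranteed under a reuse-input definition.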

(Assignee)

Updated

2 months ago
Duplicate of this bug: 1534779

Comment 5

2 months ago
Pushed by npierron@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/425b8e0eb6d6
ARM64: LMulI should copy registers when multiplying by 1. r=sstangl

Comment 6

2 months ago
bugherder
Status: ASSIGNED → RESOLVED
Last Resolved: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
(Assignee)

Updated

2 months ago
Duplicate of this bug: 1534834
(Assignee)

Updated

2 months ago
Duplicate of this bug: 1529920
(Assignee)

Updated

2 months ago
Duplicate of this bug: 1532405
(Assignee)

Updated

2 months ago
Duplicate of this bug: 1531054
(Assignee)

Updated

a month ago
Duplicate of this bug: 1534484
(Assignee)

Updated

a month ago
Duplicate of this bug: 1535901
(Assignee)

Updated

a month ago
Duplicate of this bug: 1530535
Crash Signature: [@ JSObject::getClass]