Differential Testing: Different output message involving __proto__
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox68 | --- | affected |
People
(Reporter: gkw, Unassigned)
References
(Regression)
Details
(Keywords: regression, testcase)
x = [];
x.unshift(0, 1);
y = [];
relazifyFunctions();
y[3] = [];
y.__proto__ = x;
for (let i = 0; i < 2; ++i) {
y.shift();
}
print(y);
$ ./js-dbg-64-dm-linux-x86_64-90234f4c094d --fuzzing-safe --ion-offthread-compile=off --ion-eager testcase.js
0,
$ ./js-dbg-64-dm-linux-x86_64-90234f4c094d --fuzzing-safe --ion-offthread-compile=off --no-baseline --no-ion testcase.js
1,
Tested this on m-c rev 90234f4c094d.
My configure flags are:
AR=ar sh ./configure --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests --disable-cranelift
python3 -u -m funfuzz.js.compile_shell -b "--enable-debug --enable-more-deterministic" -r 90234f4c094d
I'm setting this as s-s because this is yet another __proto__ issue found after the pwn2own tweaks were made, to be safe.
|
Reporter | |
Comment 1•5 years ago
|
||
autobisectjs shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/b6315d186b4b
user: Jan de Mooij
date: Tue May 02 14:26:44 2017 +0200
summary: Bug 1357680 part 3 - Don't mark the new group as having unknown properties when changing an object's proto. r=bhackett
Jan, is bug 1357680 a likely regressor?
|
||
Updated•5 years ago
|
|
||
Comment 2•5 years ago
|
||
This is the same issue as bug 1544386 (patch for that one fixes this too).
Gary, please keep doing differential testing :)
|
||
Updated•4 years ago
|
|
||
Updated•2 years ago
|
Description
•