Differential Testing: Different output message involving evalcx
Categories
(Core :: JavaScript Engine: JIT, defect, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox71 | --- | unaffected |
| firefox72 | --- | unaffected |
| firefox73 | --- | wontfix |
| firefox74 | --- | fixed |
People
(Reporter: gkw, Assigned: jandem)
References
Details
(Keywords: regression, testcase)
Attachments
(1 file)
try {
x = new Uint8ClampedArray;
x.byteOffset;
evalcx("let x = x.subarray(1);", this);
} catch (e) {
print(e);
}
$ ./js-dbg-64-dm-linux-x86_64-930ad6def3c7 --fuzzing-safe --no-threads --baseline-eager --no-ion testcase.js
ReferenceError: can't access lexical declaration `x' before initialization
$
$ ./js-dbg-64-dm-linux-x86_64-930ad6def3c7 --fuzzing-safe --no-threads --ion-eager testcase.js
$
Tested this on m-c rev 930ad6def3c7.
My configure flags are:
AR=ar sh ./configure --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
autobisectjs shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/a49a644cc220
user: Jan de Mooij
date: Fri Dec 13 19:24:56 2019 +0000
summary: Bug 1603373 part 4 - Remove ambiguous TypeSet::PrimitiveType(ValueType) method. r=iain,tcampbell
Jan, is bug 1603373 a likely regressor?
|
Reporter | |
Comment 1•5 years ago
|
||
try {
x = [];
x[0];
evalcx("let x = x.subarray(1);", this);
} catch (e) {
print(e);
}
$ ./js-dbg-64-dm-linux-x86_64-930ad6def3c7 --fuzzing-safe --no-threads --baseline-eager --no-ion testcase.js
ReferenceError: can't access lexical declaration `x' before initialization
$ ./js-dbg-64-dm-linux-x86_64-930ad6def3c7 --fuzzing-safe --no-threads --ion-eager testcase.js
TypeError: undefined is not a function
Actually, subarray seems more related.
|
|
Reporter | |
Comment 2•5 years ago
|
||
Here's another testcase without subarray, so evalcx may be another possible culprit.
try {
evalcx("let c = x = 5, x;", this);
} catch (e) {
print(e);
}
|
Assignee | |
Comment 3•5 years ago
•
|
||
Good find.
The script has a DEFLET x and SETGNAME x. When IonBuilder compiles the SETGNAME, the property does not exist yet on the lexical environment, so in testGlobalLexicalBinding it attaches a constraint and then assumes it's on the global.
Before bug 1603373, DEFLET/DefLexicalOperation would then add a magic type for the property and we'd invalidate. Now we ignore magic types for HeapTypeSets and we don't invalidate.
I'm not sure what the best fix is. The old behavior was bad and confusing (it would end up treating the TDZ magic value as TYPE_FLAG_LAZYARGS) and it's nice to not have magic types in HeapTypeSets.
|
|
Assignee | |
Comment 4•5 years ago
|
||
I have a patch for this but I want to land bug 1605066 first to simplify the environment object + TI situation.
|
||
Updated•5 years ago
|
|
|
Assignee | |
Comment 5•5 years ago
|
||
Since bug 1603373 we no longer store magic types in HeapTypeSets. This broke an
Ion optimization because it uses constraints to guard a property does not exist
on the global lexical environment. This patch explicitly fires the constraint
when defining an uninitialized global lexical.
I was unable to write a test for this that doesn't require --ion-eager.
|
||
Updated•5 years ago
|
|
|
Assignee | |
Updated•5 years ago
|
|
||
Updated•5 years ago
|
|
|
Assignee | |
Updated•5 years ago
|
|
||
Comment 8•5 years ago
|
||
| bugherder | ||
|
|
||
Comment 9•5 years ago
|
||
Is there a user impact here which justifies uplift consideration or can this fix ride Fx74 to release?
|
|
Assignee | |
Comment 10•5 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM] from comment #9)
Is there a user impact here which justifies uplift consideration or can this fix ride Fx74 to release?
It's an edge case that's --ion-eager specific I think so I don't think we need to uplift.
Description
•