Closed
Bug 1774794
Opened 3 years ago
Closed 3 years ago
Differential Testing: Different output message involving with ...argument
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1751660
People
(Reporter: exploit, Unassigned)
Details
Attachments
(1 file)
|
550 bytes,
text/javascript
|
Details |
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.115 Safari/537.36
Steps to reproduce:
Attached testcase prints different result depending on whether ion is enabled/disabled.
gecko-dev/commit 94c7a9798630f81af3f5de929b7703ff3b707331 built with fuzzilli build option(https://github.com/googleprojectzero/fuzzilli/blob/3f0d246a47f39e066ab560f3bb23e2fe47a25850/Targets/Spidermonkey/fuzzbuild.sh).
Actual results:
without ion, it prints function v1's contents
$ js --ion-warmup-threshold=100 --no-ion test.js
function v1(v2) {
function v3() {
with (v2) {
const v6 = Object(...arguments);
return v6;
}
}
let v7 = 0;
let v9 = v7 < 100;
const v10 = Uint8Array;
while (v9 != 0) {
const v12 = v7++;
const v14 = v7 < 100;
v9 = v14;
}
const v15 = v3();
return v15;
}
but with ion, it prints [object Object]
$ js --ion-warmup-threshold=100 test.js
[object Object]
|
||
Comment 1•3 years ago
|
||
This is the same issue as bug 1751660. The shell option --differential-testing should be used to avoid this class of errors.
Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Summary: Differential Testing: Different output message involving Object(...arguments) → Differential Testing: Different output message involving with ...argument
You need to log in
before you can comment on or make changes to this bug.
Description
•