Closed Bug 1790647 Opened 3 years ago Closed 3 years ago

Differential testing: ion miscomputes negative zero

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
106 Branch
Tracking Flags:
Tracking Status
firefox-esr91 --- unaffected
firefox-esr102 --- unaffected
firefox104 --- unaffected
firefox105 --- wontfix
firefox106 --- fixed

People

(Reporter: lukas.bernhard, Assigned: anba)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression)

Attachments

(1 file)

Bug 1790647: Handle negative zero in RNaNToZero. r=iain!
48 bytes, text/x-phabricator-request
Details | Review

Steps to reproduce:

During differential fuzzing, I encountered a miscomputation. The attached sample prints different values, depending on whether ion is enabled or not. Reproduces on git commit: 7b36c8b83337c4b4cdfd4ccc2168f3491a86811b
Bisecting the issue identifies commit 2d51898985f3b8fe60871686ea440bb3c2587350 related to bug 1783622.

sample.js

function main() {
    let sawNegZero = false;
    for (let i = 0; i < 10; i++) {
        async function v8(v12) {
            for (let j = 0; j < 18; j++) {}

            for (let v23 = 0; v23 < 3; v23++) {
                const v24 = -Infinity;
                const v25 = v23 * -2962554220;
                const v26 = v24 ** v24;
                const v27 = v25 ? v25 : v26;

                const v28 = {}; 
                try {
                    v28 instanceof v12;
                } catch(v30) {
                    if (Object.is(v27, -0.0)) {
                        sawNegZero = true;
                    }   
                }
            }
        }   
        v8();
    }   
    print(sawNegZero); // ion: true; baseline and d8: false
}
main();

obj-x86_64-pc-linux-gnu/dist/bin/js --fast-warmup --no-threads --cpu-count=1 --ion-offthread-compile=off --fuzzing-safe --differential-testing sample.js

prints true

obj-x86_64-pc-linux-gnu/dist/bin/js --no-ion --no-threads --cpu-count=1 --ion-offthread-compile=off --fuzzing-safe --differential-testing sample.js

prints false

Blocks: l11d-js-fuzzing
Component: Untriaged → JavaScript Engine: JIT
Product: Firefox → Core

The bisection seems to be wrong. This is actually a regression from bug 1176230. (Scratch that, bug 1783622 also changed the recover code for MNaNToZero.)

This code replaces the pattern testArg ? testArg : 0.0 with MNaNToZero. But that is incorrect when testArg is -0, because then -0 isn't normalised to +0.

Assignee: nobody → andrebargull
Status: NEW → ASSIGNED
Regressed by: 1783622

Set release status flags based on info from the regressing bug 1783622

status-firefox104: --- → unaffected
status-firefox105: --- → affected
status-firefox106: --- → affected
status-firefox-esr102: --- → unaffected
status-firefox-esr91: --- → unaffected
Pushed by andre.bargull@gmail.com: https://hg.mozilla.org/integration/autoland/rev/2c9a5fec5ec4 Handle negative zero in RNaNToZero. r=iain

https://hg.mozilla.org/mozilla-central/rev/2c9a5fec5ec4

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox106: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 106 Branch
status-firefox105: affectedwontfix
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: