Closed Bug 1791352 Opened 3 years ago Closed 3 years ago

Differential Testing: Different output message involving --ion-eager

Categories

(Core :: JavaScript Engine: JIT, defect, P1)

Tracking

RESOLVED FIXED
107 Branch
Tracking Status
firefox-esr102 --- unaffected
firefox105 --- wontfix
firefox106 --- fixed
firefox107 --- fixed

People

(Reporter: gkw, Assigned: anba)

References

(Blocks 3 open bugs, Regression)

Details

(Keywords: regression, testcase)

Attachments

(1 file)

function f(x, y, m) {
    let w = Math.log(y) && Math.min(Math.max(x / x, x), x);
    if (m) {
        print(w);
    }
}
let z = [1, 0, 2];
for (let i = 0; i < 9; i++) {
    f(1, z[i], false);
}
f(0, 1, false);
f(0, 0, false);
f(0, 2, true);

Output (rev 95d4708dc680, m-c latest default tip):

$ ./js --fuzzing-safe --differential-testing --no-threads --ion-eager testcase.js 
0

$ ./js --fuzzing-safe --differential-testing --no-threads --baseline-eager --no-ion testcase.js 
NaN

Output (rev 8b53f7a9dea2, parent of potential regressor):

$ ./js --fuzzing-safe --differential-testing --no-threads --ion-eager testcase.js
NaN

$ ./js --fuzzing-safe --differential-testing --no-threads --baseline-eager --no-ion testcase.js
NaN

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/bb791e77a175
user:        André Bargull
date:        Mon Aug 08 17:56:26 2022 +0000
summary:     Bug 1782771 - Part 5: Fold min(x, min(x, y)) and max(x, max(x, y)). r=jandem

Compile with AR=ar sh ./configure --enable-debug --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests, tested on m-c rev 95d4708dc680.

Setting s-s to be safe. Andre, is bug 1782771 a likely regressor?

Flags: sec-bounty?
Flags: needinfo?(andrebargull)

This is similar to bug 1688346, where an instruction is optimised out which can bail out. Adding setGuardRangeBailoutsUnchecked() fixes this bug.

Flags: needinfo?(andrebargull)
Assignee: nobody → andrebargull
Status: NEW → ASSIGNED
Group: core-security → javascript-core-security
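
Added illustration (not part of the bug thread and not SpiderMonkey code): a plain-JavaScript model of the failure mode described in the comment above, where folding MMinMax leaves an instruction that can bail out unused. It assumes the fold is the int32 identity min(max(a, x), x) → x and that the removed instruction is the int32-specialised x / x; all function names are hypothetical.

```javascript
// Added model, not SpiderMonkey code; every function name here is hypothetical.
class Bailout extends Error {}

// Generic (interpreter/Baseline) semantics of the right-hand operand of `&&`
// in the testcase: Math.min(Math.max(x / x, x), x).
function generic(x) {
  return Math.min(Math.max(x / x, x), x);
}

// Int32-specialised division. It is only valid while the quotient is an int32,
// so it carries a guard that abandons the compiled code otherwise.
function int32Div(a, b) {
  const q = a / b;
  if ((q | 0) !== q || Object.is(q, -0)) throw new Bailout("quotient is not an int32");
  return q;
}

// Assumed fold: for int32 a, min(max(a, x), x) is always x.
function absorptionHolds(a, x) {
  return Math.min(Math.max(a, x), x) === x;
}

// Compiled code after the fold, with the division's guard preserved.
function foldedGuarded(x) {
  try {
    int32Div(x, x); // value unused after the fold, guard still executes
    return x;
  } catch (e) {
    if (!(e instanceof Bailout)) throw e;
    return generic(x); // bailout: resume in generic code
  }
}

// Compiled code after the fold, with the now-unused division removed as dead.
function foldedUnguarded(x) {
  return x;
}

// x = 1 is the warm-up value from the testcase, x = 0 the final call.
function demo() {
  return [1, 0].map((x) => ({
    x,
    generic: generic(x),
    guarded: foldedGuarded(x),
    unguarded: foldedUnguarded(x),
  }));
}

console.log(demo(), "identity with NaN operand:", absorptionHolds(NaN, 0));
```

For x = 0 the unguarded variant yields 0 while the generic and guarded variants yield NaN, the same split as the --ion-eager and --baseline-eager --no-ion runs in the report.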

Set release status flags based on info from the regressing bug 1782771

Severity: -- → S3
Priority: -- → P1
Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 107 Branch

FWIW I don't think this is exploitable for the same reason bug 1688346 wasn't exploitable.

Group: core-security-release
Flags: sec-bounty?

The patch landed in nightly and beta is affected.
:anba, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox106 to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(andrebargull)

Comment on attachment 9295235 [details]
Bug 1791352: Preserve bailouts when folding MMinMax. r=jandem!

Beta/Release Uplift Approval Request

  • User impact if declined: Incorrect optimization leading to wrong results (0 vs NaN)
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The change should be non-risky. It uses the same approach as in bug 1688346.
  • String changes made/needed:
  • Is Android affected?: Yes
Flags: needinfo?(andrebargull)
Attachment #9295235 - Flags: approval-mozilla-beta?

Comment on attachment 9295235 [details]
Bug 1791352: Preserve bailouts when folding MMinMax. r=jandem!

Approved for 106.0b3, thanks.

Attachment #9295235 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Hello, André!
Is manual QA testing needed here? Is there something that QA should check manually here?
Thanks!

Flags: needinfo?(andrebargull)

(In reply to Camelia Badau [:cbadau], Release Desktop QA from comment #10)

> Hello, André!
> Is manual QA testing needed here? Is there something that QA should check manually here?
> Thanks!

Oh, I'm so sorry, manual QA testing isn't actually needed, the change has a test case, so it gets automatically checked. I didn't pay enough attention when filling out the form and apparently just clicked through the "Yes" buttons.

Flags: needinfo?(andrebargull)