TM: Wrong value with upvars that change type in outermost trace

RESOLVED DUPLICATE of bug 497015

Status

Core
JavaScript Engine
9 years ago
5 years ago

People

(Reporter: gkw, Assigned: dmandelin)

Tracking

(Blocks: 2 bugs, {regression, testcase})

1.9.1 Branch
x86
Mac OS X
regression, testcase
Bug Flags:
blocking1.9.1 +
in-testsuite -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: fixed-in-tracemonkey)

(Reporter)

Description

9 years ago
v = 0;
for (let x = 0; x < 1; x) {
    print(function() {
        print([x
        for (e in [''])])
    } ())
    d = v
}

outputs (in opt js shell with -j):

2314240
undefined
2314240
undefined
2314240
undefined
2314240
undefined
2314240
undefined
2314240
undefined
2314240
undefined
... (truncated)

but outputs (in opt js shell without -j):

0
undefined
0
undefined
0
undefined
0
undefined
0
undefined
... (truncated)

This affects 1.9.1 branch. The values for opt are 2314240 (with -j), 0 (without -j), while the values for debug are 2863104 (with -j), 0 (without -j).
Flags: blocking1.9.1?
(Reporter)

Comment 1

9 years ago
These different values also occur on m-c / tm. The TM regression range is:

(outputs 0 and undefined): - http://hg.mozilla.org/tracemonkey/rev/d62fa90d2035
(outputs <someOtherNumber> and undefined): - http://hg.mozilla.org/tracemonkey/rev/fb64ba1cb3ad

No time yet to get a smaller regression window.
Keywords: regression, regressionwindow-wanted
Whiteboard: [needs assignee]

Comment 2

9 years ago
Confirmed with TM tip.

Updated

9 years ago
Group: core-security

Comment 3

9 years ago
Looking for compat peer 2@19, from 0x30dea0 (ip: 0x30db43)
checking vm types 0x30dea0 (ip: 0x30db43): stack0=I/I global0=I/I global1=I/I 
entering trace at x3.js:2@19, native stack slots: 13 code: 0x2cab1e
global: int<0> int<0> 
stack: stack0=int<0> 
Deep bail.
synthesized shallow frame for x3.js:4@0
leaving trace at x3.js:4@38, op=call, lr=0x27da94, exitType=10, sp=3, calldepth=1, cycles=70513
stack0=int<0> stack1=function<0x2bf578:print> stack2=object<0x2c0000:global> stack3=function<0x4a0b40:unnamed> stack4=null<0x0> stack0=function<0x2bf578:print> stack1=object<0x2c0000:global> stack2=object<0x4a0b60:Array> 
global0=int<0> global1=int<0> 
2883584
box<0x16> undefined

h-138:src gal$ printf %x 2883584
2c0000

We convert the global object reference into an integer.
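
The check done by hand in comment 3 (printf %x on the printed value), as an added example that is not part of the original bug report: it scans a TraceMonkey debug log for printed integers that equal an object address in the trace-exit slot dump. The sample log is constructed from the lines quoted in comment 3, and the function names are hypothetical.

```python
import re

# Constructed input: the trace-exit lines and program output quoted in comment 3.
TRACE_LOG = """\
leaving trace at x3.js:4@38, op=call, lr=0x27da94, exitType=10, sp=3, calldepth=1, cycles=70513
stack0=int<0> stack1=function<0x2bf578:print> stack2=object<0x2c0000:global> stack3=function<0x4a0b40:unnamed> stack4=null<0x0> stack0=function<0x2bf578:print> stack1=object<0x2c0000:global> stack2=object<0x4a0b60:Array>
global0=int<0> global1=int<0>
2883584
box<0x16> undefined
"""

# Matches slots such as stack2=object<0x2c0000:global>.
# Integer slots like int<0> carry no 0x prefix and are skipped.
SLOT = re.compile(r"\b((?:stack|global)\d+)=(\w+)<0x([0-9a-fA-F]+)(?::(\w+))?>")


def pointer_slots(log):
    """Map each non-null pointer in the slot dump to the slots that hold it."""
    slots = {}
    for slot, kind, addr, name in SLOT.findall(log):
        value = int(addr, 16)
        if value:  # ignore null<0x0>
            slots.setdefault(value, set()).add(f"{slot}={kind}:{name or '?'}")
    return slots


def find_leaked_pointers(log):
    """Return (printed value, hex address, slots) for every bare integer
    line of program output that equals a pointer from the slot dump."""
    slots = pointer_slots(log)
    hits = []
    for line in log.splitlines():
        text = line.strip()
        if text.isdigit() and int(text) in slots:
            value = int(text)
            hits.append((value, hex(value), sorted(slots[value])))
    return hits


if __name__ == "__main__":
    for value, addr, where in find_leaked_pointers(TRACE_LOG):
        print(f"{value} == {addr}, held by {', '.join(where)}")
```

A hit means a script-visible number is a raw heap address read with the wrong type, which is worth flagging in fuzzer triage even when nothing crashes.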

Comment 4

9 years ago
I am suspecting the deep bail top-of-the-stack-return-value late write back code.

Updated

9 years ago
Flags: blocking1.9.1? → blocking1.9.1+
This no longer reproduces in tracemonkey tip.

The first good revision is:
changeset:   28957:1cfe7ecbb88f
user:        David Mandelin <dmandelin@mozilla.com>
date:        Mon Jun 08 10:48:18 2009 -0700
summary:     Bug 496251: use up-to-date typemap when getting upvar from trace entry native frame, r=gal

If this patch actually has anything to do with this behavior, then this bug is FIXED.  Otherwise a scary WORKSFORME.
(Assignee)

Updated

9 years ago
Summary: TM: Different values with testcase containing for...in, print, function → TM: Wrong value with upvars that change type in outermost trace
Who gets to pick the resolution and take this off the active blocker list?
Whiteboard: [needs assignee] → fixed-in-tracemonkey
Depends on: 496251
Whiteboard: fixed-in-tracemonkey → fixed-in-tracemonkey DUPEME

Comment 7

9 years ago
dmandelin, I think. Looks ok, though.
dmandelin, care to make the call?
Assignee: general → dmandelin
Read through the bugs, this is FIXED -- that other patch looks very relevant.
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
(Assignee)

Comment 10

9 years ago
This looks like a dup of bug 497015, which was a bug when we get an upvar that was defined in the top-level with let--the arithmetic was off in that case, causing the wrong value to be taken from the trace native locals, and comment 3 confirms that failure mode.
(In reply to comment #9)
> Read through the bugs, this is FIXED -- that other patch looks very relevant.

"Read" there is "past participle", not "imperative to others".  I read through the bugs, and decided it was fixed. :)
Keywords: fixed1.9.1
Whiteboard: fixed-in-tracemonkey DUPEME → fixed-in-tracemonkey
Keywords: fixed1.9.1
Resolution: FIXED → DUPLICATE
Duplicate of bug: 497015
Group: core-security
(Reporter)

Updated

8 years ago
Flags: in-testsuite?
Keywords: regressionwindow-wanted
(Reporter)

Updated

6 years ago
Blocks: 349611
Bug in removed tracer code, setting in-testsuite- flag.
Flags: in-testsuite? → in-testsuite-