Closed Bug 611575 Opened 14 years ago Closed 14 years ago

TM: simple program gives wrong answer

Product/Component: Core :: JavaScript Engine
Type: defect
Platform: x86, macOS
Priority: Not set
Severity: normal
Status: RESOLVED DUPLICATE of bug 596730
Tracking Status: blocking2.0 --- final+
Reporter: n.nethercote
Assigned: dvander
Keywords: regression

I've reduced this to the following test case:

  function f(a) {
    print("pre-splice: " + a);
    while (a[0] in { 'x': 1 }) {
      a.splice(0, 1);
    }
    print("post-splice: " + a);
  };

  f(["x", "x", "y"]);
  f(["x", "x", "y"]);
  f(["x", "x", "y"]);
  f(["x", "x", "y"]);
  f(["x", "x", "y"]);

Running with -m I get the expected output:

  [ocean:~/moz/ws1/js/src/tmp] js1d32 -m parser.js
  pre-splice: x,x,y
  post-splice: y
  pre-splice: x,x,y
  post-splice: y
  pre-splice: x,x,y
  post-splice: y
  pre-splice: x,x,y
  post-splice: y
  pre-splice: x,x,y
  post-splice: y

(Copying this from 596730 comment 2.)

Running with -j the while loop finishes too early, as the last line printed
shows:

  [ocean:~/moz/ws1/js/src/tmp] js1d32 -j parser.js
  pre-splice: x,x,y
  post-splice: y
  pre-splice: x,x,y
  post-splice: y
  pre-splice: x,x,y
  post-splice: y
  pre-splice: x,x,y
  post-splice: y
  pre-splice: x,x,y
  post-splice: x,y

If you change just about anything in the program, the bug goes away.  This
includes removing the first print() call!

hg bisect blames the following changeset:

  The first bad revision is:
  changeset:   55739:0aa283c6294f
  user:        David Anderson <danderson@mozilla.com>
  date:        Fri Oct 22 16:27:28 2010 -0700
  summary:     Trace returning from JSOP_STOP with callDepth=0 (bug 606083, r=billm).

Blocks: 596730
Blocks: 606083
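
The reduced test case in comment 0 relies on reading the printed output by eye. The following is an added example, not code from the bug or from the SpiderMonkey tree: a self-checking form of the same loop that takes the first call as the reference result and reports the first later call that disagrees. The names stripLeadingX, firstDivergence and makeFaultyModel are hypothetical, and because the report notes that almost any change makes the bug disappear, this shows the shape of a regression check rather than a guaranteed reproducer.

```javascript
// Added example. Same loop as the reduced test case, but returning the
// result instead of printing it so that it can be compared.
function stripLeadingX(a) {
  while (a[0] in { 'x': 1 }) {
    a.splice(0, 1);
  }
  return a.join(",");
}

// Call fn on a fresh copy of `input` `rounds` times. The first call is the
// reference; return details of the first call that differs, or null.
function firstDivergence(fn, input, rounds) {
  const expected = fn(input.slice());
  for (let i = 1; i < rounds; i++) {
    const got = fn(input.slice());
    if (got !== expected) {
      return { call: i + 1, expected: expected, got: got };
    }
  }
  return null;
}

// Constructed stand-in that models the -j output shown in comment 0:
// on the fifth call the loop stops after a single splice.
function makeFaultyModel() {
  let calls = 0;
  return function (a) {
    calls++;
    const limit = calls === 5 ? 1 : Infinity;
    let removed = 0;
    while (a[0] in { 'x': 1 } && removed < limit) {
      a.splice(0, 1);
      removed++;
    }
    return a.join(",");
  };
}

// Constructed sample input, identical to the array used in the report.
const sample = ["x", "x", "y"];
const healthy = firstDivergence(stripLeadingX, sample, 5);
const faulty = firstDivergence(makeFaultyModel(), sample, 5);
console.log("real loop:", healthy === null ? "consistent" : JSON.stringify(healthy));
console.log("faulty model:", JSON.stringify(faulty));
```

On a correct engine the first line reports "consistent"; the second line shows the report the check produces when the fifth call returns "x,y" as in the -j run.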

(Apologies for the out-of-order paragraphs in comment 0.  Hopefully the gist is clear.)
blocking2.0: --- → ?
Keywords: regression

That bisect result is suspicious; likely it caused something to trace where it would have aborted before. I'll take a look.
Assignee: general → dvander
Status: NEW → ASSIGNED
blocking2.0: ? → final+

That's potentially good news:  it makes it more likely that there's a single defect causing both this bug and bug 596730.

(In reply to comment #3)
> That's potentially good news:  it makes it more likely that there's a single
> defect causing both this bug and bug 596730.

Turned out that is the case.  Marking this as a dup.
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE