TI: Incorrect results with compiled FreeType

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Reported: 6 years ago
Modified: 6 years ago

Reporter: azakai, Unassigned
Blocks: 1 bug

Version: Other Branch
Hardware: x86
OS: Linux

Firefox Tracking Flags: Not tracked

Attachments (3 attachments, 2 obsolete attachments)

1.92 MB, application/octet-stream
904.36 KB, application/octet-stream
630 bytes, application/x-javascript
Description (Reporter, 6 years ago)
Created attachment 520955 [details]
freetype - two versions

The attachment is FreeType compiled to JavaScript (two versions - one with optimizations, one without). Running it in jaegermonkey with -m and parameters |font.ttf test 80 75 2| gives incorrect results (an error in one version, an infinite loop in the other). The output without -m (and with the same parameters) is valid (it shows some ascii art).

This is similar and perhaps related to bug 643635.
Comment 1 (Reporter, 6 years ago)
Um, this shouldn't be a security sensitive bug - I guess I clicked the wrong button when filing it.

I don't see a way to undo that...?
Group: core-security
Comment 2 (Reporter, 6 years ago)
Created attachment 521047 [details]
freetype - gcc version

An additional build of FreeType, this time with llvm-gcc (other ones were with clang).

This build crashes with -j (with the same arguments as before), unlike the other ones. Otherwise it is similar: without JITs it works, -m gives incorrect output (0s).
The patch in bug 643829 does not fix this. Reducing...
Created attachment 522098 [details]
Reduced

My laptop spent most of yesterday attacking this 214,755-line monster. Let's hope there's only one bug here ;)

$ ./js -m -a test.js
test.js:22: Error: Assertion failed: got (void 0), expected 0

Looks a lot like bug 642569 (>50 locals)
Created attachment 522105 [details]
Reduced

This one may be easier to debug.
Attachment #522098 - Attachment is obsolete: true
Reduced testcase passes now but FreeType still fails with |-m -n| (incorrect result), so I'll probably have to reduce this again.
Comment 7 (Reporter, 6 years ago)
Looks like this happens on tracemonkey too, so it might not be a TI bug. Filed bug 648769.
Updated (Reporter, 6 years ago)
Depends on: 648769
Output is still incorrect with -n, I'll reduce this now.
Comment 9 (Reporter, 6 years ago)
Jan: This is still a problem on tracemonkey, so it is likely not a TI issue, as mentioned in comment #7. If you can reduce for tracemonkey for bug 648769, though, that would be extremely useful - we are having a hard time finding the cause by bisection!
(In reply to comment #9)
> Jan: This is still a problem on tracemonkey, so it is likely not a TI issue, as
> mentioned in comment #7. 

I'm using freetype_gcc_1_1.js. It works with -m, but with -m -n it prints incorrect values.

> If you can reduce for tracemonkey for bug 648769,
> though, that would be extremely useful - we are having a hard time finding the
> cause by bisection!

Hm can't reproduce, will post details in the other bug.
Created attachment 526473 [details]
Reduced

This fails with |-m -n| and |-m -n -a|:

test.js:20: Error: Assertion failed: got false, expected true

It looks like it's evicting the result of $rec = $rec + 1 because it decides $rec is dead.
Attachment #522105 - Attachment is obsolete: true
Bingo.  When running the liveness analysis on loop bodies, we initially assume that if the variable is dead after the loop it will be dead at the backedge too, and need to go and insert new lifetime segments if it is found to be live at the loop head.  This was broken though and did not insert new segments if the variable was written in the middle of the loop and those writes did not dominate the back edge.

http://hg.mozilla.org/projects/jaegermonkey/rev/d78eef12a329
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
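The failure mechanism discussed in the two comments above (the reduced testcase whose $rec = $rec + 1 result was evicted because $rec was judged dead, and the explanation that loop-body liveness did not insert new lifetime segments at the back edge when the write did not dominate it) can be reproduced on a toy backward liveness analysis. The block below is an added example in plain JavaScript; it is not SpiderMonkey or JaegerMonkey code, and the control-flow graph, block names and variable names are constructed for the illustration. It runs the textbook dataflow equations in two ways: a single backward sweep, which has the effect of assuming a variable dead after the loop is also dead at the back edge, and a fixed-point iteration that revisits the back edge with the loop head's final live-in set.

```javascript
// Added example (not SpiderMonkey/JaegerMonkey code): a toy backward
// liveness analysis over a small control-flow graph, showing why a
// loop's back edge has to be revisited once the loop head's live-in
// set is known. Block names, variable names and the CFG are
// constructed for this illustration.

// Loop shaped like the reduced testcase pattern described in the bug:
//   rec is read at the top of the loop body, incremented only on some
//   iterations (so that write does not dominate the back edge), and
//   is dead after the loop.
// Per block: variables read before being written (use), variables
// written (def), and successor blocks. Object key order is forward
// control-flow order; the sweep below walks it backwards.
const CFG = {
  entry:    { use: [],             def: ["rec", "out", "i"], succ: ["head"] },
  head:     { use: ["i"],          def: [],                  succ: ["body", "exit"] },
  body:     { use: ["out", "rec"], def: ["out"],             succ: ["incr_rec", "latch"] },
  incr_rec: { use: ["rec"],        def: ["rec"],             succ: ["latch"] },
  latch:    { use: ["i"],          def: ["i"],               succ: ["head"] }, // back edge
  exit:     { use: ["out"],        def: [],                  succ: [] },
};

const union = (a, b) => new Set([...a, ...b]);
const minus = (a, b) => new Set([...a].filter((x) => !b.has(x)));
const sameSet = (a, b) => a.size === b.size && [...a].every((x) => b.has(x));

// One backward sweep: liveOut[b] = union of liveIn over successors,
// liveIn[b] = use[b] union (liveOut[b] minus def[b]). Returns whether
// any set changed. A back edge to a block not yet processed in this
// sweep sees that block's live-in set from the previous sweep (empty
// on the first sweep), which is exactly the stale information that
// makes a write look dead.
function sweep(cfg, liveIn, liveOut) {
  let changed = false;
  for (const name of Object.keys(cfg).reverse()) {
    const b = cfg[name];
    const out = b.succ.reduce((acc, s) => union(acc, liveIn[s]), new Set());
    const inn = union(new Set(b.use), minus(out, new Set(b.def)));
    if (!sameSet(out, liveOut[name]) || !sameSet(inn, liveIn[name])) changed = true;
    liveOut[name] = out;
    liveIn[name] = inn;
  }
  return changed;
}

function emptySets(cfg) {
  const sets = {};
  for (const name of Object.keys(cfg)) sets[name] = new Set();
  return sets;
}

// The shortcut: one pass, so the back edge is never re-examined with
// the loop head's final live-in set. Variables dead after the loop
// are therefore treated as dead at the back edge too.
function singlePass(cfg) {
  const liveIn = emptySets(cfg), liveOut = emptySets(cfg);
  sweep(cfg, liveIn, liveOut);
  return { liveIn, liveOut, sweeps: 1 };
}

// The correct analysis: iterate until no live set changes, so the
// back edge picks up everything found live at the loop head.
function fixedPoint(cfg) {
  const liveIn = emptySets(cfg), liveOut = emptySets(cfg);
  let sweeps = 0;
  do { sweeps++; } while (sweep(cfg, liveIn, liveOut));
  return { liveIn, liveOut, sweeps };
}

// A write is dead if the variable is not live on exit from its block.
// A compiler that trusts a wrong "dead" verdict may drop or evict the
// stored value, which is the symptom reported in the bug.
function deadWrites(cfg, liveOut) {
  const dead = [];
  for (const [name, b] of Object.entries(cfg))
    for (const v of b.def) if (!liveOut[name].has(v)) dead.push(`${name}:${v}`);
  return dead;
}

const naive = singlePass(CFG);
const exact = fixedPoint(CFG);
console.log("single pass dead writes:", deadWrites(CFG, naive.liveOut));
console.log("fixed point dead writes:", deadWrites(CFG, exact.liveOut),
            "after", exact.sweeps, "sweeps");
```

Run it with node. The single pass reports the write in incr_rec (the $rec = $rec + 1 counterpart) as dead, because when latch was processed the loop head's live-in set was still empty; the fixed point converges after three sweeps, finds rec live at the loop head and across the back edge while still dead at exit, and reports no dead writes. The fix described in the bug corresponds to the second behaviour: when a variable turns out to be live at the loop head, its lifetime must be extended back along the loop body regardless of whether the mid-loop writes dominate the back edge.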