
JS Correctness: Different TypeError variants with/without methodjit

RESOLVED FIXED in mozilla11

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 5 years ago
Modified: 5 years ago
People

(Reporter: decoder, Assigned: bhackett)

Tracking

Blocks: 1 bug
Keywords: testcase
Version: Trunk
Target Milestone: mozilla11
Platform: x86_64 Linux
Points: ---

Firefox Tracking Flags: (Not tracked)

Attachments: 1 attachment

Description (Reporter)

5 years ago
The following test produces two different TypeError versions with options "-m -a" vs. no options on mozilla-central revision ca140190529a:

(toString++);
var self = this;
this.self++;

Output:

$ $JS -m -a min.js
min.js:3: TypeError: can't convert #1={self:#1#, toString:NaN} to number
$ $JS min.js
min.js:3: TypeError: can't convert this.self to number
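The conversion failure behind the test case, reproduced as an added example that is not part of the bug report or of SpiderMonkey. The test case clobbers the global `toString` with NaN (`toString++` converts the function to a number and stores the result) and then does `this.self++` on the global object itself, so ToNumber(object) runs OrdinaryToPrimitive: `valueOf` returns the object (not a primitive) and `toString` is no longer callable, so the engine throws a TypeError. The function names below (`tryIncrement`, `conversionHooks`, the three case functions) are my own and the objects are constructed stand-ins for the shell's global object; the code runs in any ECMAScript engine, e.g. Node.

```javascript
// Added example (not from the bug report): reproduces, in any ECMAScript
// engine, the ToNumber failure that produces the TypeError in the test case.

// Attempt `++` on a value and report the outcome instead of letting the
// exception escape. Returns {ok: true, value} or {ok: false, error, message}.
function tryIncrement(value) {
  try {
    let v = value;
    v++;                      // ToNumber(value), then + 1
    return { ok: true, value: v };
  } catch (e) {
    return { ok: false, error: e.constructor.name, message: e.message };
  }
}

// Report the state of the two OrdinaryToPrimitive hooks on an object, which
// is what decides whether ToNumber(obj) succeeds or throws: the first hook
// that is callable and returns a primitive wins; if neither does, TypeError.
function conversionHooks(obj) {
  const valueOfCallable = typeof obj.valueOf === "function";
  const valueOfResult = valueOfCallable ? obj.valueOf() : undefined;
  const isPrimitive = (x) =>
    x === null || (typeof x !== "object" && typeof x !== "function");
  return {
    valueOfCallable,
    valueOfReturnsPrimitive: valueOfCallable && isPrimitive(valueOfResult),
    toStringCallable: typeof obj.toString === "function",
  };
}

// Case 1: an ordinary object. valueOf() returns the object itself, so the
// engine falls through to toString(), which returns "[object Object]";
// ToNumber of that string is NaN, but no error is thrown.
function plainObjectCase() {
  return tryIncrement({});
}

// Case 2: the shape the test case builds on the global object: a
// self-referencing object whose toString has been replaced by NaN
// (the value left behind by `toString++`). valueOf still returns the
// object, toString is not callable, so `obj.self++` throws a TypeError.
function clobberedToStringCase() {
  const obj = {};          // constructed stand-in for the shell's global
  obj.self = obj;          // like `var self = this; ...` at top level
  obj.toString = NaN;      // like `toString++` on the global object
  return tryIncrement(obj.self);
}

// Case 3: both hooks absent (no prototype at all). Same TypeError, which
// shows that in case 1 it is the callable toString, not valueOf, that
// rescues the conversion.
function noHooksCase() {
  return tryIncrement(Object.create(null));
}
```

The exception text itself is engine-specific (V8 says "Cannot convert object to primitive value"; the SpiderMonkey shell in the report names the offending expression), which is the point of the bug: the same engine produced two different descriptions of `this.self` depending on whether the method JIT decompiled the faulting opcode.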
Comment 1

After the objshrink merge this now gives the same output regardless of options, though unfortunately it is the really ugly one using sharp variables. I'll look into fixing that and restoring the this.self output in all cases.
Comment 2

Created attachment 579178
patch

Patch.  The decompiler doesn't work on opcodes that are in the middle of a decomposed op because the source notes it needs aren't present.  This rejiggers things so that when decompiling at such an inner op it tries to decompile the outer op instead.
Assignee: general → bhackett1024
Attachment #579178 - Flags: review?(luke)

Comment 3

5 years ago
Comment on attachment 579178
patch

Looks reasonable.  I recommend you ask Gary for pre-fuzzing.
Attachment #579178 - Flags: review?(luke) → review+
> Looks reasonable.  I recommend you ask Gary for pre-fuzzing.

This does not blow up the fuzzers after fuzzing for awhile.
https://hg.mozilla.org/integration/mozilla-inbound/rev/12c1f73c461f
https://hg.mozilla.org/mozilla-central/rev/12c1f73c461f
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla11