Bug 706532 - JS Correctness: Different TypeError variants with/without methodjit
Status: RESOLVED FIXED
Keywords: testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Hardware/OS: x86_64 Linux
Importance: -- critical
Target Milestone: mozilla11
Assigned To: Brian Hackett (:bhackett)
Blocks: langfuzz
Reported: 2011-11-30 09:52 PST by Christian Holler (:decoder)
Modified: 2012-02-01 13:58 PST (History)


Attachments
patch (7.78 KB, patch)
2011-12-05 18:02 PST, Brian Hackett (:bhackett)
luke: review+

Description Christian Holler (:decoder) 2011-11-30 09:52:19 PST
The following test produces two different TypeError versions with options "-m -a" vs. no options on mozilla-central revision ca140190529a:

(toString++);
var self = this;
this.self++;

Output:

$ $JS -m -a min.js 
min.js:3: TypeError: can't convert #1={self:#1#, toString:NaN} to number
$ $JS min.js 
min.js:3: TypeError: can't convert this.self to number
Comment 1 Brian Hackett (:bhackett) 2011-12-05 13:08:33 PST
After the objshrink merge this now gives the same output regardless of options, though unfortunately it is the really ugly one using sharp variables.  I'll look into fixing that and restoring the this.self output in all cases.
Comment 2 Brian Hackett (:bhackett) 2011-12-05 18:02:15 PST
Created attachment 579178
patch

Patch.  The decompiler doesn't work on opcodes that are in the middle of a decomposed op because the source notes it needs aren't present.  This rejiggers things so that when decompiling at such an inner op it tries to decompile the outer op instead.
Comment 3 Luke Wagner [:luke] 2011-12-06 13:51:23 PST
Comment on attachment 579178
patch

Looks reasonable.  I recommend you ask Gary for pre-fuzzing.
Comment 4 Gary Kwong [:gkw] [:nth10sd] 2011-12-06 14:18:59 PST
> Looks reasonable.  I recommend you ask Gary for pre-fuzzing.

This does not blow up the fuzzers after fuzzing for a while.
Comment 5 Brian Hackett (:bhackett) 2011-12-06 16:01:13 PST
https://hg.mozilla.org/integration/mozilla-inbound/rev/12c1f73c461f
Comment 6 Ed Morley [:emorley] 2011-12-07 02:32:03 PST
https://hg.mozilla.org/mozilla-central/rev/12c1f73c461f