Closed Bug 748568 Opened 12 years ago Closed 12 years ago

JS Correctness: Different output without -d and with -d

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

RESOLVED WONTFIX

People

(Reporter: gkw, Unassigned)

Details

(Keywords: regression, testcase, Whiteboard: js-triage-needed)

(function() {
    print(arguments[QName("constructor")])
})()

displays different output in a 32-bit js debug shell on m-c changeset b9936b8bcccf with and without -d.

Without -d:

undefined

With -d:

function Object() {
    [native code]
}

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   91358:fa24b215d49e
user:        Luke Wagner
date:        Mon Apr 02 08:58:30 2012 -0700
summary:     Bug 740446 - make 'arguments' more like a normal local binding (r=bhackett)

This is an e4x caused by QName.  I looked into it to see that there is no memory corruption, just subtly different paths taken when coercing a value to an id:

The non -d path optimizes away 'arguments' and thereby executes NormalArgumentsObject::optimizedGetElem which uses ValueToId.  The -d path goes through the standard GetObjectElementOperation path which takes a different, more convoluted route that ends up turning the QName into the string "constructor".

Fixing this will add complexity to NormalArgumentsObject::optimizedGetElem, so I'd rather not.  To ignore these in the future, just don't generate QName when fuzzing for divergent behavior.

Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WONTFIX
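
One way a differential-testing harness could apply the advice in the last comment, as an added example that is not part of the bug report or of any Mozilla fuzzer: testcases that use QName are set aside before the outputs with and without -d are compared. The function names, the injectable runners, the shell path and the use of the shell's `-e` option are assumptions of this sketch.

```python
import re
import subprocess

# Assumption: identifiers to exclude from divergence testing; the page names only QName.
EXCLUDED_IDENTIFIERS = {"QName"}

# String literals and comments are matched first and skipped, so "QName" inside
# them is not counted as a use. Regex literals are not handled (simplification).
_TOKEN = re.compile(
    r"""
    (?P<skip>"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|//[^\n]*|/\*.*?\*/)
    |(?P<ident>[A-Za-z_$][\w$]*)
    """,
    re.VERBOSE | re.DOTALL,
)


def excluded_identifiers_used(source):
    """Return the excluded identifiers that appear as code tokens in source."""
    return {m.group("ident") for m in _TOKEN.finditer(source)
            if m.group("ident") in EXCLUDED_IDENTIFIERS}


def run_shell(js_shell, flags, source):
    """Run one testcase in a JS shell binary and return its stdout.

    js_shell is a hypothetical path to the shell; flags is e.g. [] or ["-d"].
    """
    proc = subprocess.run([js_shell, *flags, "-e", source],
                          capture_output=True, text=True, timeout=30)
    return proc.stdout


def triage(source, run_plain, run_debug):
    """Classify one testcase as 'skipped', 'same' or 'divergent'.

    run_plain and run_debug are callables taking the source and returning
    output, e.g. lambda s: run_shell("./js", ["-d"], s).
    """
    if excluded_identifiers_used(source):
        return "skipped"  # known, accepted divergence: do not report
    return "same" if run_plain(source) == run_debug(source) else "divergent"
```
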