Bug 767665 - IonMonkey: Differential Testing: Getting TypeError vs no TypeError w/without ion
Status: VERIFIED FIXED
Keywords: regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Other Branch
Platform: x86 Windows 7
Importance: -- critical
Assigned To: Sean Stangl [:sstangl]
Blocks: jsfunfuzz IonFuzz 768249
Reported: 2012-06-22 22:59 PDT by Gary Kwong [:gkw] [:nth10sd]
Modified: 2012-12-13 17:05 PST
Flags: gary: in-testsuite+


Attachments
testcase (840 bytes, text/plain) - 2012-06-22 22:59 PDT, Gary Kwong [:gkw] [:nth10sd]
clearer testcase (178 bytes, text/plain) - 2012-06-23 05:02 PDT, Jesse Ruderman
Inline NewArray only if it won't generate a RangeError. (3.18 KB, patch) - 2012-06-25 15:12 PDT, Sean Stangl [:sstangl] - dvander: review+

Description Gary Kwong [:gkw] [:nth10sd] 2012-06-22 22:59:29 PDT
Created attachment 636031 [details]
testcase

The attached testcase shows a TypeError at the bottom using js opt shell on IonMonkey changeset 881c4b8e7404 with --no-jm:

/snip
RangeError: invalid array length
RangeError: invalid array length
RangeError: invalid array length
RangeError: invalid array length
RangeError: invalid array length
TypeError: (void 0) is not a function

but doesn't when run without --no-jm:

/snip
RangeError: invalid array length
RangeError: invalid array length
RangeError: invalid array length
RangeError: invalid array length
RangeError: invalid array length
RangeError: invalid array length

mozilla-inbound changeset cb74a377095a does not seem to have this issue. All shells tested on 64-bit, and with --enable-more-deterministic.

This is at least a regression for IonMonkey.
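As an added example (not the attached testcase and not jsfunfuzz's own code), a small differential-testing oracle in the spirit of this report: each probe's result is reduced to one comparable line, so the same table produced under two shell configurations (here, with and without --no-jm) can be diffed entry by entry, and the probes bracket the lengths at which the Array constructor raises "invalid array length". The probe set and the helper names `outcome`, `runProbes` and `diffOutcomes` are assumptions of this example.

```javascript
// Added example, not from the bug or the fuzzer: a differential-testing
// oracle that reduces each probe to a short, comparable outcome string.
function outcome(fn) {
  try {
    const v = fn();
    // Summarise arrays by length so huge sparse arrays stay cheap to report.
    return Array.isArray(v) ? `ok:Array(length=${v.length})` : `ok:${String(v)}`;
  } catch (e) {
    // Keep only the error class and message; stack traces differ per mode.
    return `${e.name}: ${e.message}`;
  }
}

// Constructed probes around the boundaries the Array constructor enforces:
// a length must be a uint32, so 2**32 - 1 is the last valid length and
// 2**31 is valid even though it is negative when viewed as an int32.
const PROBES = {
  "Array(0)": () => Array(0),
  "Array(2**31-1)": () => Array(2 ** 31 - 1),
  "Array(2**31)": () => Array(2 ** 31),
  "Array(2**32-1)": () => Array(2 ** 32 - 1),
  "Array(2**32)": () => Array(2 ** 32),
  "Array(-1)": () => Array(-1),
  "Array(1.5)": () => Array(1.5),
  // The kind of failure the report saw instead of a RangeError.
  "call (void 0)": () => (void 0)(),
};

// Run every probe and return a name -> outcome table.
function runProbes(probes = PROBES) {
  const results = {};
  for (const [name, fn] of Object.entries(probes)) results[name] = outcome(fn);
  return results;
}

// Compare two outcome tables (e.g. one per shell configuration) and list the
// probes whose outcome differs; a non-empty list is a differential finding.
function diffOutcomes(a, b) {
  return Object.keys(a).filter((k) => a[k] !== b[k]);
}

for (const [name, res] of Object.entries(runProbes())) console.log(name, "=>", res);
```

In a real run the table is produced once per shell configuration and the two tables are fed to `diffOutcomes`; exact error messages are engine-specific, so compare error class before message.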
Comment 1 Jesse Ruderman 2012-06-23 05:02:32 PDT
Created attachment 636067 [details]
clearer testcase
Comment 2 Jesse Ruderman 2012-06-23 15:17:51 PDT
The first bad revision is:
changeset:   https://hg.mozilla.org/projects/ionmonkey/rev/8a2010ae3d08
user:        Sean Stangl
date:        Tue Mar 27 12:20:22 2012 -0700
summary:     Bug 735400 - Optimize JSOP_FUNCALL. r=dvander
Comment 3 Sean Stangl [:sstangl] 2012-06-25 15:12:20 PDT
Created attachment 636502 [details] [diff] [review]
Inline NewArray only if it won't generate a RangeError.

Kindly disregard the crazy levels of indentation. I'll fix that in a follow-up bug -- that whole file needs cleanup badly.
Comment 4 David Anderson [:dvander] 2012-06-26 13:10:35 PDT
Comment on attachment 636502 [details] [diff] [review]
Inline NewArray only if it won't generate a RangeError.

Review of attachment 636502 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/ion/CodeGenerator.cpp
@@ +989,5 @@
>      Register objReg = ToRegister(lir->output());
>      types::TypeObject *typeObj = lir->mir()->type();
>      uint32 count = lir->mir()->count();
>  
> +    JS_ASSERT((int32_t)count >= 0);
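Review bot: The assertion added at the end of this hunk, `JS_ASSERT((int32_t)count >= 0)`, only checks the sign bit of the `uint32 count`, whereas the patch's stated purpose is to inline NewArray only when the length cannot raise a RangeError; assert the limit that decision actually depends on instead, as the review below suggests, `JS_ASSERT(count < JSObject::NELEMENTS_LIMIT)`, so the assertion enforces the same condition as the inlining predicate rather than a weaker one.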

JS_ASSERT(count < JSObject::NELEMENTS_LIMIT)
Comment 5 Sean Stangl [:sstangl] 2012-06-26 16:35:07 PDT
http://hg.mozilla.org/projects/ionmonkey/rev/02c16738f778
Comment 6 Gary Kwong [:gkw] [:nth10sd] 2012-12-13 17:05:49 PST
A type of test for this bug has already been landed because it is already marked in-testsuite+ -> VERIFIED.
