Closed Bug 797185 Opened 7 years ago Closed 7 years ago

IonMonkey: Differential Testing: Getting different output w/without --ion-eager with toSource

Categories

(Core :: JavaScript Engine, defect, major)

Tracking

RESOLVED FIXED
mozilla18

People

(Reporter: gkw, Assigned: jandem)

References

(Blocks 1 open bug)

Details

(Keywords: regression, testcase, Whiteboard: [fuzzblocker])

Attachments

(1 file)

toSource = function () { print('FOO') }
y = this
try {
    (function() {
        for (v of y) {}
    })()
} catch (e) {}

prints "FOO" on js opt shell on m-c changeset cd82278e2bb8 with --ion-eager, but does not print it without.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   105823:73866db4e189
user:        Jan de Mooij
date:        Sat Feb 11 13:22:42 2012 +0100
summary:     Compile JSOP_LAMBDA and JSOP_DEFLOCALFUN (bug 725674, r=dvander)

Nicolas helped me diagnose the issue here! :)
(tested on 32-bit opt shell on changeset 1a2f506b1a92)

Here's another testcase:

try {
    a0 = [];
    o0 = {}
    b0 = g2 = this
    o0.toSource = (function () {
        Object.defineProperty(g2.a0, 8, {})
    })
} catch (e) {}
try {
    (function () {
        b0.__iterator__ = (function () {
            for (v of this) {}
        })
    })()
    for (p in b0) {}
} catch (e) {}
try {
    print(uneval(this))
} catch (e) {}


$ ./js-opt-32-1a2f506b1a92-darwin w733-cj-in.js | head
({__iterator__:(function () {
            for (v of this) {}
        }), a0:[], assertEq:function assertEq() {
    [native code]
}, assertJit:function assertJit() {
    [native code]
}, b0:{}, build:function build() {
    [native code]
}, clone:function clone() {
    [native code]

$ ./js-opt-32-1a2f506b1a92-darwin --ion-eager w733-cj-in.js | head
({__iterator__:(function () {
            for (v of this) {}
        }), a0:[, , , , , , , , (void 0)], assertEq:function assertEq() {
    [native code]
}, assertJit:function assertJit() {
    [native code]
}, b0:{}, build:function build() {
    [native code]
}, clone:function clone() {
    [native code]

try {
    (function () {
        Object.defineProperty(this, "v0", {
            get: function () {
                m0.toSource = f1
            }
        })
    })()
    a0 = []
    m0 = o1 = e1 = Array
    eval("function f1(){Object.defineProperty(a0,1,{})}")
    for (v in v0) {}(function () {
        e1.valueOf = (function () {
            for (v of o1) {}
        })
    })()
    e1 + ''
} catch (e) {}
try {
    print(a0)
} catch (e) {}

is another testcase that outputs a "," with --ion-eager but seemingly only a newline without, also on m-c changeset 1a2f506b1a92.

This is generating a lot of duplicates in compareJIT, unfortunately.
Whiteboard: [fuzzblocker]

Attached patch: Patch
It's the DecompileValueGenerator stack search again. Bug 758209 disabled it when building with --enable-more-deterministic, but this change got lost with all the decompiler changes; this patch restores it.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attachment #667881 - Flags: review?(dvander)
Comment on attachment 667881 [details] [diff] [review]
Patch

Stealing this NPOTB patch as suggested by jandem on IRC :)
Attachment #667881 - Flags: review?(dvander) → review+
Thanks!

https://hg.mozilla.org/integration/mozilla-inbound/rev/a85c0f30cdfa
OS: Mac OS X → All
Hardware: x86_64 → All
https://hg.mozilla.org/mozilla-central/rev/a85c0f30cdfa
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
Depends on: 821931
Depends on: 822540
Depends on: 825382