Closed
Bug 826588
Opened 11 years ago
Closed 11 years ago
Differential Testing: Getting different output on 64-bit Windows js shells involving lastIndex
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
firefox18 | --- | unaffected |
firefox19 | --- | unaffected |
firefox20 | --- | affected |
firefox21 | --- | fixed |
firefox-esr17 | --- | unaffected |
People
(Reporter: gkw, Assigned: sstangl)
References
Details
(Keywords: regression, sec-moderate, testcase, Whiteboard: [fuzzblocker][adv-main21+] YARR bug on Win64)
r = RegExp("(){0}", "g") r.test() print(r.lastIndex) prints a number that is different everytime, on js opt shell on m-c changeset ceef8a5c3ca1 without any CLI arguments. This only seems to happen on 64-bit builds. Other platforms / OS'es or Win32 js shells seem to output 0 instead. Jesse advises to set this s-s pending further investigation. autoBisect is now running.
Reporter | ||
Comment 1•11 years ago
|
||
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 116118:7711a36c2771 user: Sean Stangl date: Wed Dec 12 17:42:02 2012 -0800 summary: Bug 808245, Part 5/6 - Use MatchPairs for RegExp output. r=dvander
Blocks: 808245
Flags: needinfo?(sstangl)
Reporter | ||
Comment 2•11 years ago
|
||
This is so bad that I've had to disable the compareJIT fuzzer on 64-bit Windows.
Whiteboard: [fuzzblocker]
Assignee | ||
Comment 3•11 years ago
|
||
This is a compiler bug on Win64. The problem is that the "length" parameter of executeMatchOnly() takes on a random value, but it has the correct value in the caller. Printing |length| within executeMatchOnly() causes the test to pass. Disabling optimizations around executeMatchOnly() does not fix it. I'm not sure how to fix this.
Flags: needinfo?(sstangl)
Assignee | ||
Comment 4•11 years ago
|
||
On further examination, it looks like MatchResult::MatchResult(EncodedMatchResult) assumes that (sizeof size_t) == 32. I'm not sure why this wouldn't break on x86_64 Linux, though.
Assignee | ||
Comment 5•11 years ago
|
||
Unfortunately, the problem is that Yarr is built assuming the presence of an ABI that includes a secondary return register. Win64 does not have one, although returnReg2 is erroneously defined for the platform in yarr/YarrJIT.cpp. Windows will happily let you return a struct of size 128 (inasmuch as it passes compilation). I don't see anything in the Win64 ABI that defines what happens in this situation, but some time with a debugger would sort that mess out. Probably just needs yet another shim.
Updated•11 years ago
|
Assignee: general → sstangl
Whiteboard: [fuzzblocker] → [fuzzblocker] YARR bug on Win64
Updated•11 years ago
|
Keywords: sec-moderate
Assignee | ||
Updated•11 years ago
|
status-firefox18:
--- → unaffected
status-firefox19:
--- → unaffected
status-firefox20:
--- → affected
status-firefox21:
--- → affected
Comment 6•11 years ago
|
||
(In reply to Sean Stangl from comment #5) > Windows will happily let you return a struct of size 128 (inasmuch as it > passes compilation). I don't see anything in the Win64 ABI that defines what > happens in this situation, but some time with a debugger would sort that > mess out. Probably just needs yet another shim. http://msdn.microsoft.com/en-us/library/7572ztz4.aspx Unless you're returning __m128, __m128i, __m128d, floats, and doubles, which are returned in XMM0, then if the return value does not fit into 64 bits then the caller must pass a pointer to the return value.
Assignee | ||
Comment 7•11 years ago
|
||
Gary, this should have been fixed by Makoto's recent patch in Bug 830676.
Flags: needinfo?(gary)
Reporter | ||
Comment 8•11 years ago
|
||
I verify that the assertion no longer occurs with the testcase. Setting in-testsuite? and assuming fixed by bug 830676.
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(gary) → in-testsuite?
Resolution: --- → FIXED
Reporter | ||
Updated•11 years ago
|
Updated•11 years ago
|
status-firefox-esr17:
--- → unaffected
Updated•11 years ago
|
Whiteboard: [fuzzblocker] YARR bug on Win64 → [fuzzblocker][adv-main21+] YARR bug on Win64
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•