Closed Bug 826588 Opened 11 years ago Closed 11 years ago

Differential Testing: Getting different output on 64-bit Windows js shells involving lastIndex

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox18 --- unaffected
firefox19 --- unaffected
firefox20 --- affected
firefox21 --- fixed
firefox-esr17 --- unaffected

People

(Reporter: gkw, Assigned: sstangl)

References

Details

(Keywords: regression, sec-moderate, testcase, Whiteboard: [fuzzblocker][adv-main21+] YARR bug on Win64) 

r = RegExp("(){0}", "g")
r.test()
print(r.lastIndex)

prints a number that is different everytime, on js opt shell on m-c changeset ceef8a5c3ca1 without any CLI arguments. This only seems to happen on 64-bit builds.

Other platforms / OS'es or Win32 js shells seem to output 0 instead.

Jesse advises to set this s-s pending further investigation.

autoBisect is now running.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   116118:7711a36c2771
user:        Sean Stangl
date:        Wed Dec 12 17:42:02 2012 -0800
summary:     Bug 808245, Part 5/6 - Use MatchPairs for RegExp output. r=dvander
Blocks: 808245
Flags: needinfo?(sstangl)
This is so bad that I've had to disable the compareJIT fuzzer on 64-bit Windows.
Whiteboard: [fuzzblocker]
This is a compiler bug on Win64. The problem is that the "length" parameter of executeMatchOnly() takes on a random value, but it has the correct value in the caller.

Printing |length| within executeMatchOnly() causes the test to pass.
Disabling optimizations around executeMatchOnly() does not fix it.

I'm not sure how to fix this.
Flags: needinfo?(sstangl)
On further examination, it looks like MatchResult::MatchResult(EncodedMatchResult) assumes that (sizeof size_t) == 32. I'm not sure why this wouldn't break on x86_64 Linux, though.
Unfortunately, the problem is that Yarr is built assuming the presence of an ABI that includes a secondary return register. Win64 does not have one, although returnReg2 is erroneously defined for the platform in yarr/YarrJIT.cpp.

Windows will happily let you return a struct of size 128 (inasmuch as it passes compilation). I don't see anything in the Win64 ABI that defines what happens in this situation, but some time with a debugger would sort that mess out. Probably just needs yet another shim.
Assignee: general → sstangl
Whiteboard: [fuzzblocker] → [fuzzblocker] YARR bug on Win64
Depends on: 831884
(In reply to Sean Stangl from comment #5)
> Windows will happily let you return a struct of size 128 (inasmuch as it
> passes compilation). I don't see anything in the Win64 ABI that defines what
> happens in this situation, but some time with a debugger would sort that
> mess out. Probably just needs yet another shim.

http://msdn.microsoft.com/en-us/library/7572ztz4.aspx

Unless you're returning __m128, __m128i, __m128d, floats, and doubles, which are returned in XMM0, then if the return value does not fit into 64 bits then the caller must pass a pointer to the return value.
Gary, this should have been fixed by Makoto's recent patch in Bug 830676.
Flags: needinfo?(gary)
I verify that the assertion no longer occurs with the testcase. Setting in-testsuite? and assuming fixed by bug 830676.
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(gary) → in-testsuite?
Resolution: --- → FIXED
Whiteboard: [fuzzblocker] YARR bug on Win64 → [fuzzblocker][adv-main21+] YARR bug on Win64
Group: core-security
You need to log in before you can comment on or make changes to this bug.