Closed Bug 827104 Opened 7 years ago Closed 7 years ago

IonMonkey: Differential Testing: is undefined vs. undefined has no properties

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla23

People

(Reporter: decoder, Assigned: evilpie)

References

(Blocks 1 open bug)

Details

(Keywords: testcase, Whiteboard: [fuzzblocker])

Attachments

(1 file, 1 obsolete file)

The following testcase shows different behavior with no options vs. --no-ti on mozilla-central revision 20d1a5916ef6:


var a = [];
for (var i = 0; i < 1000; i++) {
  a.x = {}
}
a[i][0] = 0;


$ opt64/js test.js
test.js:5:0 TypeError: can't convert undefined to object


$ opt64/js --no-ti test.js
test.js:5:0 TypeError: a[i] is undefined


This is a fuzzblocker because it keeps popping up very frequently.
Seeing the same also for null (foo is null vs. null has no properties).
Attached patch fix (obsolete) — Splinter Review
I hate this code. We should just get rid of the special error message. This fixes it, but I am not sure if it has bad effects on other stuff.
Tom, is this patch up for a review?
Flags: needinfo?(evilpies)
I think we can take this patch, this should strictly just improve the error reporting.
Flags: needinfo?(evilpies)
Assignee: general → evilpies
Verified, still passes and fixes the issue.
Attachment #698420 - Flags: review?(jdemooij)
Comment on attachment 698420 [details] [diff] [review]
fix

Review of attachment 698420 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good, but please add a testcase that fails without the patch (and works with the patch + --baseline-eager)
Attachment #698420 - Flags: review?(jdemooij) → review+
This fails with baseline at the moment.
Jan, any ideas on how to fix this?
Flags: needinfo?(jdemooij)
(In reply to Tom Schuster [:evilpie] from comment #8)
> Jan, any ideas on how to fix this?

Changing ToObject to ToObjectFromStack in DoSetElemFallback seems to work for me..
Flags: needinfo?(jdemooij)
Attached patch v2Splinter Review
You are right. Failure on my part.
Attachment #698420 - Attachment is obsolete: true
Attachment #744776 - Flags: review?(jdemooij)
Attachment #744776 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/a7e44219367a
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
You need to log in before you can comment on or make changes to this bug.