Closed Bug 973118 Opened 10 years ago Closed 10 years ago

Differential Testing: Different output message involving +x

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla30

People

(Reporter: gkw, Assigned: jandem)

References

Details

(Keywords: regression, testcase, Whiteboard: [fuzzblocker])

Attachments

(1 file)

Patch
3.80 KB, patch
bhackett1024
: review+
Details | Diff | Splinter Review 
function g(f, inputs) {
    results = [];
    for (var j = 0; j < 9; ++j) {
        for (var k = 0; k < 9; ++k) {
                results.push(f(inputs[j], inputs[j]))
        }
    }
    print(eval(results))
}
function h(x, y) {
    return +x == x
}
g(h, [false, null])

Tested on 32-bit opt deterministic threadsafe shell on m-c changeset 6687d299c464

$ ./js-opt-32-dm-ts-linux-6687d299c464 --fuzzing-safe --ion-parallel-compile=off testcase.js
true,true,true,true,true,true,true,true,true,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false

$ ./js-opt-32-dm-ts-linux-6687d299c464 --fuzzing-safe --ion-parallel-compile=off --ion-eager testcase.js
true,true,true,true,true,true,true,true,true,false,true,true,true,true,true,true,true,true,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false,false

My configure flags are:

CC="gcc -m32" AR=ar PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig CXX="g++ -m32" sh ./configure --target=i686-pc-linux --enable-optimize --disable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-more-deterministic --disable-exact-rooting --with-ccache --enable-threadsafe <other NSPR options>

Bisecting backwards, this seems to have happened as far back as http://hg.mozilla.org/mozilla-central/rev/6f7227918e79 (Nov 2013).

Setting needinfo? from Jan to see how we can move this forward.
Flags: needinfo?(jdemooij)
This root cause is very simple (merely "+x == x"), so setting fuzzblocker as this blocks finding a lot of other differential testing bugs.
Whiteboard: [fuzzblocker]
I smaller test case is, with --ion-parallel-compile=off --ion-eager:

function h(x) { return +x == x };
h(false)
assertEq(h(null), false);
assertEq(h(null), false);
Regression from bug 862103, bug is a lot like bug 940635.
Blocks: 862103
Attached patch PatchSplinter Review 
The bug is that ToInt32(null) is 0, but 0 == null should be false.

Compare_Int32MaybeCoerce* and Compare_Int32MaybeCoerceBoth are only used when we expect int32 or booleans, so this patch adds a new IntConversionInputKind to only accept these types.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Attachment #8377162 - Flags: review?(bhackett1024)
Flags: needinfo?(jdemooij)
Attachment #8377162 - Flags: review?(bhackett1024) → review+
Severity: critical → major
Helping to land this:

https://hg.mozilla.org/integration/mozilla-inbound/rev/df6148983ef9
Flags: in-testsuite+
Target Milestone: --- → mozilla30
https://hg.mozilla.org/mozilla-central/rev/df6148983ef9
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: