Closed
Bug 995816
Opened 11 years ago
Closed 11 years ago
Differential Testing: Different output message involving gc
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
VERIFIED
FIXED
mozilla31
Version | Tracking | Status |
---|---|---|
firefox28 | --- | unaffected |
firefox29 | --- | wontfix |
firefox30 | --- | fixed |
firefox31 | --- | verified |
firefox32 | --- | verified |
firefox33 | --- | verified |
firefox-esr24 | --- | unaffected |
b2g-v1.2 | --- | unaffected |
b2g-v1.3 | --- | unaffected |
b2g-v1.3T | --- | unaffected |
b2g-v1.4 | --- | fixed |
b2g-v2.0 | --- | fixed |
seamonkey2.26 | --- | wontfix |
People
(Reporter: gkw, Assigned: nbp)
References
Details
(Keywords: regression, sec-high, testcase, Whiteboard: [adv-main30+])
```js
let t;
(function() {
    f = (function() {
        return (1 + -1 / 0) | 0
    })
})()
f()
gc()
print(f())
```

```
$ ./js-opt-64-dm-ts-darwin-ebdf2740dc3e --fuzzing-safe --ion-parallel-compile=off 2375.js
0
$ ./js-opt-64-dm-ts-darwin-ebdf2740dc3e --fuzzing-safe --ion-parallel-compile=off --ion-eager 2375.js
1
```
My configure flags are:
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --disable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --disable-tests --enable-more-deterministic --with-ccache --enable-threadsafe <other NSPR options>
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/3bada9bbc132
user: Jon Coppeard
date: Mon Dec 16 08:57:37 2013 +0000
summary: Bug 950006 - Don't skip zeal GCs if allocating without the possibility of GC r=billm
Jon, is bug 950006 a possible regressor?
Setting this s-s just because gc seems to be involved, but I'll grab a random choice and pick sec-high for now - please feel free to change this as necessary.
Flags: needinfo?
Reporter
Updated•11 years ago
status-firefox28:
--- → unaffected
status-firefox29:
--- → affected
status-firefox30:
--- → affected
status-firefox31:
--- → affected
status-firefox-esr24:
--- → unaffected
Flags: needinfo? → needinfo?(jcoppeard)
Reporter
Updated•11 years ago
Severity: critical → major
Reporter
Comment 1•11 years ago
(Tested this on 64-bit Mac js opt threadsafe deterministic shell off m-c rev ebdf2740dc3e)
Comment 2•11 years ago
Reproduced. Unlikely to be related to bug 950006 as there is no GC zeal involved.
As I understand it the computation ((1 + (-1 / 0)) | 0) should be zero in JS, since:
(-1 / 0) => -Infinity
(1 + -Infinity) => -Infinity
(-Infinity | 0) => 0
In the interpreter this is the result produced. However for some reason this is compiled as:
((-1 DivI 0) AddI 1)
Which gives 1. So I guess this is an Ion issue?
Flags: needinfo?(jcoppeard)
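An added example (not from the bug thread and not SpiderMonkey code) that models the two evaluation orders described in comment 2: truncating once at the `| 0`, versus truncating the division result before the add. `truncateAtDiv` is a hypothetical simplification of the compiled form, and the constructed case list goes slightly beyond the page by including fractional quotients, where the two orders also diverge.

```javascript
// ECMAScript ToInt32: NaN and +/-Infinity map to 0, everything else wraps mod 2^32.
function toInt32(x) {
  if (!Number.isFinite(x)) return 0;
  const m = Math.trunc(x) % 4294967296;        // remainder keeps the dividend's sign
  const u = m < 0 ? m + 4294967296 : m;        // map into [0, 2^32)
  return (u >= 2147483648 ? u - 4294967296 : u) + 0;  // "+ 0" normalizes -0 to +0
}

// Interpreter order: double arithmetic throughout, one truncation at the root.
function truncateAtRoot(n, d, addend) {
  return toInt32(addend + n / d);
}

// Hypothetical model of ((n DivI d) AddI addend): the quotient is truncated
// to int32 first, so -Infinity has already become 0 when the add runs.
function truncateAtDiv(n, d, addend) {
  const divI = toInt32(n / d);
  return toInt32(divI + addend);
}

// Differential check: return every [n, d, addend] where the two orders disagree.
function findDivergences(cases) {
  return cases.filter(([n, d, a]) => truncateAtRoot(n, d, a) !== truncateAtDiv(n, d, a));
}

// Constructed inputs: the bug's own case first, then other quotient kinds.
const CASES = [
  [-1, 0, 1],  // -Infinity quotient (the testcase in this bug)
  [1, 0, 1],   // +Infinity quotient
  [0, 0, 1],   // NaN quotient
  [6, 3, 1],   // exact integer quotient
  [7, 2, 1],   // positive fractional quotient
  [-7, 2, 1],  // negative fractional quotient that happens to agree
  [-1, 2, 1],  // negative fractional quotient that disagrees
];

for (const [n, d, a] of findDivergences(CASES)) {
  console.log(`(${a} + ${n} / ${d}) | 0: root=${truncateAtRoot(n, d, a)} div=${truncateAtDiv(n, d, a)}`);
}
```

Moving the truncation below the add is only sound when the quotient is known to be an integer in int32 range, which is the property a differential run such as the interpreter versus `--ion-eager` comparison above checks.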
Comment 3•11 years ago
(In reply to Jon Coppeard (:jonco) from comment #2)
> Which gives 1. So I guess this is an Ion issue?
Looks a lot like bug 995817...
Reporter
Comment 4•11 years ago
I need to retest this after bug 995817 landed.
Flags: needinfo?(gary)
Reporter
Comment 5•11 years ago
This is FIXED as of m-i rev f2bd6f0ab761, likely fixed by bug 995817.
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(gary)
Resolution: --- → FIXED
Comment 6•11 years ago
Guessing this is probably wontfix for Beta29 at this point, but we should probably at least get bug 995817 on Aurora30.
Assignee: nobody → nicolas.b.pierron
status-b2g-v1.2:
--- → unaffected
status-b2g-v1.3:
--- → unaffected
status-b2g-v1.3T:
--- → unaffected
status-b2g-v1.4:
--- → affected
status-b2g-v2.0:
--- → fixed
Depends on: 995817
Flags: needinfo?(nicolas.b.pierron)
Target Milestone: --- → mozilla31
Comment 7•11 years ago
Assignee
Updated•11 years ago
Flags: needinfo?(nicolas.b.pierron)
Updated•11 years ago
Whiteboard: [adv-main30+]
Comment 8•11 years ago
Confirmed issue on 2014-04-04, Fx30.
Verified fixed on 2014-06-03, Fx30 and Fx31.
Comment 9•11 years ago
Actually, removing verified status. Needs to be verified in build made with --enable-more-deterministic. Gary will do this.
Status: VERIFIED → RESOLVED
Closed: 11 years ago → 11 years ago
Comment 10•10 years ago
Trying to apply this to SeaMonkey 2.26.1 (Gecko 29) resulted in patch conflicts, and due to the nature of this patchset it seems like I won't be able to take it.
status-seamonkey2.26:
--- → wontfix
Reporter
Comment 12•10 years ago
autoBisect shows this is probably related to the following changeset:
The first good revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/35e57f348ddf
user: Nicolas B. Pierron
date: Wed Apr 16 08:31:43 2014 -0700
summary: Bug 995817 - Range Analysis: Truncate MDiv indirectly. r=sunfish
Verified on m-c.
Reporter
Comment 13•10 years ago
Also verified on mozilla-aurora (Fx31) and mozilla-beta (Fx32).
status-firefox32:
--- → verified
Updated•9 years ago
Group: core-security