Closed Bug 995816 Opened 8 years ago Closed 8 years ago

Differential Testing: Different output message involving gc

Categories: Core :: JavaScript Engine: JIT (defect)
Platform: x86_64 macOS
Severity: major; Priority: Not set

Tracking: VERIFIED FIXED, target milestone mozilla31

Tracking Status
firefox28 --- unaffected
firefox29 --- wontfix
firefox30 --- fixed
firefox31 --- verified
firefox32 --- verified
firefox33 --- verified
firefox-esr24 --- unaffected
b2g-v1.2 --- unaffected
b2g-v1.3 --- unaffected
b2g-v1.3T --- unaffected
b2g-v1.4 --- fixed
b2g-v2.0 --- fixed
seamonkey2.26 --- wontfix

People: Reporter gkw, Assigned nbp

Keywords: regression, sec-high, testcase; Whiteboard: [adv-main30+]

let t;
(function() {
    f = (function() {
        return (1 + -1 / 0) | 0
    })
})()
f()
gc()
print(f())

$ ./js-opt-64-dm-ts-darwin-ebdf2740dc3e --fuzzing-safe --ion-parallel-compile=off 2375.js
0

$ ./js-opt-64-dm-ts-darwin-ebdf2740dc3e --fuzzing-safe --ion-parallel-compile=off --ion-eager 2375.js
1

My configure flags are:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --disable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --disable-tests --enable-more-deterministic --with-ccache --enable-threadsafe <other NSPR options>

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/3bada9bbc132
user:        Jon Coppeard
date:        Mon Dec 16 08:57:37 2013 +0000
summary:     Bug 950006 - Don't skip zeal GCs if allocating without the possibility of GC r=billm

Jon, is bug 950006 a possible regressor?

Setting this s-s just because gc seems to be involved, but I'll grab a random choice and pick sec-high for now - please feel free to change this as necessary.
Flags: needinfo?
Severity: critical → major
(Tested this on 64-bit Mac js opt threadsafe deterministic shell off m-c rev ebdf2740dc3e)
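The two shell invocations above are the whole differential test: same testcase, same shell, one extra flag, different output. As an added example (not part of this bug report or of the reporter's fuzzing tooling), the harness below packages that comparison into a POSIX sh function. The names difftest and make_testcase and the JS_SHELL variable are assumptions; the testcase it writes is the reporter's from comment 0.

```shell
#!/bin/sh
# Added example, not from the bug report. Minimal differential-testing harness:
# run one testcase under two command lines (e.g. the JS shell with and without
# --ion-eager) and report whether their outputs differ.

# difftest TESTCASE "CMD_A" "CMD_B"
# CMD_A / CMD_B are word-split on whitespace (plain flag lists, no quoting
# inside). stdout and stderr of both runs are captured and compared.
# Returns 0 when the outputs match, 1 when they differ (and prints both).
difftest() {
  testcase=$1
  cmd_a=$2
  cmd_b=$3
  # shellcheck disable=SC2086  (word splitting of the command strings is intended)
  out_a=$($cmd_a "$testcase" 2>&1)
  out_b=$($cmd_b "$testcase" 2>&1)
  if [ "$out_a" = "$out_b" ]; then
    return 0
  fi
  printf 'DIFFERENT output for %s\n--- %s\n%s\n--- %s\n%s\n' \
    "$testcase" "$cmd_a" "$out_a" "$cmd_b" "$out_b"
  return 1
}

# make_testcase DIR: writes the reporter's testcase (comment 0) to DIR/2375.js
# and prints the path.
make_testcase() {
  f="$1/2375.js"
  cat > "$f" <<'EOF'
let t;
(function() {
    f = (function() {
        return (1 + -1 / 0) | 0
    })
})()
f()
gc()
print(f())
EOF
  printf '%s\n' "$f"
}

# Usage (JS_SHELL is assumed to point at a SpiderMonkey shell build):
#   JS_SHELL=./js-opt-64-dm-ts-darwin-ebdf2740dc3e
#   tc=$(make_testcase /tmp)
#   difftest "$tc" "$JS_SHELL --fuzzing-safe --ion-parallel-compile=off" \
#                  "$JS_SHELL --fuzzing-safe --ion-parallel-compile=off --ion-eager"
```

A non-zero return from difftest is the signal a fuzzer would act on; with a real shell the expected result for this testcase on an affected build is "0" versus "1", exactly the two runs shown above.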
Reproduced.  Unlikely to be related to bug 950006 as there is no GC zeal involved.

As I understand it the computation ((1 + (-1 / 0)) | 0) should be zero in JS, since:
  (-1 / 0) => -Infinity
  (1 + -Infinity) => -Infinity
  (-Infinity | 0) => 0

In the interpreter this is the result produced.  However for some reason this is compiled as:

  ((-1 DivI 0) AddI 1)

Which gives 1.  So I guess this is an Ion issue?
Flags: needinfo?(jcoppeard)
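The difference Jon describes is a truncation being applied in the wrong place: ToInt32 distributes over integer addition modulo 2^32 for finite values, but it maps Infinity and NaN to 0, so converting a non-finite quotient before the addition gives a different answer than converting after it. As an added illustration (not code from the bug thread, from SpiderMonkey, or from the fix in bug 995817), the block below models both evaluation orders in plain JavaScript and runs a small differential check over constructed inputs. The functions toInt32, asInterpreted, asMiscompiled, nativeResult and findDivergences and the SAMPLE_CASES list are assumptions of this example; asMiscompiled is a model of the observable behaviour, not of Ion's IR or range analysis.

```javascript
// Added example, not code from the bug report or from SpiderMonkey. It models
// the two evaluation orders discussed in comment 2 so the divergence can be
// reproduced and explored without an old Ion build.

// ToInt32 as ECMAScript specifies it (the conversion `x | 0` performs):
// non-finite values become 0, everything else is truncated toward zero and
// wrapped into the signed 32-bit range.
function toInt32(x) {
  if (!Number.isFinite(x)) return 0;          // NaN, +Infinity, -Infinity -> 0
  const n = Math.trunc(x) % 4294967296;       // reduce modulo 2^32 (keeps sign of x)
  if (n >= 2147483648) return n - 4294967296;
  if (n < -2147483648) return n + 4294967296;
  return n + 0;                                // normalises -0 to +0
}

// Interpreter order for (c + a / b) | 0: double division, double addition,
// a single ToInt32 at the very end.
function asInterpreted(a, b, c) {
  return toInt32(c + a / b);
}

// The shape comment 2 reports Ion emitting, (a DivI b) AddI c: the truncation
// has been pushed down into the division, so a non-finite quotient is
// converted to 0 *before* the addition instead of after it. (Hypothetical
// model of the observable behaviour, not Ion's actual IR or range analysis.)
function asMiscompiled(a, b, c) {
  const q = toInt32(a / b);                    // -1 / 0 -> -Infinity -> 0
  return toInt32(q + c);                       // 0 + 1 -> 1
}

// What a current, correct engine computes for the reporter's expression.
function nativeResult() {
  return (1 + -1 / 0) | 0;
}

// Differential check: run both orders over a set of (a, b, c) triples and
// collect the ones where they disagree.
function findDivergences(cases) {
  const divergences = [];
  for (const [a, b, c] of cases) {
    const expected = asInterpreted(a, b, c);
    const got = asMiscompiled(a, b, c);
    if (expected !== got) divergences.push({ a, b, c, expected, got });
  }
  return divergences;
}

// Constructed sample inputs (not from the report): the bug's own triple plus
// the other non-finite quotients and a few finite ones for contrast.
const SAMPLE_CASES = [
  [-1, 0, 1],           // the testcase: (1 + -1 / 0) | 0 -> -Infinity | 0 -> 0
  [1, 0, 1],            // +Infinity quotient
  [0, 0, 1],            // NaN quotient
  [7, 2, 1],            // 3.5: truncation commutes with the integer addition
  [-7, 2, 0],           // -3.5: truncation is toward zero in both orders
  [2147483647, 1, 1],   // int32 overflow wraps identically in both orders
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log('native engine:', nativeResult());
  console.log('divergences:', findDivergences(SAMPLE_CASES));
}
```

Only the three non-finite triples diverge; the finite ones agree in both orders, which is why an optimisation that pushes the truncation into the division looks sound on ordinary inputs and only differential testing with a division by zero exposes it. The model is a stand-in for the real check, which is the pair of shell invocations in comment 0.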
(In reply to Jon Coppeard (:jonco) from comment #2)
> Which gives 1.  So I guess this is an Ion issue?

Looks a lot like bug 995817...
I need to retest this after bug 995817 landed.
Flags: needinfo?(gary)
This is FIXED as of m-i rev f2bd6f0ab761, likely fixed by bug 995817.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(gary)
Resolution: --- → FIXED
Guessing this is probably wontfix for Beta29 at this point, but we should probably at least get bug 995817 on Aurora30.
Assignee: nobody → nicolas.b.pierron
Depends on: 995817
Flags: needinfo?(nicolas.b.pierron)
Target Milestone: --- → mozilla31
Flags: needinfo?(nicolas.b.pierron)
Whiteboard: [adv-main30+]
Confirmed issue on 2014-04-04, Fx30.
Verified fixed on 2014-06-03, Fx30 and Fx31.
Status: RESOLVED → VERIFIED
Actually, removing verified status. Needs to be verified in build made with --enable-more-deterministic. Gary will do this.
Status: VERIFIED → RESOLVED
Closed: 8 years ago
Trying to apply this to SeaMonkey 2.26.1 (Gecko 29) resulted in patch conflicts, and due to the nature of this patchset it seems like I won't be able to take it.
Gary, do you think you have time to do a verify?
Flags: needinfo?(gary)
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/35e57f348ddf
user:        Nicolas B. Pierron
date:        Wed Apr 16 08:31:43 2014 -0700
summary:     Bug 995817 - Range Analysis: Truncate MDiv indirectly. r=sunfish

Verified on m-c.
Status: RESOLVED → VERIFIED
Flags: needinfo?(gary)
Also verified on mozilla-aurora (Fx31) and mozilla-beta (Fx32).
Group: core-security