995816 - Differential Testing: Different output message involving gc

Status: VERIFIED FIXED

(Core :: JavaScript Engine: JIT, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

let t;
(function() {
    f = (function() {
        return (1 + -1 / 0) | 0
    })
})()
f()
gc()
print(f())

$ ./js-opt-64-dm-ts-darwin-ebdf2740dc3e --fuzzing-safe --ion-parallel-compile=off 2375.js
0

$ ./js-opt-64-dm-ts-darwin-ebdf2740dc3e --fuzzing-safe --ion-parallel-compile=off --ion-eager 2375.js
1

My configure flags are:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --disable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --disable-tests --enable-more-deterministic --with-ccache --enable-threadsafe <other NSPR options>

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/3bada9bbc132
user:        Jon Coppeard
date:        Mon Dec 16 08:57:37 2013 +0000
summary:     Bug 950006 - Don't skip zeal GCs if allocating without the possibility of GC r=billm

Jon, is bug 950006 a possible regressor?

Setting this s-s just because gc seems to be involved, but I'll grab a random choice and pick sec-high for now - please feel free to change this as necessary.

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

(Tested this on 64-bit Mac js opt threadsafe deterministic shell off m-c rev ebdf2740dc3e)

Comment 2

[Jon Coppeard (:jonco)]

Reproduced.  Unlikely to be related to bug 950006 as there is no GC zeal involved.

As I understand it the computation ((1 + (-1 / 0)) | 0) should be zero in JS, since:
  (-1 / 0) => -Infinty
  (1 + -Infinty) => -Infinty
  (-Infinty | 0) => 0

In the interpreter this is the result produced.  However for some reason this is compiled as:

  ((-1 DivI 0) AddI 1)

Which gives 1.  So I guess this is an Ion issue?

Comment 3

[Jan de Mooij [:jandem]]

(In reply to Jon Coppeard (:jonco) from comment #2)
> Which gives 1.  So I guess this is an Ion issue?

Looks a lot like bug 995817...

Comment 4

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

I need to retest this after bug 995817 landed.

Comment 5

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

This is FIXED as of m-i rev f2bd6f0ab761, likely fixed by bug 995817.

Comment 6

[Ryan VanderMeulen [:RyanVM]]

Guessing this is probably wontfix for Beta29 at this point, but we should probably at least get bug 995817 on Aurora30.

Comment 7

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-aurora/rev/1e0fac4a167b

Comment 8

[Matt Wobensmith [:mwobensmith][:matt:]]

Confirmed issue on 2014-04-04, Fx30.
Verified fixed on 2014-06-03, Fx30 and Fx31.

Comment 9

[Matt Wobensmith [:mwobensmith][:matt:]]

Actually, removing verified status. Needs to be verified in build made with --enable-more-deterministic. Gary will do this.

Comment 10

[Justin Wood (:Callek)]

trying to apply this to SeaMonkey 2.26.1 (Gecko 29) resulted in patch conflicts, and due to the nature of this patchset it seems like I won't be able to take it.

Comment 11

[Matt Wobensmith [:mwobensmith][:matt:]]

Gary, do you think you have time to do a verify?

Comment 12

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/35e57f348ddf
user:        Nicolas B. Pierron
date:        Wed Apr 16 08:31:43 2014 -0700
summary:     Bug 995817 - Range Analysis: Truncate MDiv indirectly. r=sunfish

Verified on m-c.

Comment 13

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Also verified on mozilla-aurora (Fx31) and mozilla-beta (Fx32).