Closed Bug 998709 Opened 10 years ago Closed 10 years ago

Differential Testing: Different output message involving __proto__

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED DUPLICATE of bug 998059

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: regression, testcase) 

x = Uint16Array()
x.__proto__ = [0]
for (var m = 0; m < 2; m++) {
    print(x.length)
}


$ ./js-opt-64-dm-ts-darwin-582b2d81ebe1 --fuzzing-safe --ion-parallel-compile=off testcase.js
1
1

$ ./js-opt-64-dm-ts-darwin-582b2d81ebe1 --fuzzing-safe --ion-parallel-compile=off --ion-eager testcase.js
1
0

(Tested this on 64-bit Mac js opt threadsafe deterministic shell off m-c rev 582b2d81ebe1)

My configure flags (Mac) are:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --disable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --disable-tests --enable-more-deterministic --with-ccache --enable-threadsafe <other NSPR options>

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/6f8ea87eb8d1
user:        Brian Hackett
date:        Thu Mar 06 14:03:03 2014 -0700
summary:     Bug 980013 - Watch for length accesses on typed arrays with overridden prototypes, r=luke.

Hannes, is this related to bug 980013? (This issue does not seem fixed by the patch in bug 998059, but you could re-check.)
Flags: needinfo?(hv1989)
The fix was incomplete. The new patch fixes this issue too.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(hv1989)
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.