Closed Bug 748568 Opened 13 years ago Closed 13 years ago

JS Correctness: Different output without -d and with -d

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: regression, testcase, Whiteboard: js-triage-needed)

(function() { print(arguments[QName("constructor")]) })() displays different output in a 32-bit js debug shell on m-c changeset b9936b8bcccf with and without -d. Without -d: undefined With -d: function Object() { [native code] } autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 91358:fa24b215d49e user: Luke Wagner date: Mon Apr 02 08:58:30 2012 -0700 summary: Bug 740446 - make 'arguments' more like a normal local binding (r=bhackett)
This is an e4x caused by QName. I looked into to see that there is no memory corruption, just subtly different paths taken when coercing a value to an id: The non -d path optimizes away 'arguments' and thereby executes NormalArgumentsObject::optimizedGetElem which uses ValueToId. The -d path goes through the standard GetObjectElementOperation path which takes a different, more convoluted route that ends up turning the QName into the string "constructor". Fixing this will add complexity to NormalArgumentsObject::optimizedGetElem, so I'd rather not. To ignore these in the future, just don't generate QName when fuzzing for divergent behavior.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.