TurboFan {JSCallReducer::ReduceNumberConstructor} looses Number constructor from stack trace. |
|||||||||||
Issue descriptionTracker bug for stack-trace differences.
,
Nov 2 2016
# Different case. Minimized program:
var a = {};
var b = {};
b.p = b[b];
function foo() {
for (var _ in b) {
a.push();
}
}
function bar() {
foo();
}
bar();
# Compared default with noturbo
# Flags of default:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --gc-interval=343 --always-opt --turbo-filter=* --random-seed 232696004
# Flags of noturbo:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --gc-interval=343 --always-opt --turbo-filter=* --random-seed 232696004 --turbo-filter=~
Difference:
- out5_noturbo/fuzz-00719.js.minimized:6: TypeError: undefined is not a function
+ out5_noturbo/fuzz-00719.js.minimized:6: TypeError: a.push is not a function
### Start of configuration default:
out5_noturbo/fuzz-00719.js.minimized:6: TypeError: undefined is not a function
a.push();
^
TypeError: undefined is not a function
at foo (out5_noturbo/fuzz-00719.js.minimized:6:7)
at bar (out5_noturbo/fuzz-00719.js.minimized:10:3)
at out5_noturbo/fuzz-00719.js.minimized:12:1
### End of configuration default
### Start of configuration noturbo:
out5_noturbo/fuzz-00719.js.minimized:6: TypeError: a.push is not a function
a.push();
^
TypeError: a.push is not a function
at foo (out5_noturbo/fuzz-00719.js.minimized:6:7)
at bar (out5_noturbo/fuzz-00719.js.minimized:10:3)
at out5_noturbo/fuzz-00719.js.minimized:12:1
### End of configuration noturbo
,
Nov 2 2016
,
Nov 3 2016
,
Nov 4 2016
# Different case. Minimized program:
"use strict";
try {
Number({ [Symbol.toPrimitive]: () => FAIL });
} catch(e) { print(e.stack); }
# Compared default with noturbo
# Flags of default:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --gc-interval=300 --no-lazy --turbo-filter=* --always-opt --random-seed -563162667
# Flags of noturbo:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --gc-interval=300 --no-lazy --turbo-filter=* --always-opt --random-seed -563162667 --turbo-filter=~
Difference:
Different total output lines: 3 vs. 4
### Start of configuration default:
ReferenceError: FAIL is not defined
at Object.[Symbol.toPrimitive] (out8_noturbo/fuzz-09501.js:3:37)
at out8_noturbo/fuzz-09501.js:3:3
### End of configuration default
### Start of configuration noturbo:
ReferenceError: FAIL is not defined
at Object.[Symbol.toPrimitive] (out8_noturbo/fuzz-09501.js:3:40)
at Number (<anonymous>)
at out8_noturbo/fuzz-09501.js:3:3
### End of configuration noturbo
,
Nov 23 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/2b96c9d7c0fdcf3de62218498b738cc79567458f commit 2b96c9d7c0fdcf3de62218498b738cc79567458f Author: mstarzinger <mstarzinger@chromium.org> Date: Wed Nov 23 13:17:13 2016 [turbofan] Fix exception message for non-constructables. This fixes the message reported via the {TypeError} thrown when trying to call a non-constructable function as a constructor. Also adds some more related message tests for similar exceptions. R=bmeurer@chromium.org TEST=message/call-non-constructable BUG=chromium:661579 Review-Url: https://codereview.chromium.org/2523803003 Cr-Commit-Position: refs/heads/master@{#41220} [modify] https://crrev.com/2b96c9d7c0fdcf3de62218498b738cc79567458f/src/compiler/js-call-reducer.cc [add] https://crrev.com/2b96c9d7c0fdcf3de62218498b738cc79567458f/test/message/call-non-constructable.js [add] https://crrev.com/2b96c9d7c0fdcf3de62218498b738cc79567458f/test/message/call-non-constructable.out [add] https://crrev.com/2b96c9d7c0fdcf3de62218498b738cc79567458f/test/message/call-primitive-constructor.js [add] https://crrev.com/2b96c9d7c0fdcf3de62218498b738cc79567458f/test/message/call-primitive-constructor.out [add] https://crrev.com/2b96c9d7c0fdcf3de62218498b738cc79567458f/test/message/call-primitive-function.js [add] https://crrev.com/2b96c9d7c0fdcf3de62218498b738cc79567458f/test/message/call-primitive-function.out [add] https://crrev.com/2b96c9d7c0fdcf3de62218498b738cc79567458f/test/message/call-undeclared-function.js [add] https://crrev.com/2b96c9d7c0fdcf3de62218498b738cc79567458f/test/message/call-undeclared-function.out
,
Nov 24 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/22a2ae07afbec087229119970d816788131cacd5 commit 22a2ae07afbec087229119970d816788131cacd5 Author: mstarzinger <mstarzinger@chromium.org> Date: Thu Nov 24 13:36:31 2016 [runtime] Fix call-site rendering for inlined calls. This makes sure call-site rendering for certain {TypeError} messages is based on the correct underlying {JSFunction}, even when inlined frames are present. Only the {FrameSummary} knows the exact function. R=verwaest@chromium.org TEST=message/regress/regress-crbug-661579 BUG=chromium:661579 Review-Url: https://codereview.chromium.org/2521103005 Cr-Commit-Position: refs/heads/master@{#41264} [modify] https://crrev.com/22a2ae07afbec087229119970d816788131cacd5/src/runtime/runtime-internal.cc [add] https://crrev.com/22a2ae07afbec087229119970d816788131cacd5/test/message/regress/regress-crbug-661579.js [add] https://crrev.com/22a2ae07afbec087229119970d816788131cacd5/test/message/regress/regress-crbug-661579.out
,
Nov 24 2016
Quick update: Comment #1 and #2 should be fixed. Comment #5 will be more intricate.
,
Dec 13 2016
,
Mar 10 2017
Do we still care about the case in comment 5?
,
Mar 10 2017
Re #10: Yes, I think we do still care. This is due to TurboFan's lowering in {JSCallReducer::ReduceNumberConstructor}. But priority is still accurate IMHO.
,
Mar 10 2017
,
Mar 10 2017
// Flags: --allow-natives-syntax
function f() {
try {
Number({ [Symbol.toPrimitive]: () => FAIL });
} catch(e) { print(e.stack); }
}
f();
f();
%OptimizeFunctionOnNextCall(f);
f();
,
Mar 10 2017
Yeah, that's a known issue. The fix is to weaponize the BuiltinFrame type for the Deoptimizer, where we add an artificial frame state for the builtin whenever we inline it. I have an outdated proof-of-concept, but was deprioritized because it only affects the stack trace and that's not spec'ed. We can reconsider if we should do this. AFAIR this is not only the Number constructor, but also affects a couple of other builtins already.
,
Mar 13 2017
,
Dec 12 2017
,
Dec 12 2017
Another related repro taken from issue 662861 : var d = { valueOf : function() { print(d.valueOf.caller) }} Number(d);
,
Jul 20
,
Nov 15
Lets find a better owner for this one. Tldr: best read this bug bottom to top. |
|||||||||||
►
Sign in to add a comment |
|||||||||||
Comment 1 by machenb...@chromium.org
, Nov 2 2016# Minimized program: new unescape(false) # Compared default with noturbo # Flags of default: --abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --gc-interval=355 --always-opt --turbo-filter=* --random-seed 745158659 # Flags of noturbo: --abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --gc-interval=355 --always-opt --turbo-filter=* --random-seed 745158659 --turbo-filter=~ Difference: - out5_noturbo/fuzz-00302.js.minimized:1: TypeError: unescape is not a function + out5_noturbo/fuzz-00302.js.minimized:1: TypeError: unescape is not a constructor ### Start of configuration default: out5_noturbo/fuzz-00302.js.minimized:1: TypeError: unescape is not a function new unescape(false) ^ TypeError: unescape is not a function at out5_noturbo/fuzz-00302.js.minimized:1:1 ### End of configuration default ### Start of configuration noturbo: out5_noturbo/fuzz-00302.js.minimized:1: TypeError: unescape is not a constructor new unescape(false) ^ TypeError: unescape is not a constructor at out5_noturbo/fuzz-00302.js.minimized:1:1 ### End of configuration noturbo