Issue 662418 link

Starred by 1 user

Issue metadata

Status:	Fixed
Owner:	----
Closed:	Nov 2016
Cc:	rmcilroy@chromium.org mstarzinger@chromium.org
Components:	Blink>JavaScript
EstimatedDays:	----
NextAction:	----
OS:	----
Pri:	1
Type:	Bug
Proj-Ignition v8-foozzie-failure

Blocking:
issue 661510

Difference between default and ignition: valueOf

Project Member Reported by machenb...@chromium.org, Nov 4 2016

Issue description

# Minimized program:
var v = {
  valueOf: function() {
    print(w++);
  },
  toString: null
};
var w = {
  valueOf: function() {
    print("w");
  }
};
var x = { [v]: 'B' };


# Compared default with ignition_staging

# Flags of default:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --gc-interval=225 --random-seed -607187433
# Flags of ignition_staging:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --gc-interval=225 --random-seed -607187433 --ignition-staging

Difference:
Different total output lines: 2 vs. 3

### Start of configuration default:
w
NaN

### End of configuration default

### Start of configuration ignition_staging:
w
w
NaN

### End of configuration ignition_staging

Comment 1 by rmcilroy@chromium.org, Nov 4 2016

Status: Started (was: Untriaged)

I have a fix in progress. Got to agree with Michi - correctness fuzzer FTW!

Comment 2 by machenb...@chromium.org, Nov 7 2016

# Guess this is the same with toString?

var v = {
  toString: function() {
    print(w++);
  }
};
var w = {
  toString: function() {
    print("Meh");
  }
};
var v = {[v]: 0};

Comment 3 by rmcilroy@chromium.org, Nov 7 2016

Yes this looks like the same underlying bug.

Comment 4 by machenb...@chromium.org, Nov 8 2016

# Another one:
__v_8 = function() {
  print(__v_8.caller);
}
__v_7 = {};
__v_7.valueOf = __v_8;
Number(__v_7);


# Compared fullcode with ignition_turbo_opt

# Flags of fullcode:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --gc-interval=196 --random-seed 38473969 --nocrankshaft --turbo-filter=~
# Flags of ignition_turbo_opt:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --gc-interval=196 --random-seed 38473969 --ignition-staging --turbo --always-opt

Difference:
- function Number() { [native code] }
+ null

### Start of configuration fullcode:
function Number() { [native code] }

### End of configuration fullcode

### Start of configuration ignition_turbo_opt:
null

### End of configuration ignition_turbo_opt

Project Member

Comment 5 by bugdroid1@chromium.org, Nov 8 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/ba5885cc8b99951f445096349dd6a7a5a76e354b

commit ba5885cc8b99951f445096349dd6a7a5a76e354b
Author: rmcilroy <rmcilroy@chromium.org>
Date: Tue Nov 08 17:02:45 2016

[Interpreter] Ensure ValueOf is only called once for post-increment operations.

BUG= chromium:662418 

Review-Url: https://codereview.chromium.org/2473223004
Cr-Commit-Position: refs/heads/master@{#40846}

[modify] https://crrev.com/ba5885cc8b99951f445096349dd6a7a5a76e354b/src/interpreter/bytecode-generator.cc
[modify] https://crrev.com/ba5885cc8b99951f445096349dd6a7a5a76e354b/test/cctest/interpreter/bytecode_expectations/AssignmentsInBinaryExpression.golden
[modify] https://crrev.com/ba5885cc8b99951f445096349dd6a7a5a76e354b/test/cctest/interpreter/bytecode_expectations/CountOperators.golden
[modify] https://crrev.com/ba5885cc8b99951f445096349dd6a7a5a76e354b/test/cctest/interpreter/bytecode_expectations/GlobalCountOperators.golden
[add] https://crrev.com/ba5885cc8b99951f445096349dd6a7a5a76e354b/test/mjsunit/ignition/regress-662418.js

Comment 6 by rmcilroy@chromium.org, Nov 8 2016

Status: Fixed (was: Started)

This should be fixed now.

Comment 7 by machenb...@chromium.org, Dec 13 2016

Labels: -Restrict-View-Google v8-foozzie-failure

►

Issue 662418 link

Issue metadata

Difference between default and ignition: valueOf

Issue description

Comment 1 by rmcilroy@chromium.org, Nov 4 2016

Comment 1 Deleted

Comment 2 by machenb...@chromium.org, Nov 7 2016

Comment 2 Deleted

Comment 3 by rmcilroy@chromium.org, Nov 7 2016

Comment 3 Deleted

Comment 4 by machenb...@chromium.org, Nov 8 2016

Comment 4 Deleted

Comment 5 by bugdroid1@chromium.org, Nov 8 2016

Comment 5 Deleted

Comment 6 by rmcilroy@chromium.org, Nov 8 2016

Comment 6 Deleted

Comment 7 by machenb...@chromium.org, Dec 13 2016

Comment 7 Deleted

Sign in to add a comment