Issue 662907 link

Starred by 2 users

Issue metadata

Status:	Fixed
Owner:	ishell@chromium.org
Closed:	Dec 2016
Cc:	mvstan...@chromium.org jarin@chromium.org mstarzinger@chromium.org
Components:	Blink>JavaScript
EstimatedDays:	----
NextAction:	----
OS:	----
Pri:	1
Type:	Bug
v8-foozzie-failure

Blocking:
issue 662423

Difference between fullcode and crankshaft_opt: array prototype setter

Project Member Reported by machenb...@chromium.org, Nov 7 2016

Issue description

Minimized program:
foo();
gc();gc();gc();gc();
function foo(x) {
  var a = new Array();
  a[0] = x;
  return a;
}
Array.prototype.__defineSetter__("0", function() {});
foo().map(print);


# Compared nocrankshaft with noturbo_opt

# Flags of nocrankshaft:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --gc-interval=222 --random-seed -672481123 --nocrankshaft
# Flags of noturbo_opt:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --gc-interval=222 --random-seed -672481123 --always-opt --turbo-filter=~

Difference:
Different total output lines: 1 vs. 0

### Start of configuration nocrankshaft:
undefined 0 

### End of configuration nocrankshaft

### Start of configuration noturbo_opt:

### End of configuration noturbo_opt

Comment 1 by jarin@chromium.org, Nov 8 2016

Owner: ishell@chromium.org
Status: Assigned (was: Untriaged)

This does not depend on crankshaft - there is already difference between doing 3 garbage collections and 4 garbage collections with --nocrankshaft.

Comment 2 by ishell@chromium.org, Nov 8 2016

Cc: mvstan...@chromium.org

The 4-th GC cleared optimized code map in foo's SFI and TypeFeedbackVector::ClearAllKeyedStoreICs() was not able to find the foo's type feedback vector.

Comment 3 by ishell@chromium.org, Nov 24 2016

Status: Started (was: Assigned)

Project Member

Comment 4 by bugdroid1@chromium.org, Nov 28 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/a39522f44f7e0be4686831688917e9675255dcaf

commit a39522f44f7e0be4686831688917e9675255dcaf
Author: ishell <ishell@chromium.org>
Date: Mon Nov 28 22:56:35 2016

[ic] Use validity cells to protect keyed element stores against object's prototype chain modifications.

... instead of clearing of all the KeyedStoreICs which didn't always work.

BUG= chromium:662907 , v8:5561
TBR=verwaest@chromium.org, bmeurer@chromium.org

Review-Url: https://codereview.chromium.org/2534613002
Cr-Commit-Position: refs/heads/master@{#41332}

[modify] https://crrev.com/a39522f44f7e0be4686831688917e9675255dcaf/include/v8.h
[modify] https://crrev.com/a39522f44f7e0be4686831688917e9675255dcaf/src/ast/ast-types.cc
[modify] https://crrev.com/a39522f44f7e0be4686831688917e9675255dcaf/src/builtins/builtins-array.cc
[modify] https://crrev.com/a39522f44f7e0be4686831688917e9675255dcaf/src/code-stub-assembler.h
[modify] https://crrev.com/a39522f44f7e0be4686831688917e9675255dcaf/src/compiler/types.cc
[modify] https://crrev.com/a39522f44f7e0be4686831688917e9675255dcaf/src/elements.cc
[modify] https://crrev.com/a39522f44f7e0be4686831688917e9675255dcaf/src/factory.cc
[modify] https://crrev.com/a39522f44f7e0be4686831688917e9675255dcaf/src/factory.h
[modify] https://crrev.com/a39522f44f7e0be4686831688917e9675255dcaf/src/ic/accessor-assembler-impl.h
[modify] https://crrev.com/a39522f44f7e0be4686831688917e9675255dcaf/src/ic/accessor-assembler.cc
[modify] https://crrev.com/a39522f44f7e0be4686831688917e9675255dcaf/src/ic/ic-compiler.cc
[modify] https://crrev.com/a39522f44f7e0be4686831688917e9675255dcaf/src/ic/ic-compiler.h
[modify] https://crrev.com/a39522f44f7e0be4686831688917e9675255dcaf/src/ic/ic-inl.h
[modify] https://crrev.com/a39522f44f7e0be4686831688917e9675255dcaf/src/ic/ic.cc
[modify] https://crrev.com/a39522f44f7e0be4686831688917e9675255dcaf/src/ic/ic.h
[modify] https://crrev.com/a39522f44f7e0be4686831688917e9675255dcaf/src/lookup.cc
[modify] https://crrev.com/a39522f44f7e0be4686831688917e9675255dcaf/src/objects-debug.cc
[modify] https://crrev.com/a39522f44f7e0be4686831688917e9675255dcaf/src/objects-inl.h
[modify] https://crrev.com/a39522f44f7e0be4686831688917e9675255dcaf/src/objects-printer.cc
[modify] https://crrev.com/a39522f44f7e0be4686831688917e9675255dcaf/src/objects.cc
[modify] https://crrev.com/a39522f44f7e0be4686831688917e9675255dcaf/src/objects.h
[modify] https://crrev.com/a39522f44f7e0be4686831688917e9675255dcaf/src/type-feedback-vector.cc
[modify] https://crrev.com/a39522f44f7e0be4686831688917e9675255dcaf/src/type-feedback-vector.h
[modify] https://crrev.com/a39522f44f7e0be4686831688917e9675255dcaf/src/value-serializer.cc
[add] https://crrev.com/a39522f44f7e0be4686831688917e9675255dcaf/test/mjsunit/regress/regress-crbug-662907.js

Comment 5 by ishell@chromium.org, Nov 28 2016

Status: Fixed (was: Started)

Comment 6 by machenb...@chromium.org, Nov 29 2016

Status: Assigned (was: Fixed)

Reopen due to revert.

Project Member

Comment 7 by bugdroid1@chromium.org, Dec 2 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c

commit 39e6f2ca4a2bdc39bd0291db944f0728bd527c5c
Author: ishell <ishell@chromium.org>
Date: Fri Dec 02 10:03:18 2016

[ic] Use validity cells to protect keyed element stores against object's prototype chain modifications.

... instead of clearing of all the KeyedStoreICs which didn't always work.

BUG= chromium:662907 ,  chromium:669411 , v8:5561
TBR=verwaest@chromium.org, bmeurer@chromium.org

Committed: https://crrev.com/a39522f44f7e0be4686831688917e9675255dcaf
Review-Url: https://codereview.chromium.org/2534613002
Cr-Original-Commit-Position: refs/heads/master@{#41332}
Cr-Commit-Position: refs/heads/master@{#41449}

[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/include/v8.h
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/ast/ast-types.cc
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/builtins/builtins-array.cc
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/code-stub-assembler.h
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/compiler/types.cc
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/elements.cc
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/factory.cc
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/factory.h
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/ic/accessor-assembler-impl.h
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/ic/accessor-assembler.cc
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/ic/ic-compiler.cc
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/ic/ic-compiler.h
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/ic/ic-inl.h
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/ic/ic.cc
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/ic/ic.h
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/lookup.cc
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/objects-debug.cc
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/objects-inl.h
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/objects-printer.cc
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/objects.cc
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/objects.h
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/type-feedback-vector.cc
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/type-feedback-vector.h
[modify] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/src/value-serializer.cc
[add] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/test/mjsunit/regress/regress-crbug-662907.js
[add] https://crrev.com/39e6f2ca4a2bdc39bd0291db944f0728bd527c5c/test/mjsunit/regress/regress-crbug-669411.js

Comment 8 by ishell@chromium.org, Dec 2 2016

Status: Fixed (was: Assigned)

Comment 9 by machenb...@chromium.org, Dec 13 2016

Labels: -Restrict-View-Google v8-foozzie-failure

Comment 10 by machenb...@chromium.org, Jan 11 2017

 Issue 679910  has been merged into this issue.

Project Member

Comment 11 by bugdroid1@chromium.org, Jan 16 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/c4a35ed7e831448e1fd2a2ca1f79d5fefae0655e

commit c4a35ed7e831448e1fd2a2ca1f79d5fefae0655e
Author: machenbach <machenbach@chromium.org>
Date: Mon Jan 16 09:01:51 2017

[foozzie] Remove suppressions for fixed bugs

BUG= chromium:663750 , chromium:662907 , chromium:663340 , chromium:666308 , chromium:669017 
NOTRY=true
TBR=jarin@chromium.org, bmeurer@chromium.org

Review-Url: https://codereview.chromium.org/2632153002
Cr-Commit-Position: refs/heads/master@{#42356}

[modify] https://crrev.com/c4a35ed7e831448e1fd2a2ca1f79d5fefae0655e/tools/foozzie/v8_suppressions.js
[modify] https://crrev.com/c4a35ed7e831448e1fd2a2ca1f79d5fefae0655e/tools/foozzie/v8_suppressions.py

►

Issue 662907 link

Issue metadata

Difference between fullcode and crankshaft_opt: array prototype setter

Issue description

Comment 1 by jarin@chromium.org, Nov 8 2016

Comment 1 Deleted

Comment 2 by ishell@chromium.org, Nov 8 2016

Comment 2 Deleted

Comment 3 by ishell@chromium.org, Nov 24 2016

Comment 3 Deleted

Comment 4 by bugdroid1@chromium.org, Nov 28 2016

Comment 4 Deleted

Comment 5 by ishell@chromium.org, Nov 28 2016

Comment 5 Deleted

Comment 6 by machenb...@chromium.org, Nov 29 2016

Comment 6 Deleted

Comment 7 by bugdroid1@chromium.org, Dec 2 2016

Comment 7 Deleted

Comment 8 by ishell@chromium.org, Dec 2 2016

Comment 8 Deleted

Comment 9 by machenb...@chromium.org, Dec 13 2016

Comment 9 Deleted

Comment 10 by machenb...@chromium.org, Jan 11 2017

Comment 10 Deleted

Comment 11 by bugdroid1@chromium.org, Jan 16 2017

Comment 11 Deleted

Sign in to add a comment