Difference between fullcode and ignition_staging_turbo_opt: array shift
Issue description
# Minimized program:
Array.prototype.__proto__ = {3: ""};
a = new Array(13)
a.shift()
Object.defineProperty(Array.prototype, "1", {});
[{},,0].shift();
# Compared fullcode with ignition_turbo_opt
# Flags of fullcode:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --random-seed -856055094 --nocrankshaft --turbo-filter=~
# Flags of ignition_turbo_opt:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --random-seed -856055094 --ignition-staging --turbo --always-opt
Difference:
Different total output lines: 0 vs. 7
### Start of configuration fullcode:
### End of configuration fullcode
### Start of configuration ignition_turbo_opt:
out11_ignition_turbo_opt2/fuzz-70987.js.minimized:6: TypeError: Cannot assign to read only property '1' of object '[object Array]'
[{},,0].shift();
^
TypeError: Cannot assign to read only property '1' of object '[object Array]'
at Array.shift (<anonymous>)
at out11_ignition_turbo_opt2/fuzz-70987.js.minimized:6:9
### End of configuration ignition_turbo_opt
Nov 17 2016
Igor, please take a look. ArrayShift inlining seems wrong.
Dec 13 2016
Dec 20 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/faf80b4ec0b5a901eecd77b7b356f2b0fe2ca4f7

commit faf80b4ec0b5a901eecd77b7b356f2b0fe2ca4f7
Author: ishell <ishell@chromium.org>
Date: Tue Dec 20 10:18:02 2016

[crankshaft] Ensure that we use inlined Array.prototype.shift only when there's no elements in the prototype chain.

BUG= chromium:663340
Review-Url: https://codereview.chromium.org/2593553002
Cr-Commit-Position: refs/heads/master@{#41846}

[modify] https://crrev.com/faf80b4ec0b5a901eecd77b7b356f2b0fe2ca4f7/src/crankshaft/hydrogen.cc
[modify] https://crrev.com/faf80b4ec0b5a901eecd77b7b356f2b0fe2ca4f7/src/crankshaft/hydrogen.h
[modify] https://crrev.com/faf80b4ec0b5a901eecd77b7b356f2b0fe2ca4f7/src/prototype.h
[add] https://crrev.com/faf80b4ec0b5a901eecd77b7b356f2b0fe2ca4f7/test/mjsunit/regress/regress-crbug-663340.js
Dec 20 2016
Jan 11 2017
Issue 679886 has been merged into this issue.
Jan 16 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/c4a35ed7e831448e1fd2a2ca1f79d5fefae0655e

commit c4a35ed7e831448e1fd2a2ca1f79d5fefae0655e
Author: machenbach <machenbach@chromium.org>
Date: Mon Jan 16 09:01:51 2017

[foozzie] Remove suppressions for fixed bugs

BUG= chromium:663750 , chromium:662907 , chromium:663340 , chromium:666308 , chromium:669017
NOTRY=true
TBR=jarin@chromium.org, bmeurer@chromium.org
Review-Url: https://codereview.chromium.org/2632153002
Cr-Commit-Position: refs/heads/master@{#42356}

[modify] https://crrev.com/c4a35ed7e831448e1fd2a2ca1f79d5fefae0655e/tools/foozzie/v8_suppressions.js
[modify] https://crrev.com/c4a35ed7e831448e1fd2a2ca1f79d5fefae0655e/tools/foozzie/v8_suppressions.py
Comment 1 by machenb...@chromium.org, Nov 17 2016
Labels: -Restrict-View-Google
# Similar case between fullcode and default:
Array.prototype[1] = "element 1";
function foo() {
  a = [0,,{}]
  a.shift()
  print(a);
}
foo();
foo();
%OptimizeFunctionOnNextCall(foo);
foo();
# Compared fullcode with default
# Flags of fullcode:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 2093345467 --nocrankshaft --turbo-filter=~
# Flags of default:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 2093345467
Difference:
- element 1,[object Object]
+ ,[object Object]
### Start of configuration fullcode:
element 1,[object Object]
element 1,[object Object]
element 1,[object Object]
### End of configuration fullcode
### Start of configuration default:
element 1,[object Object]
element 1,[object Object]
,[object Object]
### End of configuration default
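The divergence in Comment 1 and the condition named in the fix's commit message ("only when there's no elements in the prototype chain"), as an added JavaScript example that is not V8's code and not part of the original report. The names `specShift`, `fastShift`, `protoChainHasElements` and `runCase` are hypothetical, and `fastShift` is an assumed model of a prototype-blind element move, not the actual Crankshaft code.

```javascript
// Added illustration, not V8 source. Models the two outputs seen in Comment 1.
const isIndex = (k) => String(k >>> 0) === k && (k >>> 0) !== 0xffffffff;

// Array.prototype.shift following the ECMAScript steps.
function specShift(o) {
  "use strict"; // failed Set/Delete must throw, as the spec requires
  const len = o.length >>> 0;
  if (len === 0) { o.length = 0; return undefined; }
  const first = o[0];
  for (let k = 1; k < len; k++) {
    // HasProperty ("in") walks the prototype chain, so a hole picks up an
    // inherited element and copies it down as an own property.
    if (k in o) o[k - 1] = o[k];
    else delete o[k - 1];
  }
  delete o[len - 1];
  o.length = len - 1;
  return first;
}

// Assumed model of a fast path that moves own elements only: holes stay holes.
function fastShift(o) {
  "use strict";
  const len = o.length >>> 0;
  if (len === 0) return undefined;
  const first = o[0];
  for (let k = 1; k < len; k++) {
    if (Object.prototype.hasOwnProperty.call(o, k)) o[k - 1] = o[k];
    else delete o[k - 1];
  }
  o.length = len - 1;
  return first;
}

// Guard in the spirit of the fix: the fast path is only sound when no object
// on the prototype chain carries an array-index property.
function protoChainHasElements(o) {
  for (let p = Object.getPrototypeOf(o); p !== null; p = Object.getPrototypeOf(p)) {
    if (Object.getOwnPropertyNames(p).some(isIndex)) return true;
  }
  return false;
}

// Runs the Comment 1 test case with a given shift, then restores the prototype.
function runCase(shiftFn) {
  Array.prototype[1] = "element 1";
  try {
    const a = [0, , {}];
    const guard = protoChainHasElements(a);
    shiftFn(a);
    return { text: String(a), guard };
  } finally {
    delete Array.prototype[1];
  }
}
```

`runCase(specShift)` reproduces the fullcode line of the report and `runCase(fastShift)` reproduces the line printed after `%OptimizeFunctionOnNextCall`, while the guard reports `true` for this input, which is the case where the fast path has to be skipped.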