Difference between fullcode and ignition_turbo: array length overflow
Issue description
# Minimized program:
function foo() {
return v.length + 1;
}
var v = [];
foo();
v.length = 0xFFFFFFFF;
%OptimizeFunctionOnNextCall(foo);
print(foo());
# Compared fullcode with ignition_turbo
# Flags of fullcode:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --random-seed -1845399049 --nocrankshaft --turbo-filter=~
# Flags of ignition_turbo:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --random-seed -1845399049 --ignition-staging --turbo
Difference:
- 4294967296
+ 0
### Start of configuration fullcode:
4294967296
### End of configuration fullcode
### Start of configuration ignition_turbo:
0
### End of configuration ignition_turbo
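The reporter's d8 program needs --allow-natives-syntax and a build that still has the bug. As an added example (not from the bug report and not V8's own regress-664117.js), the check below runs under Node.js or any ES2015 engine: a warm-up loop stands in for %OptimizeFunctionOnNextCall, the function under test mirrors foo(), and a separate helper models the wrong result by reading the uint32 length as a signed int32 before the increment (0xFFFFFFFF reads as -1, so -1 + 1 gives the 0 that ignition_turbo printed). The function names and the set of boundary lengths are this example's own choices.

```javascript
// Added example, not from the bug report or from V8. Runs without d8 flags:
// the warm-up loop stands in for %OptimizeFunctionOnNextCall.

// Array length is a uint32 in [0, 2^32 - 1]; the report sets it to the top end.
const MAX_ARRAY_LENGTH = 0xFFFFFFFF;

// Mirrors the report's foo(): read a uint32 length and add 1. JS arithmetic is
// on doubles, so 0xFFFFFFFF + 1 must be 4294967296, never a 32-bit wrap.
function lengthPlusOne(arr) {
  return arr.length + 1;
}

// Model of the miscompile (assumed from the fix title, not V8's actual IR):
// the uint32 length is consumed as a checked signed int32, so 0xFFFFFFFF is
// read as -1 and -1 + 1 === 0, the value the ignition_turbo run printed.
// `| 0` is the int32 truncation used here to reproduce that reinterpretation.
function signedReinterpretationPlusOne(len) {
  return (len | 0) + 1;
}

// Regression check over the lengths where int32/uint32 confusion shows up:
// 0, INT32_MAX, INT32_MAX + 1 (sign bit set) and UINT32_MAX.
function checkBoundaryLengths(warmupIterations = 200000) {
  // Warm up on a small array so a tiering JIT optimizes lengthPlusOne with
  // small-integer feedback, as the report's call sequence does.
  const probe = [];
  for (let i = 0; i < warmupIterations; i++) lengthPlusOne(probe);

  const results = [];
  for (const len of [0, 0x7FFFFFFF, 0x80000000, MAX_ARRAY_LENGTH]) {
    const arr = [];
    arr.length = len; // legal for any uint32; no elements are allocated
    const got = lengthPlusOne(arr);
    results.push({ len, got, expected: len + 1, ok: got === len + 1 });
  }
  return results;
}

for (const r of checkBoundaryLengths()) {
  console.log(`length=${r.len} got=${r.got} expected=${r.expected} ${r.ok ? 'ok' : 'MISCOMPILE'}`);
}
```

On a fixed engine every row reports ok; a row where `got` equals `signedReinterpretationPlusOne(len)` instead of `len + 1` is the signature of this class of representation-change bug, and the 0x80000000 row catches the same mix-up one bit earlier than the reporter's case.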
Nov 22 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/d7aae405c759e4684c4864a8cc07ad3552bde13a

commit d7aae405c759e4684c4864a8cc07ad3552bde13a
Author: jarin <jarin@chromium.org>
Date: Tue Nov 22 12:07:19 2016

[turbofan] Fix representation changes for unsigned values used as checked-signed values.

BUG=chromium:664117
Review-Url: https://codereview.chromium.org/2522883002
Cr-Commit-Position: refs/heads/master@{#41173}

[modify] https://crrev.com/d7aae405c759e4684c4864a8cc07ad3552bde13a/src/compiler/representation-change.cc
[add] https://crrev.com/d7aae405c759e4684c4864a8cc07ad3552bde13a/test/mjsunit/compiler/regress-664117.js
Nov 29 2016

Dec 13 2016
Comment 1 by bmeu...@chromium.org, Nov 10 2016
Status: Assigned (was: Untriaged)