Difference between fullcode and crankshaft_opt: prototype and instanceof
Issue description
# Minimized program:
function foo() {}
foo.prototype = 1;
v = new foo();
function bar() { return v instanceof foo; }
bar();
# Compared fullcode with noturbo_opt
# Flags of fullcode:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 17796107 --nocrankshaft --turbo-filter=~
# Flags of noturbo_opt:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 17796107 --always-opt --turbo-filter=~ --noturbo-asm
Difference:
- /usr/local/google/home/machenbach/v8/clusterfuzz-data/fuzzers/workdir/output31_noturbo_opt/fuzz-18573.js.minimized:4: TypeError: Function has non-object prototype '1' in instanceof check
### Start of configuration fullcode:
/usr/local/google/home/machenbach/v8/clusterfuzz-data/fuzzers/workdir/output31_noturbo_opt/fuzz-18573.js.minimized:4: TypeError: Function has non-object prototype '1' in instanceof check
function bar() { return v instanceof foo; }
                          ^
TypeError: Function has non-object prototype '1' in instanceof check
at bar (/usr/local/google/home/machenbach/v8/clusterfuzz-data/fuzzers/workdir/output31_noturbo_opt/fuzz-18573.js.minimized:4:27)
at /usr/local/google/home/machenbach/v8/clusterfuzz-data/fuzzers/workdir/output31_noturbo_opt/fuzz-18573.js.minimized:5:1
### End of configuration fullcode
### Start of configuration noturbo_opt:
### End of configuration noturbo_opt
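To make the expected result concrete, here is an added example (my own code, not part of the bug report or of V8) that re-implements the spec's OrdinaryHasInstance as a reference oracle and runs the minimized program through both it and the engine's native `instanceof`. The names `ordinaryHasInstance`, `outcome`, `compare` and `reproduce` are my own; the oracle assumes the default `Function.prototype[Symbol.hasInstance]` and does not model bound functions. A correct engine, like the fullcode configuration above, throws a TypeError because `foo.prototype` is the number 1, whereas the noturbo_opt configuration produced no error at all.

```javascript
// Added example (not from the report or V8): a reference oracle for the
// instanceof semantics this bug concerns. It assumes the default
// Function.prototype[Symbol.hasInstance], i.e. OrdinaryHasInstance
// (ES2015 7.3.19); bound functions (spec step 2) are not modelled.
function ordinaryHasInstance(C, O) {
  if (typeof C !== 'function') return false;
  // A primitive left-hand side is never an instance. Per spec this check
  // comes before the prototype check, so `1 instanceof foo` yields false.
  if (O === null || (typeof O !== 'object' && typeof O !== 'function')) return false;
  const P = C.prototype;
  // This is the check the report is about: a non-object .prototype must
  // throw, not silently yield false.
  if (P === null || (typeof P !== 'object' && typeof P !== 'function')) {
    throw new TypeError("Function has non-object prototype '" + String(P) + "' in instanceof check");
  }
  for (let p = Object.getPrototypeOf(O); p !== null; p = Object.getPrototypeOf(p)) {
    if (p === P) return true;
  }
  return false;
}

// Run one implementation and report the boolean as a string, or the name of
// the error it threw, so the two paths can be compared directly.
function outcome(fn) {
  try { return String(fn()); } catch (e) { return e.constructor.name; }
}

// Same check through the engine's own `instanceof` and through the reference.
function compare(O, C) {
  return {
    native: outcome(() => O instanceof C),
    reference: outcome(() => ordinaryHasInstance(C, O)),
  };
}

// The minimized program from the report, wrapped so the result can be inspected
// instead of terminating the script.
function reproduce() {
  function foo() {}
  foo.prototype = 1;       // non-object prototype, as in the report
  const v = new foo();     // construction still succeeds: v gets Object.prototype
  return compare(v, foo);  // both sides must report 'TypeError'
}

// Expected: reproduce() -> { native: 'TypeError', reference: 'TypeError' }
```

Run this under a V8 build with the noturbo_opt flags from the report and `native` will differ from `reference`; under a fixed engine the two agree on every input.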
Nov 18 2016

Nov 18 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/0c70f3729e751bb3149f5b82d9e42db00c3cec3d

commit 0c70f3729e751bb3149f5b82d9e42db00c3cec3d
Author: verwaest <verwaest@chromium.org>
Date: Fri Nov 18 12:57:02 2016

[crankshaft] Don't inline the fast path for instanceof if the function has a non-instance .prototype

BUG=chromium:666308
Review-Url: https://codereview.chromium.org/2516603002
Cr-Commit-Position: refs/heads/master@{#41105}

[modify] https://crrev.com/0c70f3729e751bb3149f5b82d9e42db00c3cec3d/src/crankshaft/hydrogen.cc
[add] https://crrev.com/0c70f3729e751bb3149f5b82d9e42db00c3cec3d/test/mjsunit/regress/regress-crbug-666308.js
Nov 18 2016

Dec 13 2016

Jan 11 2017
Issue 679883 has been merged into this issue.

Jan 16 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/c4a35ed7e831448e1fd2a2ca1f79d5fefae0655e

commit c4a35ed7e831448e1fd2a2ca1f79d5fefae0655e
Author: machenbach <machenbach@chromium.org>
Date: Mon Jan 16 09:01:51 2017

[foozzie] Remove suppressions for fixed bugs

BUG=chromium:663750, chromium:662907, chromium:663340, chromium:666308, chromium:669017
NOTRY=true
TBR=jarin@chromium.org, bmeurer@chromium.org
Review-Url: https://codereview.chromium.org/2632153002
Cr-Commit-Position: refs/heads/master@{#42356}

[modify] https://crrev.com/c4a35ed7e831448e1fd2a2ca1f79d5fefae0655e/tools/foozzie/v8_suppressions.js
[modify] https://crrev.com/c4a35ed7e831448e1fd2a2ca1f79d5fefae0655e/tools/foozzie/v8_suppressions.py
Comment 1 by danno@chromium.org, Nov 17 2016
Status: Assigned (was: Untriaged)