Issue 667689 link

Starred by 1 user

Issue metadata

Status:	Fixed
Owner:	bmeu...@chromium.org
Closed:	Nov 2016
Cc:	hablich@chromium.org verwa...@chromium.org rmcilroy@chromium.org mstarzinger@chromium.org bmeu...@chromium.org jarin@chromium.org
Components:	Blink>JavaScript>Compiler
EstimatedDays:	----
NextAction:	----
OS:	All
Pri:	1
Type:	Bug
Arch-All M-57 NodeJS-Backport-Rejected merge-merged-5.5 merge-merged-5.6 v8-foozzie-failure

Blocking:
issue 663324

Difference between fullcode and ignition_turbo: instanceof and Symbol.hasInstance

Project Member Reported by machenb...@chromium.org, Nov 22 2016

Issue description

Maybe related to  issue 666308 ?

function foo() {};
foo.__defineGetter__(undefined, function() {});
function bar() {}
function baz(x) { return x instanceof bar };
%OptimizeFunctionOnNextCall(baz);
baz();
Object.setPrototypeOf(bar, null);
bar[Symbol.hasInstance] = function() { return true };
print(baz());


# Compared fullcode with ignition_turbo

# Flags of fullcode:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging  --random-seed -176087470 --nocrankshaft --turbo-filter=~
# Flags of ignition_turbo:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging  --random-seed -176087470 --ignition-staging --turbo

Difference:
- true
+ false

### Start of configuration fullcode:
true

### End of configuration fullcode

### Start of configuration ignition_turbo:
false

### End of configuration ignition_turbo

Comment 1 by hablich@chromium.org, Nov 22 2016

Cc: hablich@chromium.org
Owner: bmeu...@chromium.org
Status: Assigned (was: Untriaged)

Comment 2 by bmeu...@chromium.org, Nov 22 2016

Effect chain broken (awesome repro btw.). Fix in-flight.

Project Member

Comment 3 by bugdroid1@chromium.org, Nov 22 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/84c9360b82127571548c9d93132819a4174a0ea1

commit 84c9360b82127571548c9d93132819a4174a0ea1
Author: bmeurer <bmeurer@chromium.org>
Date: Tue Nov 22 11:05:01 2016

[turbofan] Fix broken effect chain for instanceof.

BUG= chromium:667689 
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2518313002
Cr-Commit-Position: refs/heads/master@{#41169}

[modify] https://crrev.com/84c9360b82127571548c9d93132819a4174a0ea1/src/compiler/js-native-context-specialization.cc
[add] https://crrev.com/84c9360b82127571548c9d93132819a4174a0ea1/test/mjsunit/regress/regress-crbug-667689.js

Comment 4 by bmeu...@chromium.org, Nov 22 2016

Components: -Blink>JavaScript Blink>JavaScript>Compiler
Labels: M-57 Arch-All OS-All
Status: Fixed (was: Assigned)

Project Member

Comment 5 by bugdroid1@chromium.org, Nov 23 2016

Labels: merge-merged-5.6

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/c6856126b6f02d55677a84afa22c7b51afae66a2

commit c6856126b6f02d55677a84afa22c7b51afae66a2
Author: Benedikt Meurer <bmeurer@google.com>
Date: Wed Nov 23 13:05:54 2016

Merged: Squashed multiple commits.

Merged: [turbofan] Properly optimize instanceof (even in the presence of @@hasInstance).
Revision: 241c024c10a8c1b5d7309299ef61f887363b00a0

Merged: [turbofan] Fix broken effect chain for instanceof.
Revision: 84c9360b82127571548c9d93132819a4174a0ea1

BUG= chromium:667689 , v8:5640 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
TBR=jarin@chromium.org

Review URL: https://codereview.chromium.org/2523223003 .

Cr-Commit-Position: refs/branch-heads/5.6@{#15}
Cr-Branched-From: bdd3886218dfe76e8560eb8a18401942452ae859-refs/heads/5.6.326@{#1}
Cr-Branched-From: 879f6599eee6e1dfcbe9a24bf688b261c03e9558-refs/heads/master@{#41014}

[modify] https://crrev.com/c6856126b6f02d55677a84afa22c7b51afae66a2/src/bootstrapper.cc
[modify] https://crrev.com/c6856126b6f02d55677a84afa22c7b51afae66a2/src/builtins/builtins-object.cc
[modify] https://crrev.com/c6856126b6f02d55677a84afa22c7b51afae66a2/src/builtins/builtins.h
[modify] https://crrev.com/c6856126b6f02d55677a84afa22c7b51afae66a2/src/code-factory.cc
[modify] https://crrev.com/c6856126b6f02d55677a84afa22c7b51afae66a2/src/code-factory.h
[modify] https://crrev.com/c6856126b6f02d55677a84afa22c7b51afae66a2/src/compiler/js-builtin-reducer.cc
[modify] https://crrev.com/c6856126b6f02d55677a84afa22c7b51afae66a2/src/compiler/js-builtin-reducer.h
[modify] https://crrev.com/c6856126b6f02d55677a84afa22c7b51afae66a2/src/compiler/js-generic-lowering.cc
[modify] https://crrev.com/c6856126b6f02d55677a84afa22c7b51afae66a2/src/compiler/js-native-context-specialization.cc
[modify] https://crrev.com/c6856126b6f02d55677a84afa22c7b51afae66a2/src/compiler/js-native-context-specialization.h
[modify] https://crrev.com/c6856126b6f02d55677a84afa22c7b51afae66a2/src/compiler/js-operator.cc
[modify] https://crrev.com/c6856126b6f02d55677a84afa22c7b51afae66a2/src/compiler/js-operator.h
[modify] https://crrev.com/c6856126b6f02d55677a84afa22c7b51afae66a2/src/compiler/js-typed-lowering.cc
[modify] https://crrev.com/c6856126b6f02d55677a84afa22c7b51afae66a2/src/compiler/js-typed-lowering.h
[modify] https://crrev.com/c6856126b6f02d55677a84afa22c7b51afae66a2/src/compiler/opcodes.h
[modify] https://crrev.com/c6856126b6f02d55677a84afa22c7b51afae66a2/src/compiler/operator-properties.cc
[modify] https://crrev.com/c6856126b6f02d55677a84afa22c7b51afae66a2/src/compiler/typer.cc
[modify] https://crrev.com/c6856126b6f02d55677a84afa22c7b51afae66a2/src/compiler/verifier.cc
[modify] https://crrev.com/c6856126b6f02d55677a84afa22c7b51afae66a2/src/objects.h
[add] https://crrev.com/c6856126b6f02d55677a84afa22c7b51afae66a2/test/mjsunit/compiler/instanceof.js
[add] https://crrev.com/c6856126b6f02d55677a84afa22c7b51afae66a2/test/mjsunit/regress/regress-crbug-667689.js
[modify] https://crrev.com/c6856126b6f02d55677a84afa22c7b51afae66a2/test/unittests/compiler/js-typed-lowering-unittest.cc

Project Member

Comment 6 by bugdroid1@chromium.org, Nov 23 2016

Labels: merge-merged-5.5

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/0a1697c458b7a908b874171d4dcaa7d18c52dd58

commit 0a1697c458b7a908b874171d4dcaa7d18c52dd58
Author: Benedikt Meurer <bmeurer@google.com>
Date: Wed Nov 23 13:30:11 2016

Merged: Squashed multiple commits.

Merged: [turbofan] Properly optimize instanceof (even in the presence of @@hasInstance).
Revision: 241c024c10a8c1b5d7309299ef61f887363b00a0

Merged: [turbofan] Fix broken effect chain for instanceof.
Revision: 84c9360b82127571548c9d93132819a4174a0ea1

BUG= chromium:667689 , v8:5640 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
TBR=jarin@chromium.org

Review URL: https://codereview.chromium.org/2522543008 .

Cr-Commit-Position: refs/branch-heads/5.5@{#58}
Cr-Branched-From: 3cbd5838bd8376103daa45d69dade929ee4e0092-refs/heads/5.5.372@{#1}
Cr-Branched-From: b3c8b0ce2c9af0528837d8309625118d4096553b-refs/heads/master@{#40015}

[modify] https://crrev.com/0a1697c458b7a908b874171d4dcaa7d18c52dd58/src/bootstrapper.cc
[modify] https://crrev.com/0a1697c458b7a908b874171d4dcaa7d18c52dd58/src/builtins/builtins-object.cc
[modify] https://crrev.com/0a1697c458b7a908b874171d4dcaa7d18c52dd58/src/builtins/builtins.h
[modify] https://crrev.com/0a1697c458b7a908b874171d4dcaa7d18c52dd58/src/code-factory.cc
[modify] https://crrev.com/0a1697c458b7a908b874171d4dcaa7d18c52dd58/src/code-factory.h
[modify] https://crrev.com/0a1697c458b7a908b874171d4dcaa7d18c52dd58/src/compiler/js-builtin-reducer.cc
[modify] https://crrev.com/0a1697c458b7a908b874171d4dcaa7d18c52dd58/src/compiler/js-builtin-reducer.h
[modify] https://crrev.com/0a1697c458b7a908b874171d4dcaa7d18c52dd58/src/compiler/js-generic-lowering.cc
[modify] https://crrev.com/0a1697c458b7a908b874171d4dcaa7d18c52dd58/src/compiler/js-native-context-specialization.cc
[modify] https://crrev.com/0a1697c458b7a908b874171d4dcaa7d18c52dd58/src/compiler/js-native-context-specialization.h
[modify] https://crrev.com/0a1697c458b7a908b874171d4dcaa7d18c52dd58/src/compiler/js-operator.cc
[modify] https://crrev.com/0a1697c458b7a908b874171d4dcaa7d18c52dd58/src/compiler/js-operator.h
[modify] https://crrev.com/0a1697c458b7a908b874171d4dcaa7d18c52dd58/src/compiler/js-typed-lowering.cc
[modify] https://crrev.com/0a1697c458b7a908b874171d4dcaa7d18c52dd58/src/compiler/js-typed-lowering.h
[modify] https://crrev.com/0a1697c458b7a908b874171d4dcaa7d18c52dd58/src/compiler/opcodes.h
[modify] https://crrev.com/0a1697c458b7a908b874171d4dcaa7d18c52dd58/src/compiler/operator-properties.cc
[modify] https://crrev.com/0a1697c458b7a908b874171d4dcaa7d18c52dd58/src/compiler/typer.cc
[modify] https://crrev.com/0a1697c458b7a908b874171d4dcaa7d18c52dd58/src/compiler/verifier.cc
[modify] https://crrev.com/0a1697c458b7a908b874171d4dcaa7d18c52dd58/src/objects.h
[add] https://crrev.com/0a1697c458b7a908b874171d4dcaa7d18c52dd58/test/mjsunit/compiler/instanceof.js
[add] https://crrev.com/0a1697c458b7a908b874171d4dcaa7d18c52dd58/test/mjsunit/regress/regress-crbug-667689.js
[modify] https://crrev.com/0a1697c458b7a908b874171d4dcaa7d18c52dd58/test/unittests/compiler/js-typed-lowering-unittest.cc

Comment 7 by machenb...@chromium.org, Dec 13 2016

Labels: v8-foozzie-failure

Comment 8 by ofrobots@google.com, Jan 10 2017

Labels: NodeJS-Backport-Rejected

No further action needed for Node.js as the issue is not present in 5.4 or older.

►

Issue 667689 link

Issue metadata

Difference between fullcode and ignition_turbo: instanceof and Symbol.hasInstance

Issue description

Comment 1 by hablich@chromium.org, Nov 22 2016

Comment 1 Deleted

Comment 2 by bmeu...@chromium.org, Nov 22 2016

Comment 2 Deleted

Comment 3 by bugdroid1@chromium.org, Nov 22 2016

Comment 3 Deleted

Comment 4 by bmeu...@chromium.org, Nov 22 2016

Comment 4 Deleted

Comment 5 by bugdroid1@chromium.org, Nov 23 2016

Comment 5 Deleted

Comment 6 by bugdroid1@chromium.org, Nov 23 2016

Comment 6 Deleted

Comment 7 by machenb...@chromium.org, Dec 13 2016

Comment 7 Deleted

Comment 8 by ofrobots@google.com, Jan 10 2017

Comment 8 Deleted

Sign in to add a comment