Difference between x64 and ia32: arguments and undefined
Issue description
# Minimized program:
function f_0(y) { return y.u; }
function f_1() { return f_0.apply(0, arguments); }
function f_2(x) { return f_1({ u : x }); }
f_2(42);
f_2(-1073741825);
%OptimizeFunctionOnNextCall(f_2);
print(f_2());
# Compared default with ia32
# Flags of default:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 940966644
# Flags of ia32:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 940966644
Difference:
- undefined
+ 0
### Start of configuration default:
undefined
### End of configuration default
### Start of configuration ia32:
0
### End of configuration ia32
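The reproducer above recast as an assertion-friendly regression check. This is an added example, not the reporter's script and not V8's own regress-669024.js; the `requestOptimization` helper and the Smi-range remark are my additions.

```javascript
// Same three functions as the minimized program in the report.
function f_0(y) { return y.u; }
function f_1() { return f_0.apply(0, arguments); }
function f_2(x) { return f_1({ u : x }); }

// The report uses %OptimizeFunctionOnNextCall, which only parses when the
// engine runs with --allow-natives-syntax (d8, or node with that flag).
// Elsewhere it is a SyntaxError, which we swallow so the check still runs
// against unoptimized code. Assumption: behaviour outside V8 is untested.
function requestOptimization(fn) {
  try {
    new Function('fn', '%OptimizeFunctionOnNextCall(fn)')(fn);
    return true;
  } catch (e) {
    return false;
  }
}

function runRegression() {
  // Warm-up values taken from the report. -1073741825 lies just outside the
  // 31-bit Smi range [-2^30, 2^30-1] that ia32 used, so the u field changes
  // representation; that this is why only ia32 misbehaved is my reading,
  // not something the report states.
  const warmup = [f_2(42), f_2(-1073741825)];
  const optimized = requestOptimization(f_2);
  // No argument: u holds undefined and f_2 must return undefined.
  // The bug made the optimized ia32 build return 0 here.
  const result = f_2();
  return { warmup, optimized, result };
}
```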
Nov 30 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/e19f43df619ae9f7c8100f4b617ac458fb947fd0
commit e19f43df619ae9f7c8100f4b617ac458fb947fd0
Author: jarin <jarin@chromium.org>
Date: Wed Nov 30 15:06:48 2016
[crankshaft] Disable escape analysis of nested objects.
BUG= chromium:669024
Review-Url: https://codereview.chromium.org/2531163006
Cr-Commit-Position: refs/heads/master@{#41389}
[modify] https://crrev.com/e19f43df619ae9f7c8100f4b617ac458fb947fd0/src/flag-definitions.h
[add] https://crrev.com/e19f43df619ae9f7c8100f4b617ac458fb947fd0/test/mjsunit/regress/regress-669024.js
Dec 13 2016
Feb 24 2017
I assume this is fixed or wontfix?
Feb 27 2017
Yes, somewhere in between "Fixed" and "WontFix". The issue should no longer happen because the iteration count of escape analysis in Crankshaft was limited to a single iteration. We won't improve on Crankshaft to allow bumping the iteration count. One could still trigger this by specifying --escape-analysis-iterations manually (which your fuzzer won't do, also the flag is not in our test corpus).
Comment 1 by jarin@chromium.org, Nov 29 2016
Status: Assigned (was: Untriaged)