Regression: JavaScript/V8 - Array Buffer readouts give unpredictable results
Reported by
d...@acmer.me,
Sep 7 2017
|
|||||||||
Issue descriptionUserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36 Steps to reproduce the problem: 1. Open https://www.blend4web.com/tmp/blend4web_ce/apps_dev/tutorials/web_page_integration/example.html 2. Press "Click here" button 3. Balloon jerks What is the expected behavior? Balloon moves smoothly. What went wrong? After some search we found 1) Wrong behavior is reproduced on +59.0.3071. Everything is ok on 58.0.3029. 2) We can't reproduce the bug in little example. 3) If we comment 586-587 lines of https://www.blend4web.com/tmp/blend4web_ce/src/data.js and restart demo, balloon moves smoothly. Did this work before? N/A Chrome version: 61.0.3163.79 Channel: stable OS Version: Ubuntu 16.04 Flash Version:
,
Sep 7 2017
,
Sep 7 2017
Since this been there since M59 not tagging any blocker labels tagging with M63.
,
Sep 8 2017
Untriaging it so that it gets addressed.
,
Sep 15 2017
Thanks, compiler & ignition folks, please investigate and retriage.
,
Sep 15 2017
,
Sep 17
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue. Sorry for the inconvenience if the bug really should have been left as Available. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Sep 18
Looks like this works now without jank?
,
Sep 18
It's still broken in 69 and Canary. The bisect still points to the same CL. Expected: the balloon slowly moves at its initial position. Observed: the balloon position is reset every second to the bottom of the viewport.
,
Sep 18
What is the purpose of
for (var k = 0; k < 10000000; k++)
var blahblahblah = 100 * 312;
It does not seem to do anything except looping?
,
Sep 18
Hm, tight loop like that could mean an OSR issue. I don't have time to take this on at the moment, but that would be my first guess.
,
Sep 18
I've tried commenting out or deleting these two lines and I still see the bug. Used a locally edited version served via Requestly extension instead of https://www.blend4web.com/tmp/blend4web_ce/src/data.js This reminds me of those bug reports where seemingly irrelevant changes to the code produce/hide some bug. Might be helpful to do a bisect prior to I+TF was shipped but I don't know how to force-enable it in older builds.
,
Sep 18
Try running older builds with "--ignition --turbo". It would also be helpful to figure out which function(s?) have incorrect data, by e.g. printing inputs and/or return values with console.log and diffing them. I realise that's somewhat of a tough request though. How do other browsers behave?
,
Sep 18
re 13 part a: Bisect info: 410370 (good) - 410383 (bad) https://chromium.googlesource.com/chromium/src/+log/9d009539..ba4eb17e?pretty=fuller Suspecting r410383 "Update V8 to version 5.4.373" Landed in 54.0.2824.0 V8 log: https://chromium.googlesource.com/v8/v8/+log/d4fa8ea7..d67f12f7 There are only two TF commits but it might be helpful if someone does a per-revision bisect of V8. Notes: * Used the original page code. * Command line: --js-flags="--ignition --turbo" * In these old builds the balloon appears after a ~15sec pause. re 13 part b: that's probably up to the reporter.
,
Sep 18
Stab in the dark would be https://codereview.chromium.org/2220973002 and some sort of weird incorrect NaN behaviour. Does the issue repro with "--no-opt"? Might have to use "--no-crankshaft" for older builds.
,
Sep 18
Cool, looks like a TurboFan issue then, assigning to jarin@ for further investigation. +ahaas: your CL came up in a bisect of this issue.
,
Sep 20
The NextAction date has arrived: 2018-09-20 |
|||||||||
►
Sign in to add a comment |
|||||||||
Comment 1 by woxxom@gmail.com
, Sep 7 2017