New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 835347 link

Starred by 8 users
Status: Fixed
Owner:
sigurds@chromium.org
Closed: Apr 2018
Cc:
bmeu...@chromium.org
manoranj...@chromium.org
hablich@chromium.org
susan.boorgula@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 1
Type: Bug-Regression



Sign in to add a comment

Array splice performance horrendously degraded in chrome 66

Reported by gmur...@gmail.com, Apr 20 2018 
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36

Steps to reproduce the problem:
1. go here: https://stackblitz.com/edit/angular-26whgr?file=app%2Fcategory-chart%2Fhigh-frequency%2Fcategory-chart-high-frequency-sample.component.ts
2. change the data slider to something like 500,000 points
3. hit change data.

What is the expected behavior?
measured fps should remain high.

What went wrong?
framerate drops due to a performance regression in Array.splice. Astronomical amounts of time seem to be spent in ArraySpliceFallback. This was not the case just a few days ago before a chrome update.

Did this work before? Yes Not sure... some 65 version?

Chrome version: 66.0.3359.117  Channel: stable
OS Version: 10.0
Flash Version: 

This absolutely destroys array performance for Chrome. There are all sorts of broken scenarios in our product as a result. Would appreciate swift rollback of the problem logic. All other browsers perform well in these scenarios.

Comment 1 by gmur...@gmail.com, Apr 20 2018 

I think the specific op that is slow is splicing the 0th index of a large array:

array.splice(0, 1);

Comment 2 by m3r...@gmail.com, Apr 21 2018 

We're also seeing this, and it's causing significant performance issues with our website (which heavily uses VueJS componenets).  It appears to us as well that it's an issue with array.splice() / ArraySpliceFallback.

Chrome 65 is fine, as are all other browsers aside from Chrome 66.

Comment 3 by woxxom@gmail.com, Apr 21 2018 

The bug apparently affects nonpure arrays (i.e. with non-numeric properties).

Bisected to bc2a8458f460a218db97466605930fafac6673c7 "Update V8 to version 6.6.34."
V8 log: https://chromium.googlesource.com/v8/v8/+log/0ac874e7..260f54b2?pretty=fuller

In V8 log suspecting 79e91f0c145f7f0a2d65416f90c8bf44c91a60c0 
"[builtins] Extend the @@species protector to guard Promises"
Landed in 66.0.3330.0

Comment 4 by susan.boorgula@chromium.org, Apr 22 2018

Labels: Needs-Bisect Needs-Triage-M66

Comment 5 by susan.boorgula@chromium.org, Apr 23 2018

Cc: manoranj...@chromium.org susan.boorgula@chromium.org
Labels: -Pri-2 -Needs-Bisect ReleaseBlock-Stable RegressedIn-66 FoundIn-67 M-66 Target-67 Target-66 FoundIn-66 FoundIn-68 Target-68 Triaged-ET hasbisect OS-Linux OS-Mac Pri-1
Owner: bmeu...@chromium.org
Status: Assigned (was: Unconfirmed)
Able to reproduce this issue on Windows 10, Mac OS 10.12.6 and Ubuntu 17.10 on the latest Canary 68.0.3403.0 and latest Stable 66.0.3359.117 as per the original comment.

Bisect Information:
===================
Good Build: 66.0.3329.0 (Revision - 531127)
Bad Build : 66.0.3330.0 (Revision - 531403)

As per comment #3, the CL which caused this issue is 
Reviewed-on: https://chromium-review.googlesource.com/880681

bmeurer@ Please check and confirm if this issue is related to your change, else help us in assigning to the right owner.
Adding ReleaseBlock-Stable as this is a recent regression. Please feel free to remove the same if it is not applicable.

Thanks.

Comment 6 by bmeu...@chromium.org, Apr 23 2018

Cc: bmeu...@chromium.org
Components: -Blink Blink>JavaScript
Owner: sigurds@chromium.org

Comment 7 by stevestevensonneds@gmail.com, Apr 23 2018 

Also seeing terrible performance with array size >= 63391. Especially with objects.

Firefox 59 Linux & Windows 10: <= 4 ms
Chrome  66.0.3359.117 Linux & Windows 10: > 25000 ms

See attachment
index.html
856 bytes View Download

Comment 8 by sigurds@chromium.org, Apr 23 2018 

We have identified the root cause of the original issue and are currently testing a fix.

The cause of this regression is that we have a common species protector for Array, TypedArray, and Promise; this protector gets invalidated if the corresponding constructor/prototype was modified. Several fast-paths, which require unmodified constructors of either Array, TypedArray or Promise, depend on this protector being valid.

This means that in M66, if someone modifies the Promise constructor, then also Array builtins (in this case Array.p.splice) fall off the fast-path.
Project Member

Comment 9 by bugdroid1@chromium.org, Apr 23 2018 

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/5728b3fbc5ba762db48951dda45f67b74e514ab9

commit 5728b3fbc5ba762db48951dda45f67b74e514ab9
Author: Sigurd Schneider <sigurds@chromium.org>
Date: Mon Apr 23 14:54:46 2018

[builtins] Separate species protectors for Array, TypedArray, Promise

Previously, there was one species protector for Array, TypedArray and
Promise. This CL splits the protector in three separate ones. This means
that invalidating one of them does not have negative performance
implications for the other ones.

Bug:  chromium:835347 , v8:7340
Change-Id: Id84aa0071f17096192965264eb60ddadd1e8e73f
Reviewed-on: https://chromium-review.googlesource.com/1023408
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52733}
[modify] https://crrev.com/5728b3fbc5ba762db48951dda45f67b74e514ab9/src/builtins/array.tq
[modify] https://crrev.com/5728b3fbc5ba762db48951dda45f67b74e514ab9/src/builtins/base.tq
[modify] https://crrev.com/5728b3fbc5ba762db48951dda45f67b74e514ab9/src/builtins/builtins-array-gen.cc
[modify] https://crrev.com/5728b3fbc5ba762db48951dda45f67b74e514ab9/src/builtins/builtins-array.cc
[modify] https://crrev.com/5728b3fbc5ba762db48951dda45f67b74e514ab9/src/builtins/builtins-promise-gen.cc
[modify] https://crrev.com/5728b3fbc5ba762db48951dda45f67b74e514ab9/src/builtins/builtins-typed-array-gen.cc
[modify] https://crrev.com/5728b3fbc5ba762db48951dda45f67b74e514ab9/src/code-stub-assembler.cc
[modify] https://crrev.com/5728b3fbc5ba762db48951dda45f67b74e514ab9/src/code-stub-assembler.h
[modify] https://crrev.com/5728b3fbc5ba762db48951dda45f67b74e514ab9/src/compiler/js-call-reducer.cc
[modify] https://crrev.com/5728b3fbc5ba762db48951dda45f67b74e514ab9/src/heap/heap.h
[modify] https://crrev.com/5728b3fbc5ba762db48951dda45f67b74e514ab9/src/heap/setup-heap-internal.cc
[modify] https://crrev.com/5728b3fbc5ba762db48951dda45f67b74e514ab9/src/isolate-inl.h
[modify] https://crrev.com/5728b3fbc5ba762db48951dda45f67b74e514ab9/src/isolate.cc
[modify] https://crrev.com/5728b3fbc5ba762db48951dda45f67b74e514ab9/src/isolate.h
[modify] https://crrev.com/5728b3fbc5ba762db48951dda45f67b74e514ab9/src/lookup.cc
[modify] https://crrev.com/5728b3fbc5ba762db48951dda45f67b74e514ab9/src/objects.cc
[modify] https://crrev.com/5728b3fbc5ba762db48951dda45f67b74e514ab9/src/runtime/runtime-array.cc
[modify] https://crrev.com/5728b3fbc5ba762db48951dda45f67b74e514ab9/src/runtime/runtime-test.cc
[modify] https://crrev.com/5728b3fbc5ba762db48951dda45f67b74e514ab9/src/runtime/runtime.h
[modify] https://crrev.com/5728b3fbc5ba762db48951dda45f67b74e514ab9/test/cctest/test-typedarrays.cc
[modify] https://crrev.com/5728b3fbc5ba762db48951dda45f67b74e514ab9/test/mjsunit/es6/array-species-constructor-accessor.js
[modify] https://crrev.com/5728b3fbc5ba762db48951dda45f67b74e514ab9/test/mjsunit/es6/array-species-constructor-delete.js
[modify] https://crrev.com/5728b3fbc5ba762db48951dda45f67b74e514ab9/test/mjsunit/es6/array-species-constructor.js
[modify] https://crrev.com/5728b3fbc5ba762db48951dda45f67b74e514ab9/test/mjsunit/es6/array-species-delete.js
[modify] https://crrev.com/5728b3fbc5ba762db48951dda45f67b74e514ab9/test/mjsunit/es6/array-species-modified.js
[modify] https://crrev.com/5728b3fbc5ba762db48951dda45f67b74e514ab9/test/mjsunit/es6/array-species-parent-constructor.js
[modify] https://crrev.com/5728b3fbc5ba762db48951dda45f67b74e514ab9/test/mjsunit/es6/array-species-proto.js
[modify] https://crrev.com/5728b3fbc5ba762db48951dda45f67b74e514ab9/test/mjsunit/harmony/regexp-named-captures.js
[modify] https://crrev.com/5728b3fbc5ba762db48951dda45f67b74e514ab9/test/mjsunit/keyed-store-generic.js
[modify] https://crrev.com/5728b3fbc5ba762db48951dda45f67b74e514ab9/tools/v8heapconst.py

Comment 10 by sigurds@chromium.org, Apr 23 2018 

@stevestevensonneds@gmail.com:

Your test-case does not trigger the original issue. The performance cliff you are running in to is due to a fast-path for left-trimming (arr.slice(0, 1)) in V8. If you change your example to use .slice(1, 1), performance will degrade for arrays shorter than 63391 as well.

The significance of 63391 is that at that array length, V8 allocates in large object space, where the left-trimming fast-path is currently not available.

Comment 11 by gmur...@gmail.com, Apr 23 2018 

BTW, note, shift() does not trigger the same degradation as splice(0, 1)
Project Member

Comment 12 by bugdroid1@chromium.org, Apr 23 2018 

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/75e282342cd85a67e26520069536282185cf71c8

commit 75e282342cd85a67e26520069536282185cf71c8
Author: Sigurd Schneider <sigurds@chromium.org>
Date: Mon Apr 23 15:48:07 2018

Revert "[builtins] Separate species protectors for Array, TypedArray, Promise"

This reverts commit 5728b3fbc5ba762db48951dda45f67b74e514ab9.

Reason for revert: Breaks noi18n build

Original change's description:
> [builtins] Separate species protectors for Array, TypedArray, Promise
> 
> Previously, there was one species protector for Array, TypedArray and
> Promise. This CL splits the protector in three separate ones. This means
> that invalidating one of them does not have negative performance
> implications for the other ones.
> 
> Bug:  chromium:835347 , v8:7340
> Change-Id: Id84aa0071f17096192965264eb60ddadd1e8e73f
> Reviewed-on: https://chromium-review.googlesource.com/1023408
> Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#52733}

TBR=sigurds@chromium.org,bmeurer@chromium.org

Change-Id: Ied8b436e7991c759eb3b98702c142aa127a7e63c
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug:  chromium:835347 , v8:7340
Reviewed-on: https://chromium-review.googlesource.com/1024151
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52736}
[modify] https://crrev.com/75e282342cd85a67e26520069536282185cf71c8/src/builtins/array.tq
[modify] https://crrev.com/75e282342cd85a67e26520069536282185cf71c8/src/builtins/base.tq
[modify] https://crrev.com/75e282342cd85a67e26520069536282185cf71c8/src/builtins/builtins-array-gen.cc
[modify] https://crrev.com/75e282342cd85a67e26520069536282185cf71c8/src/builtins/builtins-array.cc
[modify] https://crrev.com/75e282342cd85a67e26520069536282185cf71c8/src/builtins/builtins-promise-gen.cc
[modify] https://crrev.com/75e282342cd85a67e26520069536282185cf71c8/src/builtins/builtins-typed-array-gen.cc
[modify] https://crrev.com/75e282342cd85a67e26520069536282185cf71c8/src/code-stub-assembler.cc
[modify] https://crrev.com/75e282342cd85a67e26520069536282185cf71c8/src/code-stub-assembler.h
[modify] https://crrev.com/75e282342cd85a67e26520069536282185cf71c8/src/compiler/js-call-reducer.cc
[modify] https://crrev.com/75e282342cd85a67e26520069536282185cf71c8/src/heap/heap.h
[modify] https://crrev.com/75e282342cd85a67e26520069536282185cf71c8/src/heap/setup-heap-internal.cc
[modify] https://crrev.com/75e282342cd85a67e26520069536282185cf71c8/src/isolate-inl.h
[modify] https://crrev.com/75e282342cd85a67e26520069536282185cf71c8/src/isolate.cc
[modify] https://crrev.com/75e282342cd85a67e26520069536282185cf71c8/src/isolate.h
[modify] https://crrev.com/75e282342cd85a67e26520069536282185cf71c8/src/lookup.cc
[modify] https://crrev.com/75e282342cd85a67e26520069536282185cf71c8/src/objects.cc
[modify] https://crrev.com/75e282342cd85a67e26520069536282185cf71c8/src/runtime/runtime-array.cc
[modify] https://crrev.com/75e282342cd85a67e26520069536282185cf71c8/src/runtime/runtime-test.cc
[modify] https://crrev.com/75e282342cd85a67e26520069536282185cf71c8/src/runtime/runtime.h
[modify] https://crrev.com/75e282342cd85a67e26520069536282185cf71c8/test/cctest/test-typedarrays.cc
[modify] https://crrev.com/75e282342cd85a67e26520069536282185cf71c8/test/mjsunit/es6/array-species-constructor-accessor.js
[modify] https://crrev.com/75e282342cd85a67e26520069536282185cf71c8/test/mjsunit/es6/array-species-constructor-delete.js
[modify] https://crrev.com/75e282342cd85a67e26520069536282185cf71c8/test/mjsunit/es6/array-species-constructor.js
[modify] https://crrev.com/75e282342cd85a67e26520069536282185cf71c8/test/mjsunit/es6/array-species-delete.js
[modify] https://crrev.com/75e282342cd85a67e26520069536282185cf71c8/test/mjsunit/es6/array-species-modified.js
[modify] https://crrev.com/75e282342cd85a67e26520069536282185cf71c8/test/mjsunit/es6/array-species-parent-constructor.js
[modify] https://crrev.com/75e282342cd85a67e26520069536282185cf71c8/test/mjsunit/es6/array-species-proto.js
[modify] https://crrev.com/75e282342cd85a67e26520069536282185cf71c8/test/mjsunit/harmony/regexp-named-captures.js
[modify] https://crrev.com/75e282342cd85a67e26520069536282185cf71c8/test/mjsunit/keyed-store-generic.js
[modify] https://crrev.com/75e282342cd85a67e26520069536282185cf71c8/tools/v8heapconst.py
Project Member

Comment 13 by bugdroid1@chromium.org, Apr 23 2018 

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/30be4797117223a4d8d49dbfaafa63e1e919901c

commit 30be4797117223a4d8d49dbfaafa63e1e919901c
Author: Sigurd Schneider <sigurds@chromium.org>
Date: Mon Apr 23 17:52:50 2018

Reland "[builtins] Separate species protectors for Array, TypedArray, Promise"

This is a reland of 5728b3fbc5ba762db48951dda45f67b74e514ab9

Original change's description:
> [builtins] Separate species protectors for Array, TypedArray, Promise
> 
> Previously, there was one species protector for Array, TypedArray and
> Promise. This CL splits the protector in three separate ones. This means
> that invalidating one of them does not have negative performance
> implications for the other ones.
> 
> Bug:  chromium:835347 , v8:7340
> Change-Id: Id84aa0071f17096192965264eb60ddadd1e8e73f
> Reviewed-on: https://chromium-review.googlesource.com/1023408
> Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#52733}

Bug:  chromium:835347 , v8:7340
Change-Id: I0c0188a0723e206ddb362834bcf872b23cd7666d
Reviewed-on: https://chromium-review.googlesource.com/1023811
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52742}
[modify] https://crrev.com/30be4797117223a4d8d49dbfaafa63e1e919901c/src/builtins/array.tq
[modify] https://crrev.com/30be4797117223a4d8d49dbfaafa63e1e919901c/src/builtins/base.tq
[modify] https://crrev.com/30be4797117223a4d8d49dbfaafa63e1e919901c/src/builtins/builtins-array-gen.cc
[modify] https://crrev.com/30be4797117223a4d8d49dbfaafa63e1e919901c/src/builtins/builtins-array.cc
[modify] https://crrev.com/30be4797117223a4d8d49dbfaafa63e1e919901c/src/builtins/builtins-promise-gen.cc
[modify] https://crrev.com/30be4797117223a4d8d49dbfaafa63e1e919901c/src/builtins/builtins-typed-array-gen.cc
[modify] https://crrev.com/30be4797117223a4d8d49dbfaafa63e1e919901c/src/code-stub-assembler.cc
[modify] https://crrev.com/30be4797117223a4d8d49dbfaafa63e1e919901c/src/code-stub-assembler.h
[modify] https://crrev.com/30be4797117223a4d8d49dbfaafa63e1e919901c/src/compiler/js-call-reducer.cc
[modify] https://crrev.com/30be4797117223a4d8d49dbfaafa63e1e919901c/src/heap/heap.h
[modify] https://crrev.com/30be4797117223a4d8d49dbfaafa63e1e919901c/src/heap/setup-heap-internal.cc
[modify] https://crrev.com/30be4797117223a4d8d49dbfaafa63e1e919901c/src/isolate-inl.h
[modify] https://crrev.com/30be4797117223a4d8d49dbfaafa63e1e919901c/src/isolate.cc
[modify] https://crrev.com/30be4797117223a4d8d49dbfaafa63e1e919901c/src/isolate.h
[modify] https://crrev.com/30be4797117223a4d8d49dbfaafa63e1e919901c/src/lookup.cc
[modify] https://crrev.com/30be4797117223a4d8d49dbfaafa63e1e919901c/src/objects.cc
[modify] https://crrev.com/30be4797117223a4d8d49dbfaafa63e1e919901c/src/runtime/runtime-array.cc
[modify] https://crrev.com/30be4797117223a4d8d49dbfaafa63e1e919901c/src/runtime/runtime-test.cc
[modify] https://crrev.com/30be4797117223a4d8d49dbfaafa63e1e919901c/src/runtime/runtime.h
[modify] https://crrev.com/30be4797117223a4d8d49dbfaafa63e1e919901c/test/cctest/test-typedarrays.cc
[modify] https://crrev.com/30be4797117223a4d8d49dbfaafa63e1e919901c/test/mjsunit/es6/array-species-constructor-accessor.js
[modify] https://crrev.com/30be4797117223a4d8d49dbfaafa63e1e919901c/test/mjsunit/es6/array-species-constructor-delete.js
[modify] https://crrev.com/30be4797117223a4d8d49dbfaafa63e1e919901c/test/mjsunit/es6/array-species-constructor.js
[modify] https://crrev.com/30be4797117223a4d8d49dbfaafa63e1e919901c/test/mjsunit/es6/array-species-delete.js
[modify] https://crrev.com/30be4797117223a4d8d49dbfaafa63e1e919901c/test/mjsunit/es6/array-species-modified.js
[modify] https://crrev.com/30be4797117223a4d8d49dbfaafa63e1e919901c/test/mjsunit/es6/array-species-parent-constructor.js
[modify] https://crrev.com/30be4797117223a4d8d49dbfaafa63e1e919901c/test/mjsunit/es6/array-species-proto.js
[modify] https://crrev.com/30be4797117223a4d8d49dbfaafa63e1e919901c/test/mjsunit/harmony/regexp-named-captures.js
[modify] https://crrev.com/30be4797117223a4d8d49dbfaafa63e1e919901c/test/mjsunit/keyed-store-generic.js
[modify] https://crrev.com/30be4797117223a4d8d49dbfaafa63e1e919901c/tools/v8heapconst.py

Comment 14 by gov...@chromium.org, Apr 25 2018

Labels: M-67

Comment 15 by hablich@chromium.org, Apr 26 2018

Labels: Merge-Review-66
Regressing Array builtins is suboptimal. We should merge this back when we have more (preferably dev/beta) coverage even if the merge is more involved.

Comment 16 by sigurds@chromium.org, Apr 26 2018

Labels: Merge-Request-67
We also should merge this to M67. I can do the back-merge once approved (once we have some more canary coverage).
Project Member

Comment 17 by sheriffbot@chromium.org, Apr 26 2018

Labels: -Merge-Request-67 Merge-Review-67 Hotlist-Merge-Review
This bug requires manual review: Reverts referenced in bugdroid comments after merge request.
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 18 by hablich@chromium.org, Apr 26 2018

Labels: -Merge-Review-67 Merge-Approved-67
Please also set this bug to fixed.

Comment 19 by sigurds@chromium.org, Apr 26 2018

Status: Fixed (was: Assigned)

Comment 20 by gov...@chromium.org, Apr 26 2018 

Pls merge your change to M67 branch 3396 ASAP so we can pick it up for next M67 Dev/Beta release. Thank you.
Project Member

Comment 21 by bugdroid1@chromium.org, Apr 26 2018

Labels: merge-merged-6.7
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/2eb23a17cc9af7fb9c7a64d0c9c794772642d77d

commit 2eb23a17cc9af7fb9c7a64d0c9c794772642d77d
Author: Sigurd Schneider <sigurds@chromium.org>
Date: Thu Apr 26 17:01:03 2018

Version 6.7.288.19 (cherry-pick)

Merged a2126f027128df6144d83db09cd841799c6b73dd

Reland "[builtins] Separate species protectors for Array, TypedArray, Promise"

TBR=bmeurer@chromium.org, hablich@chromium.org

Bug:  chromium:835347 
Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng
Change-Id: Id2ff04fb9e923ae6532d8800c2d9c770cfd945a9
Reviewed-on: https://chromium-review.googlesource.com/1030553
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.7@{#36}
Cr-Branched-From: 8457e810efd34381448d51d93f50079cf1f6a812-refs/heads/6.7.288@{#2}
Cr-Branched-From: e921be5c4f2c6407936bde750992dedbf47c1016-refs/heads/master@{#52547}
[modify] https://crrev.com/2eb23a17cc9af7fb9c7a64d0c9c794772642d77d/include/v8-version.h
[modify] https://crrev.com/2eb23a17cc9af7fb9c7a64d0c9c794772642d77d/src/builtins/builtins-array-gen.cc
[modify] https://crrev.com/2eb23a17cc9af7fb9c7a64d0c9c794772642d77d/src/builtins/builtins-array.cc
[modify] https://crrev.com/2eb23a17cc9af7fb9c7a64d0c9c794772642d77d/src/builtins/builtins-promise-gen.cc
[modify] https://crrev.com/2eb23a17cc9af7fb9c7a64d0c9c794772642d77d/src/builtins/builtins-typedarray-gen.cc
[modify] https://crrev.com/2eb23a17cc9af7fb9c7a64d0c9c794772642d77d/src/code-stub-assembler.cc
[modify] https://crrev.com/2eb23a17cc9af7fb9c7a64d0c9c794772642d77d/src/code-stub-assembler.h
[modify] https://crrev.com/2eb23a17cc9af7fb9c7a64d0c9c794772642d77d/src/compiler/js-call-reducer.cc
[modify] https://crrev.com/2eb23a17cc9af7fb9c7a64d0c9c794772642d77d/src/heap/heap.h
[modify] https://crrev.com/2eb23a17cc9af7fb9c7a64d0c9c794772642d77d/src/heap/setup-heap-internal.cc
[modify] https://crrev.com/2eb23a17cc9af7fb9c7a64d0c9c794772642d77d/src/isolate-inl.h
[modify] https://crrev.com/2eb23a17cc9af7fb9c7a64d0c9c794772642d77d/src/isolate.cc
[modify] https://crrev.com/2eb23a17cc9af7fb9c7a64d0c9c794772642d77d/src/isolate.h
[modify] https://crrev.com/2eb23a17cc9af7fb9c7a64d0c9c794772642d77d/src/lookup.cc
[modify] https://crrev.com/2eb23a17cc9af7fb9c7a64d0c9c794772642d77d/src/objects.cc
[modify] https://crrev.com/2eb23a17cc9af7fb9c7a64d0c9c794772642d77d/src/runtime/runtime-array.cc
[modify] https://crrev.com/2eb23a17cc9af7fb9c7a64d0c9c794772642d77d/src/runtime/runtime-test.cc
[modify] https://crrev.com/2eb23a17cc9af7fb9c7a64d0c9c794772642d77d/src/runtime/runtime.h
[modify] https://crrev.com/2eb23a17cc9af7fb9c7a64d0c9c794772642d77d/test/cctest/test-typedarrays.cc
[modify] https://crrev.com/2eb23a17cc9af7fb9c7a64d0c9c794772642d77d/test/mjsunit/es6/array-species-constructor-accessor.js
[modify] https://crrev.com/2eb23a17cc9af7fb9c7a64d0c9c794772642d77d/test/mjsunit/es6/array-species-constructor-delete.js
[modify] https://crrev.com/2eb23a17cc9af7fb9c7a64d0c9c794772642d77d/test/mjsunit/es6/array-species-constructor.js
[modify] https://crrev.com/2eb23a17cc9af7fb9c7a64d0c9c794772642d77d/test/mjsunit/es6/array-species-delete.js
[modify] https://crrev.com/2eb23a17cc9af7fb9c7a64d0c9c794772642d77d/test/mjsunit/es6/array-species-modified.js
[modify] https://crrev.com/2eb23a17cc9af7fb9c7a64d0c9c794772642d77d/test/mjsunit/es6/array-species-parent-constructor.js
[modify] https://crrev.com/2eb23a17cc9af7fb9c7a64d0c9c794772642d77d/test/mjsunit/es6/array-species-proto.js
[modify] https://crrev.com/2eb23a17cc9af7fb9c7a64d0c9c794772642d77d/test/mjsunit/harmony/regexp-named-captures.js
[modify] https://crrev.com/2eb23a17cc9af7fb9c7a64d0c9c794772642d77d/test/mjsunit/keyed-store-generic.js
[modify] https://crrev.com/2eb23a17cc9af7fb9c7a64d0c9c794772642d77d/tools/v8heapconst.py

Comment 22 by gov...@chromium.org, Apr 26 2018

Labels: -Merge-Approved-67
This is already merged to M67 at #21. Hence, removing "Merge-Approved-67" label.

Comment 23 by sigurds@chromium.org, May 2 2018

Labels: Merge-Request-66
This should be merged to M66 once we are satisfied with M67 beta coverage.

Comment 24 by abdulsyed@chromium.org, May 2 2018 

Please note that there aren't any respins planned for M66.

Comment 25 by abdulsyed@chromium.org, May 7 2018

Cc: hablich@chromium.org
+ hablich - my preference is to wait until M67 for this fix (only 3 weeks away). Thoughts?

Comment 26 by hablich@chromium.org, May 8 2018

Labels: -Merge-Request-66 Merge-Rejected-66
Let's wait for 67. We would need a new patch for 66 and thus it would be untested.

Comment 27 by abdulsyed@chromium.org, May 8 2018

Labels: -Merge-Review-66

Sign in to add a comment