New issue
Advanced search Search tips

Issue 867630 link

Starred by 3 users
Status: Assigned
Owner:
verwa...@chromium.org
Cc:
bmeu...@chromium.org
neis@chromium.org
ishell@chromium.org
verwa...@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 2
Type: Bug-Regression



Sign in to add a comment

Typed Array [[Set]] not correctly handled on proto chain

Reported by evilp...@googlemail.com, Jul 25 
UserAgent: Mozilla/5.0 (X11; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0

Steps to reproduce the problem:
function f() {
    var x = [1,2,3,4];
    x[4] = 0;
    console.log("FOO: " + x);
}
Object.setPrototypeOf(Array.prototype, new Int8Array(4));
f();
f();

What is the expected behavior?
Prints "FOO: 1,2,3,4" twice

What went wrong?
V8 prints first "FOO: 1,2,3,4" and then "FOO: 1,2,3,4,0" !

Did this work before? N/A 

Chrome version: <Copy from: 'about:version'>  Channel: n/a
OS Version: 
Flash Version: 

Issue found by André Bargull while investigating https://bugzilla.mozilla.org/show_bug.cgi?id=1473523

Comment 1 by woxxom@gmail.com, Jul 25 

Bisected to r531679 "Update V8 to version 6.6.61."
Landed in 66.0.3331.0

In V8 log tentatively suspecting 181ac2b0dcb18bc22fd119b5e228ed86b8337dc6
"[ic] Improve performance of KeyedStoreIC on literal-based arrays."

Comment 2 by vamshi.kommuri@chromium.org, Jul 26

Labels: Needs-Milestone

Comment 3 by tkent@chromium.org, Jul 30

Components: -Blink Blink>JavaScript

Comment 4 by krajshree@chromium.org, Aug 1

Labels: -Type-Bug -Pri-2 Triaged-ET Target-69 Target-70 M-70 FoundIn-70 FoundIn-69 RegressedIn-66 FoundIn-68 Target-68 OS-Mac OS-Windows Pri-1 Type-Bug-Regression
Owner: neis@chromium.org
Status: Assigned (was: Unconfirmed)
Able to reproduce the issue on Windows 10, mac 10.13.3 and Ubuntu 17.10 using chrome latest stable #68.0.3440.75 and latest canary #70.0.3508.0.

Bisect Information:
=====================
Good build: 66.0.3330.0
Bad Build : 66.0.3331.0

As per comment #1, suspecting below change
Change-Id: I6a15e8c1ff8d4ad4d5b8fc447745dce5d146c67c
Reviewed-on: https://chromium-review.googlesource.com/876014

neis@ - Could you please check whether this is caused with respect to your change, if not please help us in assigning it to the right owner.

Thanks...!!

Comment 5 by neis@chromium.org, Aug 1

Cc: bmeu...@chromium.org ishell@chromium.org
Labels: -Pri-1 Pri-2
Thanks for the report. The bug exists already before my change, as
demonstrated by a variant of the example where "[1,2,3,4]" is replaced
by "[1,2,3,4].slice()". I suspect it has been around for a long time.

Comment 6 by woxxom@gmail.com, Aug 1 

re #c5: since at least Chrome 30, indeed.
It changed in r334361 (M-45): https://chromium.googlesource.com/v8/v8/+log/c292930e..5105add5?pretty=fuller
Before that the modified script produced 1,2,3,4,0 two times, after that the output is same as in modern builds.
In r334361 changelog 89b9a2cfb317e52186f682c91502b22932d52db3 might be related.

Here's the modified script with __proto__ assignment for the ancient Chromium builds.

    function f() {
        var x = [1,2,3,4].slice();
        x[4] = 0;
        console.log(String(x));
    }
    Array.prototype.__proto__ = new Int8Array(4);
    f();
    f();

Comment 7 by neis@chromium.org, Aug 2

Cc: neis@chromium.org
Components: -Blink>JavaScript Blink>JavaScript>Runtime
Owner: verwa...@chromium.org
Assigning to the IC experts.

Sign in to add a comment