Issue metadata
Sign in to add a comment
|
CHECK failure: TypeError: node #28:JSToNumber type Numeric is not Number in verifier.cc |
||||||||||||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5085453708165120 Fuzzer: ochang_js_fuzzer Job Type: linux_asan_d8_dbg Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: TypeError: node #28:JSToNumber type Numeric is not Number in verifier.cc v8::internal::compiler::Verifier::Visitor::CheckTypeIs v8::internal::compiler::Verifier::Visitor::Check Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=55555:55556 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5085453708165120 Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Sep 2
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/e034c1ad9c44b146cd9b4fed54a900b2e4845976 ([turbofan] ToNumeric(x) does ToNumber(x) for all non-BigInt primitives.). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
,
Sep 2
,
Sep 2
,
Sep 3
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 3
,
Sep 3
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 3
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 3
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 3
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 3
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 3
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 3
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 3
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 3
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 3
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 3
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 3
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 3
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 3
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 3
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 3
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 3
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 3
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 3
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 3
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 3
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 3
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 3
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 3
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 3
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 3
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 3
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 3
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 3
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 3
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 4
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 4
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 4
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 4
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 4
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 4
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 4
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 4
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 4
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 4
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 4
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 4
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 4
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 4
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 4
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 4
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 4
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 4
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 4
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 4
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 4
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 4
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 4
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 4
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 4
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 4
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 4
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 4
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 4
ClusterFuzz has detected this issue as fixed in range 55594:55595. Detailed report: https://clusterfuzz.com/testcase?key=5085453708165120 Fuzzer: ochang_js_fuzzer Job Type: linux_asan_d8_dbg Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: TypeError: node #28:JSToNumber type Numeric is not Number in verifier.cc v8::internal::compiler::Verifier::Visitor::CheckTypeIs v8::internal::compiler::Verifier::Visitor::Check Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=55555:55556 Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=55594:55595 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5085453708165120 See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Sep 4
ClusterFuzz testcase 5085453708165120 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Sep 4
,
Sep 4
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 4
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Sep 4
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b89811227717381e7d50d03cf19fca00f39cc3aa commit b89811227717381e7d50d03cf19fca00f39cc3aa Author: Benedikt Meurer <bmeurer@chromium.org> Date: Mon Sep 03 19:14:09 2018 [turbofan] Improve typing of ToNumeric and ToNumber. The previous typing rules for ToNumeric and ToNumber didn't match on the NonBigIntPrimitive input set, which causes trouble when we morph ToNumeric nodes into ToNumber nodes, and generally lead to worse typings in the graph, and thus worse code generation. This change improves the existing typing rules and turns ToNumber into a chokepoint again. Bug: chromium:879898 , v8:8015 Change-Id: I4a7ff0e9c420c5dcfdb2b96884e019a5943828a4 Reviewed-on: https://chromium-review.googlesource.com/1201522 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55595} [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.cc [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/operation-typer.h [modify] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/src/compiler/types.h [add] https://crrev.com/b89811227717381e7d50d03cf19fca00f39cc3aa/test/mjsunit/regress/regress-crbug-879898.js
,
Dec 11
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by ClusterFuzz
, Sep 2Labels: Test-Predator-Auto-Components