mutation during spread operator (32bit: wrong, 64bit: ok)
Reported by
thec...@gmail.com,
Nov 2
|
|||||||||
Issue description
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Steps to reproduce the problem:
// Example
function test() {
for (const area of [{x: 1.1}, {x: 2}]) {
const x0 = area.x
const zArea = {
...area,
x: x0 + 1,
}
if (x0 !== area.x) {
console.log('FAIL: %o => %o', x0, area.x)
}
}
}
test()
What is the expected behavior?
Should not log a FAIL
What went wrong?
Does log a FAIL
Did this work before? N/A
Chrome version: 70.0.3538.77 Channel: stable
OS Version: 10.0
Flash Version:
Does also work if there are only integer x's.
64bit is ok.
32bit build (https://portableapps.com/apps/internet/google_chrome_portable) fails.
,
Nov 2
Ok, although the example works in 64bit mode, my original code (uses the same pattern) does not. I can prevent the mutation with a pretty costly cloneDeep, so I think it's also buggy in 64bit.
,
Nov 4
,
Nov 5
Tried testing the issue on reported chrome version #70.0.3538.77 using Windows10(64-bit) and Windows7(64-bit), observed no failure in the console after pasting the code snippet in comment#0. The issue seems to be specific to 32-bit Windows OS. Hence requesting someone from Inhouse team to look into the issue, tentatively adding TE-NeedsTriageFromHYD label. Thanks.!
,
Nov 5
TE, it's not specific to 32-bit OS. It's specific to 32-bit Chrome. You should be able to specify the architecture in your bisect script parameters e.g. -a win
,
Nov 5
,
Nov 5
,
Nov 5
,
Nov 5
,
Nov 5
Should this bug be moved over to v8 issue tracker?
,
Nov 5
I'm looking at this now
,
Nov 5
comment #10: Just tagged this issue with the right component. comment #11: thanks!
,
Nov 5
I'm testing this on ToT --- I see the same failures, however it doesn't seem to be related to the CloneObjectIC stub (the source object and result objects both have the expected field values at the end of the handler). I'll continue to dig into this, though
,
Nov 7
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/bf84766a2cd3e09070adcd6228a3a487c8dc4bbd commit bf84766a2cd3e09070adcd6228a3a487c8dc4bbd Author: Caitlin Potter <caitp@igalia.com> Date: Wed Nov 07 03:15:45 2018 [CloneObjectIC] clone MutableHeapNumbers instead of referencing them Adds a helper macro "CloneIfMutablePrimitive", which tests if the operand is a MutableHeapNumber, and if so, clones it, otherwise returning the original value. Also modifies the signature of "CopyPropertyArrayValues" to take a "DestroySource" enum, indicating whether or not the resulting object is supplanting the source object or not, and removes all default parameters from that macro (which were not used anyways). This corrects the issue reported in chromium:901301, where StaNamedOwnProperty was replacing the value of a MutableHeapNumber referenced by both the cloned object and the source object. BUG=chromium:901301, v8:7611 R=cbruni@chromium.org, jkummerow@chromium.org Change-Id: I43df1ddc84dfa4840e680b6affeba452ce0b6629 Reviewed-on: https://chromium-review.googlesource.com/c/1318096 Commit-Queue: Caitlin Potter <caitp@igalia.com> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Camillo Bruni <cbruni@chromium.org> Cr-Commit-Position: refs/heads/master@{#57304} [modify] https://crrev.com/bf84766a2cd3e09070adcd6228a3a487c8dc4bbd/src/code-stub-assembler.cc [modify] https://crrev.com/bf84766a2cd3e09070adcd6228a3a487c8dc4bbd/src/code-stub-assembler.h [modify] https://crrev.com/bf84766a2cd3e09070adcd6228a3a487c8dc4bbd/src/ic/accessor-assembler.cc [modify] https://crrev.com/bf84766a2cd3e09070adcd6228a3a487c8dc4bbd/test/mjsunit/es9/object-spread-ic.js
,
Nov 8
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/3e010af274088493f3485d7a16dec4e31550e876 commit 3e010af274088493f3485d7a16dec4e31550e876 Author: Caitlin Potter <caitp@igalia.com> Date: Thu Nov 08 19:14:11 2018 [CloneObjectIC] clone MutableHeapNumbers only if !FLAG_unbox_double_fields Change the macros added in bf84766a2cd3e09070adcd6228a3a487c8dc4bbd to only do the hard work if FLAG_unbox_double_fields is unset (otherwise, they will attempt to dereference raw float64s, which is bad!) Also adds a write barrier in CopyPropertyArrayValues for each store if it's possible that a MutableHeapNumber is cloned. BUG=chromium:901301, chromium:902965 , chromium:903070, v8:7611 R=cbruni@chromium.org, jkummerow@chromium.org, ishell@chromium.org Change-Id: I224d3c4e7b0a887684bff68985b4d97021ba4cfb Reviewed-on: https://chromium-review.googlesource.com/c/1323911 Commit-Queue: Caitlin Potter <caitp@igalia.com> Reviewed-by: Camillo Bruni <cbruni@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#57368} [modify] https://crrev.com/3e010af274088493f3485d7a16dec4e31550e876/src/builtins/builtins-constructor-gen.cc [modify] https://crrev.com/3e010af274088493f3485d7a16dec4e31550e876/src/code-stub-assembler.cc [modify] https://crrev.com/3e010af274088493f3485d7a16dec4e31550e876/src/ic/accessor-assembler.cc [add] https://crrev.com/3e010af274088493f3485d7a16dec4e31550e876/test/mjsunit/es9/regress/regress-902965.js [add] https://crrev.com/3e010af274088493f3485d7a16dec4e31550e876/test/mjsunit/es9/regress/regress-903070.js
,
Nov 9
,
Nov 21
Issue 907030 has been merged into this issue. |
|||||||||
►
Sign in to add a comment |
|||||||||
Comment 1 by woxxom@gmail.com
, Nov 2