I haven't yet managed to figure out a smaller reproduction case, but running the code in production seems to reproduce the bug with ease. I can confirm that the bug does not occur if I run with `--no-maglev`. I looked at the various maglev flags available to see if I could further narrow it down. The first one I tried also seemed to stop it from occurring: `--no-maglev-inlining`. This is all with 12.2. I should be able to try with 12.4 soon.
On Monday, July 29, 2024 at 8:19:40 AM UTC-4 [email protected] wrote: > Sounds weird (and interesting)! > > You could try disabling optimization tiers, so we see whether the bug > occurs when we tier up to some of the optimization tiers. > > You can run d8 with: > --no-maglev --no-turbofan > or > --no-turbofan > and use "--js-flags=--no-maglev --no-turbofan" etc. when running with > Chrome. > > (And for completeness: --no-sparkplug --no-maglev --no-turbofan for > disabling the lowest-after-interpreter tier too, although it would be weird > if this bug was there.) > > You can also pass --trace-opt --trace-deopt-verbose to get a printout when > the tierup occurs, and see whether things start going wrong right after. > > > > On Fri, Jul 26, 2024 at 10:07 PM Daryl Haresign <[email protected]> > wrote: > >> I have evidence of what I would call an impossibility, but it's supported >> by explicit logs that came out of running code, so I'm going to believe the >> logs. This is from v8 12.2, so I'm interested to know whether a) anyone >> has seen anything like this, b) whether there have been any recent fixes in >> this space, c) if not whether anyone knows what might be up. >> >> Thanks, >> Daryl. >> >> Code (not the exact code, but functionally equivalent): >> function f(blob) { >> let logs = []; >> let bits = 0; >> >> function e() { >> bits -= 6; >> logs.push(`e(), bits = ${bits}`); >> } >> >> blob.bytes() // native function that returns an array of integers >> .forEach(function (byte) { >> logs.push(`bytes forEach #0, bits = ${bits}`); >> bits += 8; >> logs.push(`bytes forEach #1, bits = ${bits}`); >> e(); >> logs.push(`bytes forEach #2, bits = ${bits}`); >> if (6 <= bits) { >> logs.push(`bytes forEach #3, bits = ${bits}`); >> e(); >> logs.push(`bytes forEach #4, bits = ${bits}`); >> } >> }); >> >> console.log(logs); >> } >> >> and the logs look like: >> <many occurrences where everything is fine> >> bytes forEach #0, bits = 4 >> bytes forEach #1, bits = 12 >> e(), bits = 6 >> bytes forEach #2, bits = 6 >> bytes forEach #3, bits = 6 >> e(), bits = 0 >> bytes forEach #4, bits = 0 >> bytes forEach #0, bits = 0 >> bytes forEach #1, bits = 8 >> e(), bits = 2 >> bytes forEach #2, bits = 8 // <- STALE READ!! >> bytes forEach #3, bits = 8 // <- STALE READ!! >> e(), bits = -4 // <- CORRECT READ >> bytes forEach #4, bits = -4 // <- CORRECT READ >> bytes forEach #0, bits = -4 // <- CORRECT READ >> bytes forEach #1, bits = 4 // <- CORRECT READ >> e(), bits = -2 // <- CORRECT READ >> bytes forEach #2, bits = 4 // <- STALE READ!! >> bytes forEach #0, bits = -2 // <- CORRECT READ >> bytes forEach #1, bits = 6 // <- CORRECT READ >> e(), bits = 0 // <- CORRECT READ >> bytes forEach #2, bits = 6 // <- STALE READ!! >> bytes forEach #3, bits = 6 // <- STALE READ!! >> e(), bits = -6 // <- CORRECT READ >> bytes forEach #4, bits = -6 // <- CORRECT READ >> <from this point, logs #2 and #3 are stale every iteration> >> >> -- >> > -- >> v8-dev mailing list >> [email protected] >> http://groups.google.com/group/v8-dev >> --- >> You received this message because you are subscribed to the Google Groups >> "v8-dev" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/v8-dev/681a3f93-83be-48c9-ae07-55db28509b9fn%40googlegroups.com >> >> <https://groups.google.com/d/msgid/v8-dev/681a3f93-83be-48c9-ae07-55db28509b9fn%40googlegroups.com?utm_medium=email&utm_source=footer> >> . >> > > > -- > > > Google Germany GmbH > > Erika-Mann-Straße 33 > > 80636 München > > Geschäftsführer: Paul Manicle, Liana Sebastian. > > Registergericht und -nummer: Hamburg, HRB 86891 > > Sitz der Gesellschaft: Hamburg > > Diese E-Mail ist vertraulich. Falls sie diese fälschlicherweise erhalten > haben sollten, leiten Sie diese bitte nicht an jemand anderes weiter, > löschen Sie alle Kopien und Anhänge davon und lassen Sie mich bitte wissen, > dass die E-Mail an die falsche Person gesendet wurde. > > > > This e-mail is confidential. If you received this communication by > mistake, please don't forward it to anyone else, please erase all copies > and attachments, and please let me know that it has gone to the wrong > person. > -- -- v8-dev mailing list [email protected] http://groups.google.com/group/v8-dev --- You received this message because you are subscribed to the Google Groups "v8-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/v8-dev/1d3f0828-2256-43b9-99fc-7f45a8d51ba6n%40googlegroups.com.
