Comment #7 on issue 2779 by [email protected]: Frozenness ignored by
optimized ++/--
http://code.google.com/p/v8/issues/detail?id=2779
It also fails in strict mode, it's just a bit trickier to trigger given
that the ++ operator throws. In the following modified version I trigger
optimization using OSR in the third iteration (after the 2 cycles required
to gather type feedback in the IC for o.x). It returns 6 rather than the
expected 5:
(function() { "use strict";
  function f(o, i) {
    if (i == 3) {
      for (var j = 0; j < 100000; j++) {
      }
    }
    o.x++;
  }
  return (function() {
    var o = {x: 5};
    Object.freeze(o);
    for (var i = 0; i < 4; i++) { try { f(o, i); } catch (e) {} }
    return o.x;
  })();
})();
The bug is that the ++ operator ignores the type feedback from the
assignment (o.x=), and just takes the feedback from the read (o.x).
Fast-mode Object.freeze is designed so that store ICs for assignments to
frozen objects are never generated in the first place. Hence Crankshaft
shouldn't see any type feedback for stores on frozen objects, and doesn't
need to handle such feedback for frozen objects. However, given that we get
feedback to the store coming from recorded types in a load-IC, we do end up
invalidly generating a fast-mode store, without checking for frozenness.
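A regression check for the behaviour described in the comment above, added here as an example; it is not code from the issue or from V8's own test suite. It goes beyond the reported `o.x++` case to the other read-modify-write forms, in sloppy and strict mode. The names `OPS`, `makeWriter` and `checkFrozenWrites` are hypothetical, and the iteration count is an assumption about what is enough to reach optimized code.

```javascript
// Added example, not from the V8 tree. All names here are hypothetical.
// Every form that reads o.x and then stores to it, plus a plain store.
const OPS = ["o.x++", "o.x--", "++o.x", "--o.x", "o.x += 1", "o.x -= 1", "o.x = 6"];

// Function-constructor bodies are sloppy unless they opt in, so both modes
// can be generated regardless of the mode of the surrounding file.
function makeWriter(op, strict) {
  return new Function("o", (strict ? '"use strict"; ' : "") + op + ";");
}

// Calls each writer on a frozen object many times so that later calls run in
// optimized code (the count is an assumption, not a V8 guarantee).
// Returns one description per writer that broke an invariant:
//   - the frozen property must keep its value on every call
//   - strict code must throw TypeError on every call, sloppy code on none
function checkFrozenWrites(iterations = 20000) {
  const failures = [];
  for (const strict of [false, true]) {
    for (const op of OPS) {
      const write = makeWriter(op, strict);
      const o = Object.freeze({ x: 5 });
      let threw = 0;
      let bad = null;
      for (let i = 0; i < iterations && bad === null; i++) {
        try {
          write(o);
        } catch (e) {
          if (!(e instanceof TypeError)) throw e;
          threw++;
        }
        if (o.x !== 5) bad = `value became ${o.x} at call ${i}`;
      }
      const expected = strict ? iterations : 0;
      if (bad === null && threw !== expected) {
        bad = `${threw} TypeErrors, expected ${expected}`;
      }
      if (bad !== null) failures.push(`${strict ? "strict" : "sloppy"} ${op}: ${bad}`);
    }
  }
  return failures;
}

console.log(checkFrozenWrites());
```

An empty array means every writer respected frozenness for the whole run; a non-empty one names the operator, the mode and the first call at which the invariant broke.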