A bit more info, it looks like it could be related to this code in
src/builtins.cc:

  bool is_arguments_object_with_fast_elements =
      receiver->IsJSObject()
      && JSObject::cast(receiver)->map() == arguments_map
      && JSObject::cast(receiver)->HasFastElements();

If I force the slow path by setting
is_arguments_object_with_fast_elements to false, then I do not see the
misbehaviour.

It looks like that code was added at r6096, so that would be plausible.

I guess perhaps it's something I'm doing to an arguments that then
gets passed on, but I haven't found exactly what yet.

scott

On Thu, Dec 30, 2010 at 6:15 PM, Scott Graham <[email protected]> wrote:
> Hi Anton,
>
> Sorry for not being more clear. It's not trivially reproducible, but I
> haven't had a chance to narrow it down yet.
>
> I've attached a very large test case that does cause the failure (at
> least on my machine). Run as "d8 --debugger slice-failure.js", and d8
> was built via "scons mode=release console=readline d8". I've seen it
> on darwin and linux x64.
>
> Perhaps you have some tools to reduce the code or you'll be able to
> see what's wrong more easily than me. If you aren't able to figure out
> what's wrong, I will try to work out a more minimal test case next
> week.
>
> scott
>
>
> On Thu, Dec 30, 2010 at 10:46 AM, Anton Muhin <[email protected]> wrote:
>> Scott,
>>
>> could you give a proper case showing what goes wrong?
>>
>> I've tried:
>>
>>   function f(a) {
>>     return Array.prototype.slice.call(arguments, 2);
>>   }
>>
>>   print(f().length);
>>   print(f('a').length);
>>   print(f('a', 'b').length);
>>   print(f('a', 'b', 'c').length);
>>
>> And results seem fine.
>>
>> yours,
>> anton.
>>
>> On Thu, Dec 30, 2010 at 9:40 PM, Anton Muhin <[email protected]> wrote:
>>> Scott,
>>>
>>> that's most probably my fault, I'll have a look and report back soon.
>>> Thanks a lot for reporting it!
>>>
>>> yours,
>>> anton.
>>>
>>> On Thu, Dec 30, 2010 at 9:28 PM, Scott Graham <[email protected]> wrote:
>>>> Hi
>>>>
>>>> I'm seeing strange behaviour on an Array.prototype.slice.call starting
>>>> at r6096. That change was quite large so I haven't tracked down the
>>>> cause yet.
>>>>
>>>> The user code is doing
>>>>
>>>> Array.prototype.slice.call(arguments, 2)
>>>>
>>>> where the length of arguments is 1. At r6096, the returned array has a
>>>> length of 17, with all values as null. Calling it as
>>>>
>>>> Array.prototype.slice.call(arguments, 2, arguments.length)
>>>>
>>>> works as expected (length 0), and it works properly <= r6095 either
>>>> way.
>>>>
>>>> Unfortunately, the obvious test case does not exhibit the broken
>>>> behaviour, so I guess there's some bad stuff happening.
>>>>
>>>> Any ideas on how to track down what's causing this? (I'm running via
>>>> d8).
>>>>
>>>> --
>>>> v8-users mailing list
>>>> [email protected]
>>>> http://groups.google.com/group/v8-users
>>>>
>>>
>>
>
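
Added example, not part of the original thread and not V8 code: a differential check that compares the builtin Array.prototype.slice on arguments objects against a generic reference slice. It goes beyond the single start-past-length case in the report by also varying how the arguments object was touched first. The helper names and the constructed scenarios in `makers` are assumptions made for illustration.

```javascript
// Added example: differential test for Array.prototype.slice on arguments objects.
// referenceSlice, makers and findMismatches are illustrative names, not V8 code.
function toInteger(v) {
  var n = Number(v);
  if (n !== n) return 0;                       // NaN -> 0
  return n < 0 ? Math.ceil(n) : Math.floor(n);
}

// Generic slice using only property access, so no engine fast path is involved.
function referenceSlice(obj, start, end) {
  var len = obj.length >>> 0;
  var rel = toInteger(start);
  var k = rel < 0 ? Math.max(len + rel, 0) : Math.min(rel, len);  // clamp start to [0, len]
  var relEnd = end === undefined ? len : toInteger(end);
  var fin = relEnd < 0 ? Math.max(len + relEnd, 0) : Math.min(relEnd, len);
  var out = [], n = 0;
  for (; k < fin; k++, n++) if (k in obj) out[n] = obj[k];        // holes stay holes
  out.length = n;
  return out;
}

function sameArray(a, b) {
  if (a.length !== b.length) return false;
  for (var i = 0; i < a.length; i++) {
    if ((i in a) !== (i in b) || a[i] !== b[i]) return false;
  }
  return true;
}

// Constructed scenarios: ways user code might touch `arguments` before slicing it.
var makers = {
  untouched: function () { return arguments; },
  elementDeleted: function () { delete arguments[0]; return arguments; },
  lengthRaised: function () { arguments.length = 5; return arguments; },
  indexAdded: function () { arguments[3] = 'x'; return arguments; },
  forwarded: function () { return makers.untouched.apply(null, arguments); }
};

// Returns one description per (scenario, start) pair where the builtin diverges.
function findMismatches(callArgs) {
  var failures = [];
  Object.keys(makers).forEach(function (name) {
    [0, 1, 2, 5, -1, -3].forEach(function (start) {
      var args = makers[name].apply(null, callArgs);
      var got = Array.prototype.slice.call(args, start);  // end omitted, as in the report
      if (!sameArray(got, referenceSlice(args, start))) {
        failures.push(name + ' start=' + start + ' length=' + got.length);
      }
    });
  });
  return failures;
}

console.log(findMismatches(['a']));
```

A non-empty result names the scenario and start index where the builtin and the reference disagree. In a d8 build without console, use print as in the test case quoted in the thread.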