Scott, I've got a reduction---it's due to missing argument assignment which manipulates internals of arguments object. And that made me think and spot more troubles with the optimization I implemented (I'm cc'ing you on a change list which should fix it). Once again thanks a lot for spotting this. And happy NY.

On Fri, Dec 31, 2010 at 5:39 AM, Scott Graham <[email protected]> wrote:
> A bit more info, it looks like it could be related to this code in
> src/builtins.cc
>
>   bool is_arguments_object_with_fast_elements =
>       receiver->IsJSObject()
>       && JSObject::cast(receiver)->map() == arguments_map
>       && JSObject::cast(receiver)->HasFastElements();
>
> If I force the slow path by setting
> is_arguments_object_with_fast_elements to false, then I do not see the
> misbehaviour.
>
> It looks like that code was added at r6096, so that would be plausible.

Just FYI. Development of v8 is carried out on the bleeding_edge branch, and twice a week recent changes are brought to the trunk. Hence the r6096 you're referring to just brought recent work from the bleeding edge branch to the trunk. The actual commit to blame is http://code.google.com/p/v8/source/detail?r=6085

But yes, you're right, it's all about the optimization for arguments object slicing I'd added recently.

yours,
anton.

> On Thu, Dec 30, 2010 at 6:15 PM, Scott Graham <[email protected]> wrote:
>> Hi Anton,
>>
>> Sorry for not being more clear. It's not trivially reproducible, but I
>> haven't had a chance to narrow it down yet.
>>
>> I've attached a very large test case that does cause the failure (at
>> least on my machine). Run as "d8 --debugger slice-failure.js", and d8
>> was built via "scons mode=release console=readline d8". I've seen it
>> on darwin and linux x64.
>>
>> Perhaps you have some tools to reduce the code or you'll be able to
>> see what's wrong more easily than me. If you aren't able to figure out
>> what's wrong, I will try to work out a more minimal test case next
>> week.
>>
>> scott
>>
>>
>> On Thu, Dec 30, 2010 at 10:46 AM, Anton Muhin <[email protected]> wrote:
>>> Scott,
>>>
>>> could you give a proper case showing what goes wrong?
>>>
>>> I've tried:
>>>
>>> function f(a) {
>>>   return Array.prototype.slice.call(arguments, 2);
>>> }
>>>
>>> print(f().length);
>>> print(f('a').length);
>>> print(f('a', 'b').length);
>>> print(f('a', 'b', 'c').length);
>>>
>>> And results seem fine.
>>>
>>> yours,
>>> anton.
>>>
>>> On Thu, Dec 30, 2010 at 9:40 PM, Anton Muhin <[email protected]> wrote:
>>>> Scott,
>>>>
>>>> that's most probably my fault, I'll have a look and report back soon.
>>>> Thanks a lot for reporting it!
>>>>
>>>> yours,
>>>> anton.
>>>>
>>>> On Thu, Dec 30, 2010 at 9:28 PM, Scott Graham <[email protected]> wrote:
>>>>> Hi
>>>>>
>>>>> I'm seeing strange behaviour on an Array.prototype.slice.call starting
>>>>> at r6096. That change was quite large so I haven't tracked down the
>>>>> cause yet.
>>>>>
>>>>> The user code is doing
>>>>>
>>>>> Array.prototype.slice.call(arguments, 2)
>>>>>
>>>>> where the length of arguments is 1. At r6096, the returned array has a
>>>>> length of 17, with all values as null. Calling it as
>>>>>
>>>>> Array.prototype.slice.call(arguments, 2, arguments.length)
>>>>>
>>>>> works as expected (length 0), and it works properly <= r6095 either
>>>>> way.
>>>>>
>>>>> Unfortunately, the obvious test case does not exhibit the broken
>>>>> behaviour, so I guess there's some bad stuff happening.
>>>>>
>>>>> Any ideas on how to track down what's causing this? (I'm running via
>>>>> d8).
>>>>>
>>>>> --
>>>>> v8-users mailing list
>>>>> [email protected]
>>>>> http://groups.google.com/group/v8-users
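
A regression check for the failure discussed in this thread, as an added example that is not part of the original messages or of V8's own test suite: it compares the built-in slice on arguments objects against a generic reference that only reads length and indexed properties, across argument counts and after assignments that change the arguments object. All function names are hypothetical, and the mutation cases go beyond the single call shape reported above.

```javascript
// Added example; every name here is hypothetical, not V8 code.
const toInteger = (v) => Math.trunc(Number(v)) || 0;

// Generic slice: only reads .length and indexed properties, no fast path.
function referenceSlice(obj, start, end) {
  const len = obj.length >>> 0;
  const clamp = (r) => (r < 0 ? Math.max(len + r, 0) : Math.min(r, len));
  const from = clamp(toInteger(start));
  const to = end === undefined ? len : clamp(toInteger(end));
  const out = new Array(Math.max(to - from, 0));
  for (let k = from; k < to; k++) {
    if (k in obj) out[k - from] = obj[k]; // absent indices stay holes
  }
  return out;
}

const sameArray = (x, y) => x.length === y.length &&
  Array.from(x.keys()).every((i) => (i in x) === (i in y) && x[i] === y[i]);

// Ways user code can change an arguments object before it is sliced.
const mutators = {
  untouched: () => {},
  assignElement: (a) => { a[0] = 'x'; },
  assignPastEnd: (a) => { a[a.length + 3] = 'y'; },
  deleteElement: (a) => { delete a[0]; },
  growLength: (a) => { a.length += 4; },
  shrinkLength: (a) => { a.length = 0; },
};
const makeArguments = function () { return arguments; };

// Returns a description of every case where the built-in disagrees.
function checkSlice() {
  const failures = [];
  const ranges = [[2], [0], [-1], [1, 3], [2, 100], [2, undefined]];
  for (const [name, mutate] of Object.entries(mutators)) {
    for (let argc = 0; argc <= 4; argc++) {
      const args = makeArguments.apply(null, ['a', 'b', 'c', 'd'].slice(0, argc));
      mutate(args);
      for (const range of ranges) {
        const got = Array.prototype.slice.apply(args, range);
        const want = referenceSlice(args, range[0], range[1]);
        if (!sameArray(got, want)) failures.push(`${name} argc=${argc} slice(${range})`);
      }
    }
  }
  return failures;
}
// The call shape from the report: one argument, slice from index 2.
function reportedCase() { return Array.prototype.slice.call(arguments, 2); }
```

An empty array from checkSlice() means the built-in and the reference agree on every case; any entry names the mutation, argument count and range that diverged.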
