Yes, but I could not provide a reproduction case. :( At least not without approvals from managers, I guess.
Do you happen to know when the next stable patch release is planned (that includes the change)?
I had to instruct the test teams to use --js-flags="--no-crankshaft" for now, which is not ideal...

☆*PhistucK*

On Mon, Sep 26, 2016 at 9:42 AM, Jochen Eisinger <joc...@chromium.org> wrote:

> Thanks for tracking this down. In general, if you're willing / able to
> provide a repro case, we're happy to investigate such bugs ourselves, so
> you don't have to go through the trouble of bisecting this.
>
> On Sun, Sep 25, 2016 at 6:06 PM PhistucK <phist...@gmail.com> wrote:
>
>> After bisecting, the bug started at -
>> https://chromium.googlesource.com/v8/v8/+log/c93d868f..d83c3f0e
>> The bug stopped at -
>> https://chromium.googlesource.com/v8/v8/+log/f9a47d47..a255aa83
>>
>> This leaves me with
>> https://chromium.googlesource.com/v8/v8/+/4dab7b5a1d6722002d47d0be2481cb65602a2451,
>> which resolves a for-in optimization (Turbofan) bug
>> <https://bugs.chromium.org/p/chromium/issues/detail?id=647887> and is
>> already merged to the 5.3 branch (but is not released to stable yet :().
>>
>> Though, I wonder, why did it not always occur? jQuery.isPlainObject is a
>> very hot function (at least in the code with which I am dealing here). Is
>> it possible that it is not always optimized?
>> (Also, that weird foo.hasOwnProperty(bar) === true versus
>> Object.keys(foo).indexOf(bar) === -1 contradiction...)
>>
>> Hopefully, another stable patch will be released soon, as it may affect
>> many jQuery versions, since that was the way to check whether an object is
>> a plain object until some time ago.
>>
>> I apologize to everyone, as I experienced the bug when it started but
>> dismissed it as a temporary canary issue that would resolve itself. Stupid
>> me. I hope I learned my lesson (probably not, though :( - I would have
>> reported it if it did not require days of investigations).
>>
>> ☆*PhistucK*
>>
>> On Sat, Sep 24, 2016 at 1:45 PM, PhistucK <phist...@gmail.com> wrote:
>>
>>> Thank you! Unfortunately, for everyone, it is getting clearer and
>>> clearer that this is an optimization issue. The issue does not reproduce
>>> with the --no-crankshaft flag.
>>>
>>> The code is calling something like -
>>> jQuery.extend(/* deepCopy */ true, {string: 'something'}, {string: 'something', instance: someConstructedInstance})
>>> (Where someConstructedInstance is an instance of an object based on an
>>> enhanced Backbone View Model, so it is not a plain object)
>>> And sometimes (it used to occasionally appear, it now appears more often
>>> than not), jQuery.isPlainObject returns true for the value of instance.
>>> That jQuery function finishes with the following statements
>>> <https://github.com/jquery/jquery/blob/d71f6a53927ad02d728503385d15539b73d21ac8/src/core.js#L472-L475>
>>> -
>>> var key;
>>> for ( key in obj ) {}
>>>
>>> return key === undefined || core_hasOwn.call( obj, key );
>>>
>>> From my debugging, it sometimes fails the key === undefined
>>> <https://github.com/jquery/jquery/blob/d71f6a53927ad02d728503385d15539b73d21ac8/src/core.js#L475>
>>> check (if I add more logging code, it returns true - that does not make
>>> sense) and it sometimes fails the core_hasOwn.call( obj, key )
>>> <https://github.com/jquery/jquery/blob/d71f6a53927ad02d728503385d15539b73d21ac8/src/core.js#L475>
>>> check (which returns true for a key that is not an own property). When
>>> this happens, Object.keys(obj).indexOf(key) returns -1. I verified that
>>> the key is indeed not an own property.
>>> (I am using jQuery 1.9.1 and cannot update it, but the code has
>>> basically gone through simplification, not real bug fixes)
>>>
>>> I think it may have started since Chrome 52, I am not sure. It evidently
>>> possibly became much, much worse in Chrome 53 (Windows 7, Intel Core i5, 32
>>> bit).
>>>
>>> I should report it, but I cannot disclose the code (it is a
>>> several-megabyte package that includes - and uses in that stack - several
>>> libraries like Knockout, Backbone, Underscore and more). Can someone
>>> suggest how I can diagnose and debug this further (without a native code
>>> debugger) in order to help you understand the exact issue (without showing
>>> code :()?
>>>
>>> ☆*PhistucK*
>>>
>>> On Tuesday, September 20, 2016 at 3:54:19 PM UTC+3, Michael Hablich
>>> wrote:
>>>
>>>> --no-crankshaft should do the trick. The name is misleading, it will
>>>> also disable TurboFan.
>>>>
>>>> On Tuesday, September 20, 2016 at 1:51:51 PM UTC+2, PhistucK wrote:
>>>>>
>>>>> I have an issue where the code suddenly (since Chrome 53) gets caught
>>>>> up in a cyclic recursion until it exceeds the stack size limit.
>>>>>
>>>>> Since the code is the same, I want to try and rule out engine
>>>>> optimization issues. Is there a V8 flag for disabling all of the
>>>>> optimizations?
>>>>>
>>>>> ☆*PhistucK*
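
Added example, not part of the thread and not jQuery or V8 code: a differential check that runs the for-in tail of jQuery.isPlainObject quoted above in a hot loop and compares every result with a reference computed without for-in, so a miscompiled for-in shows up as a recorded anomaly without disclosing application code. The names forInTail, referenceTail, differential and ViewModel are hypothetical, and the fixtures are constructed.

```javascript
// Added example: differential check for the for-in tail of jQuery.isPlainObject.
// forInTail, referenceTail, differential and ViewModel are hypothetical names.
const hasOwn = Object.prototype.hasOwnProperty;

// The statements quoted in the thread, returning the key as well as the verdict.
function forInTail(obj) {
  var key;
  for (key in obj) {}
  return { key: key, plain: key === undefined || hasOwn.call(obj, key) };
}

// Same answer computed without for-in: walk the prototype chain, skip shadowed
// names, and remember which object supplied the last enumerable key.
function referenceTail(obj) {
  const seen = new Set();
  let last, owner;
  for (let o = obj; o !== null; o = Object.getPrototypeOf(o)) {
    for (const name of Object.getOwnPropertyNames(o)) {
      if (seen.has(name)) continue;
      seen.add(name);
      if (Object.getOwnPropertyDescriptor(o, name).enumerable) { last = name; owner = o; }
    }
  }
  return { key: last, plain: last === undefined || owner === obj };
}

// Call the tail repeatedly so the optimizing tiers get a chance to compile it,
// and record every call whose result differs from the reference.
function differential(obj, iterations) {
  const want = referenceTail(obj);
  const anomalies = [];
  for (let i = 0; i < iterations && anomalies.length < 5; i++) {
    const got = forInTail(obj);
    if (got.key !== want.key || got.plain !== want.plain) {
      anomalies.push({ i, got, inObjectKeys: Object.keys(obj).indexOf(got.key) !== -1 });
    }
  }
  return { want, anomalies };
}

// Constructed fixtures: a plain object and an instance with an enumerable inherited method.
function ViewModel() { this.cid = 'c1'; }
ViewModel.prototype.render = function () {};

for (const [label, obj] of [['plain', { string: 'something' }], ['instance', new ViewModel()]]) {
  const { want, anomalies } = differential(obj, 200000);
  console.log(label, 'expected', want, 'anomalies', anomalies);
}
```

On an unaffected engine both anomaly lists are empty. Comparing a default run with one under the thread's --js-flags="--no-crankshaft" setting separates an optimizer fault from a library one.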