Re: [v8-users] Why element kind transition can't cause the cache to miss

2017-09-06 Thread Toon Verwaest
The article is a bit confused about multiple things within V8, so I
wouldn't rely on it as a source to correctly understand how V8 works in
detail. E.g., also the first sentence explaining what "stable maps" are is
plainly wrong. Stable maps are maps from which we've never seen an instance
transition away.

I don't remember if it's correct but it makes me think that the bug was about
an optimization allowing us not to recheck the map of an object since it
was marked stable, by instead adding a "stability dependency" on the map.
If any object ever transitions away from the stable map the code should be
deoptimized. I believe this was broken for elements transitions since we
find those transitions in a special way; and we had forgotten to mark the
source map of the transition unstable when the transition target map
already existed. Since optimized code wasn't notified when the object shape
changed (and its map was swapped), it kept on assuming that the elements
kind was the previous one.

On Wed, Sep 6, 2017 at 3:41 AM Jakob Kummerow <jkumme...@chromium.org>
wrote:

> Well, as you said, that article is talking about a bug, so the answer to
> the question "why did that happen?" is "because there was a bug".
>
> Elements kind transitions are regular map transitions (the article seems
> to be a bit confused about that), and do cause inline cache misses (and
> other map check failures) just like every other map transition. The bug (as
> far as I understand) had to do with compiler optimizations, not inline
> cache misses.
>
> On Tue, Sep 5, 2017 at 4:30 PM, cyril <hit.liushenr...@gmail.com> wrote:
>
>> I have read an article about V8's bug; the author wrote:
>>
>>> What happens is this: First, a function is reduced in a way that makes
>>> it change the elements kind of a stable map. Next, a second function is
>>> reduced in a way that simply stores / loads a property in the same stable
>>> map. Now, an object of that map is created. The first function is called
>>> with that object as the argument, and the elements kind is changed.
>>> The second function is called, and the inline cache does not miss
>>> (since, remember, an elements kind transition is not a regular transition
>>> into a different map type that would cause the cache to miss).
>>
>> So how should I understand this sentence? *(since, remember, an elements kind
>> transition is not a regular transition into a different map type that would
>> cause the cache to miss).*
>>
>> The link: https://blogs.securiteam.com/index.php/archives/3379
>>
>> Jakob Kummerow wrote:
>>>
>>> What cache are you talking about?
>>>
>>> Different elements kinds do cause inline cache misses.
>>>
>>> On Tue, Sep 5, 2017 at 3:08 AM, cyril <hit.liu...@gmail.com> wrote:
>>>
>>>> Hi all,
>>>>
>>>> Why can't an element kind transition cause the cache to miss?
-- 

Toon Verwaest |  Software Engineer, V8 |  Google Germany GmbH |  Erika-Mann
Str. 33, 80636 München


-- 
-- 
v8-users mailing list
v8-users@googlegroups.com
http://groups.google.com/group/v8-users
--- 
You received this message because you are subscribed to the Google Groups 
"v8-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to v8-users+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
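
Added example, not part of the original thread and not V8 source code: a toy JavaScript model of the invariant described in the message above, where optimized code skips a map check by registering a stability dependency, and every transition away from the map must mark it unstable and deoptimize dependents. All names (`ShapeMap`, `compileWithStabilityDependency`, `transitionElementsKind`, the `"smi"`/`"double"` labels) are hypothetical, and the pre-existing target map is an assumption of the model.

```javascript
// Toy model, constructed for illustration. Not V8 source; all names are hypothetical.
class ShapeMap {
  constructor(elementsKind) {
    this.elementsKind = elementsKind;
    this.stable = true;                   // no instance has transitioned away yet
    this.dependents = new Set();          // optimized code relying on stability
    this.elementsTransitions = new Map(); // elements kind -> existing target map
  }
  markUnstable() {
    this.stable = false;
    for (const code of this.dependents) code.deoptimized = true;
    this.dependents.clear();
  }
}

// Optimized code drops its map check and registers a stability dependency instead.
function compileWithStabilityDependency(map) {
  if (!map.stable) return null; // unstable map: the map check has to stay
  const code = { assumedKind: map.elementsKind, deoptimized: false };
  map.dependents.add(code);
  return code;
}

// buggy=true models the defect: the source map is not marked unstable
// when the transition target map already exists.
function transitionElementsKind(obj, kind, buggy) {
  const source = obj.map;
  let target = source.elementsTransitions.get(kind);
  const targetExisted = target !== undefined;
  if (!targetExisted) {
    target = new ShapeMap(kind);
    source.elementsTransitions.set(kind, target);
  }
  if (!(buggy && targetExisted)) source.markUnstable();
  obj.map = target; // the object's map is swapped either way
}

function scenario(buggy) {
  const smiMap = new ShapeMap("smi");
  // Assumption of this model: the target map was created earlier by some other path.
  smiMap.elementsTransitions.set("double", new ShapeMap("double"));
  const obj = { map: smiMap };
  const code = compileWithStabilityDependency(smiMap);
  transitionElementsKind(obj, "double", buggy);
  const stale = !code.deoptimized && code.assumedKind !== obj.map.elementsKind;
  return { deoptimized: code.deoptimized, staleAssumption: stale };
}

console.log("buggy:", scenario(true), "fixed:", scenario(false));
```

In the buggy run the code object is never deoptimized and still assumes the old elements kind; in the fixed run the same transition invalidates it.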


Re: [v8-users] Why element kind transition can't cause the cache to miss

2017-09-05 Thread Jakob Kummerow
What cache are you talking about?

Different elements kinds do cause inline cache misses.

On Tue, Sep 5, 2017 at 3:08 AM, cyril <hit.liushenr...@gmail.com> wrote:

> Hi all,
>
> Why can't an element kind transition cause the cache to miss?


[v8-users] Why element kind transition can't cause the cache to miss

2017-09-05 Thread cyril
Hi all,

Why can't an element kind transition cause the cache to miss?

