This is excellent. Thank you very much for taking the time to answer.

On Wed, Sep 6, 2017 at 3:56 PM, Toon Verwaest <verwa...@chromium.org> wrote:

> The article is a bit confused about multiple things within V8, so I
> wouldn't rely on it as a source to correctly understand how V8 works in
> detail. E.g., also the first sentence explaining what "stable maps" are is
> plainly wrong. Stable maps are maps from which we've never seen an instance
> transition away.
>
> I don't remember if it's correct but it makes me think that the bug was about
> an optimization allowing us not to recheck the map of an object since it
> was marked stable, by instead adding a "stability dependency" on the map.
> If any object ever transitions away from the stable map the code should be
> deoptimized. I believe this was broken for elements transitions since we
> find those transitions in a special way; and we had forgotten to mark the
> source map of the transition unstable when the transition target map
> already existed. Since optimized code wasn't notified when the object shape
> changed (and its map was swapped), it kept on assuming that the elements
> kind was the previous one.
>
> On Wed, Sep 6, 2017 at 3:41 AM Jakob Kummerow <jkumme...@chromium.org>
> wrote:
>
>> Well, as you said, that article is talking about a bug, so the answer to
>> the question "why did that happen?" is "because there was a bug".
>>
>> Elements kind transitions are regular map transitions (the article seems
>> to be a bit confused about that), and do cause inline cache misses (and
>> other map check failures) just like every other map transition. The bug (as
>> far as I understand) had to do with compiler optimizations, not inline
>> cache misses.
>>
>> On Tue, Sep 5, 2017 at 4:30 PM, cyril <hit.liushenr...@gmail.com> wrote:
>>
>>> I have read an article about V8's bug, the author wrote
>>>
>>>> What happens is this: First, a function is reduced in a way that makes
>>>> it change the elements kind of a stable map. Next, a second function is
>>>> reduced in a way that simply stores / loads a property in the same stable
>>>> map. Now, an object of that map is created. The first function is called
>>>> with that object as the argument, and the elements kind is changed.
>>>> The second function is called, and the inline cache does not miss
>>>> (since, remember, an elements kind transition is not a regular transition
>>>> into a different map type that would cause the cache to miss).
>>>
>>> So how to understand this sentence? *(since, remember, an elements kind
>>> transition is not a regular transition into a different map type that would
>>> cause the cache to miss).*
>>>
>>> the link : https://blogs.securiteam.com/index.php/archives/3379
>>>
>>> Jakob Kummerow wrote:
>>>>
>>>> What cache are you talking about?
>>>>
>>>> Different elements kinds do cause inline cache misses.
>>>>
>>>> On Tue, Sep 5, 2017 at 3:08 AM, cyril <hit.liu...@gmail.com> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> Why can't an element kind transition cause the cache to miss?
>>>>>
>>>>>
>>>>> --
>>>>> --
>>>>> v8-users mailing list
>>>>> v8-u...@googlegroups.com
>>>>> http://groups.google.com/group/v8-users
>>>>> ---
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "v8-users" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to v8-users+u...@googlegroups.com.
>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>
>>>>
>>
> --
>
> Toon Verwaest |  Software Engineer, V8 |  Google Germany GmbH |  Erika-Mann
> Str. 33, 80636 München
>
> Registergericht und -nummer: Hamburg, HRB 86891 | Sitz der Gesellschaft:
> Hamburg | Geschäftsführer: Paul Manicle, Halimah DeLaine Prado
>
>
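
Added example, not part of the thread and not V8 source: a toy JavaScript model of the "stability dependency" mechanism as Toon Verwaest's reply describes it, run once with the notification skipped when the transition target map already exists and once with it performed. `ShapeMap`, `compileWithStabilityDependency`, `transitionElementsKind` and `runScenario` are hypothetical names, and the pre-seeded target map is a constructed setup.

```javascript
// Toy model only: none of these names or structures are V8's own.
class ShapeMap {
  constructor(elementsKind) {
    this.elementsKind = elementsKind;
    this.stable = true;            // no instance has transitioned away yet
    this.dependents = new Set();   // optimized code relying on that stability
    this.transitions = new Map();  // elementsKind -> already-created target map
  }
  markUnstable() {
    this.stable = false;
    for (const code of this.dependents) code.deoptimized = true;
    this.dependents.clear();
  }
}

// "Optimized code" that skips the map recheck and registers a dependency instead.
function compileWithStabilityDependency(map) {
  const code = { assumedKind: map.elementsKind, deoptimized: false };
  map.dependents.add(code);
  return code;
}

// Elements kind transition. notifyOnExistingTarget = false models the
// forgotten step described in the reply; true models the corrected behaviour.
function transitionElementsKind(obj, kind, notifyOnExistingTarget) {
  const source = obj.map;
  let target = source.transitions.get(kind);
  if (target === undefined) {
    target = new ShapeMap(kind);
    source.transitions.set(kind, target);
    source.markUnstable();               // fresh-target path notifies
  } else if (notifyOnExistingTarget) {
    source.markUnstable();               // existing-target path must notify too
  }
  obj.map = target;                      // the object's map is swapped
}

function runScenario(notifyOnExistingTarget) {
  const source = new ShapeMap("SMI");
  // Constructed setup: the target map exists while the source is still stable.
  source.transitions.set("DOUBLE", new ShapeMap("DOUBLE"));
  const obj = { map: source };
  const code = compileWithStabilityDependency(source);
  transitionElementsKind(obj, "DOUBLE", notifyOnExistingTarget);
  return {
    deoptimized: code.deoptimized,
    staleAssumption: !code.deoptimized && code.assumedKind !== obj.map.elementsKind,
  };
}
```
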
