I have read an article about V8's bug; the author wrote:

> What happens is this: First, a function is reduced in a way that makes it 
> change the elements kind of a stable map. Next, a second function is 
> reduced in a way that simply stores / loads a property in the same stable 
> map. Now, an object of that map is created. The first function is called 
> with that object as the argument, and the elements kind is changed.
> The second function is called, and the inline cache does not miss (since, 
> remember, an elements kind transition is not a regular transition into a 
> different map type that would cause the cache to miss).

So how should I understand this sentence? *(since, remember, an elements kind 
transition is not a regular transition into a different map type that would 
cause the cache to miss).*

The link: https://blogs.securiteam.com/index.php/archives/3379

Jakob Kummerow wrote:
>
> What cache are you talking about?
>
> Different elements kinds do cause inline cache misses.
>
> On Tue, Sep 5, 2017 at 3:08 AM, cyril <hit.liu...@gmail.com> wrote:
>
>> Hi all,
>>
>> Why can't an element kind transition cause the cache to miss?

-- 
-- 
v8-users mailing list
v8-users@googlegroups.com
http://groups.google.com/group/v8-users
--- 
You received this message because you are subscribed to the Google Groups 
"v8-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to v8-users+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
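
A toy model of the map check behind the reply quoted above ("Different elements kinds do cause inline cache misses"), added here as an illustration; it is not code from the thread, the linked article, or V8's source. `HiddenClass`, `LoadIC`, `storeElement` and `demo` are hypothetical names, and the Smi test and the monomorphic cache are simplifications.

```javascript
// Toy model, not V8 source. Assumption modelled here: the elements kind is
// recorded in the object's map (hidden class), so changing the elements kind
// moves the object to a different map.
const KINDS = ['PACKED_SMI_ELEMENTS', 'PACKED_DOUBLE_ELEMENTS', 'PACKED_ELEMENTS'];

class HiddenClass {
  constructor(elementsKind) {
    this.elementsKind = elementsKind;
    this.transitions = new Map(); // elements kind -> successor hidden class
  }
  transitionTo(kind) {
    if (!this.transitions.has(kind)) this.transitions.set(kind, new HiddenClass(kind));
    return this.transitions.get(kind);
  }
}
const ROOT = new HiddenClass(KINDS[0]);

// Simplified classification: integer -> Smi, other number -> double, rest -> tagged.
const kindOf = (v) => (Number.isInteger(v) ? 0 : typeof v === 'number' ? 1 : 2);

function storeElement(obj, index, value) {
  const current = KINDS.indexOf(obj.map.elementsKind);
  const needed = KINDS[Math.max(current, kindOf(value))];
  // An elements kind change is itself a map transition in this model.
  if (needed !== obj.map.elementsKind) obj.map = obj.map.transitionTo(needed);
  obj.elements[index] = value;
}

// Monomorphic inline cache for one load site: it remembers the last map seen.
class LoadIC {
  constructor() { this.cachedMap = null; this.hits = 0; this.misses = 0; }
  load(obj, index) {
    if (obj.map === this.cachedMap) this.hits++;
    else { this.misses++; this.cachedMap = obj.map; } // miss: re-specialise
    return obj.elements[index];
  }
}

function demo() {
  const ic = new LoadIC();
  const arr = { map: ROOT, elements: [] };
  storeElement(arr, 0, 1);
  ic.load(arr, 0);              // miss: site not yet specialised
  ic.load(arr, 0);              // hit: same map
  const before = arr.map;
  storeElement(arr, 1, 1.5);    // Smi -> double elements, so the map changes
  ic.load(arr, 0);              // miss: cached map no longer matches
  ic.load(arr, 0);              // hit again on the new map
  return { hits: ic.hits, misses: ic.misses,
           mapChanged: before !== arr.map, kind: arr.map.elementsKind };
}
```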
