The article is a bit confused about multiple things within V8, so I wouldn't rely on it as a source to correctly understand how V8 works in detail. E.g., also the first sentence explaining what "stable maps" are is plainly wrong. Stable maps are maps from which we've never seen an instance transition away.
I don't remember if it's correct, but it makes me think that the bug was about an optimization allowing us not to recheck the map of an object since it was marked stable, by instead adding a "stability dependency" on the map. If any object ever transitions away from the stable map, the code should be deoptimized. I believe this was broken for elements transitions since we find those transitions in a special way; and we had forgotten to mark the source map of the transition unstable when the transition target map already existed. Since optimized code wasn't notified when the object shape changed (and its map was swapped), it kept on assuming that the elements kind was the previous one.

On Wed, Sep 6, 2017 at 3:41 AM Jakob Kummerow <jkumme...@chromium.org> wrote:

> Well, as you said, that article is talking about a bug, so the answer to the question "why did that happen?" is "because there was a bug".
>
> Elements kind transitions are regular map transitions (the article seems to be a bit confused about that), and do cause inline cache misses (and other map check failures) just like every other map transition. The bug (as far as I understand) had to do with compiler optimizations, not inline cache misses.
>
> On Tue, Sep 5, 2017 at 4:30 PM, cyril <hit.liushenr...@gmail.com> wrote:
>
>> I have read an article about a V8 bug; the author wrote:
>>
>>> What happens is this: First, a function is reduced in a way that makes it change the elements kind of a stable map. Next, a second function is reduced in a way that simply stores / loads a property in the same stable map. Now, an object of that map is created. The first function is called with that object as the argument, and the elements kind is changed. The second function is called, and the inline cache does not miss (since, remember, an elements kind transition is not a regular transition into a different map type that would cause the cache to miss).
>>
>> So how to understand this sentence? *(since, remember, an elements kind transition is not a regular transition into a different map type that would cause the cache to miss).*
>>
>> the link: https://blogs.securiteam.com/index.php/archives/3379
>>
>> Jakob Kummerow wrote:
>>>
>>> What cache are you talking about?
>>>
>>> Different elements kinds do cause inline cache misses.
>>>
>>> On Tue, Sep 5, 2017 at 3:08 AM, cyril <hit.liu...@gmail.com> wrote:
>>>
>>>> Hi all,
>>>>
>>>> Why can't an elements kind transition cause the cache to miss?
>>>>
>>>> --
>>>> --
>>>> v8-users mailing list
>>>> v8-u...@googlegroups.com
>>>> http://groups.google.com/group/v8-users
>>>> ---
>>>> You received this message because you are subscribed to the Google Groups "v8-users" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send an email to v8-users+u...@googlegroups.com.
>>>> For more options, visit https://groups.google.com/d/optout.

--
Toon Verwaest | Software Engineer, V8 | Google Germany GmbH | Erika-Mann Str. 33, 80636 München
Court of registration and number: Hamburg, HRB 86891 | Registered office: Hamburg | Managing Directors: Paul Manicle, Halimah DeLaine Prado
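The mechanism Toon describes (optimized code taking a "stability dependency" on a map instead of re-checking it, and the invariant that any instance transitioning away from the map must mark it unstable and deoptimize that code) is easier to see in a small model. The following is an added example written for this thread, not V8 source and not code from any of the participants. It is a toy simulation in plain JavaScript: `HiddenClass`, `OptimizedCode`, `transitionElementsKind`, `findStaleAssumptions` and the `reuseBug` switch are this model's own names, and the elements kind strings are just labels borrowed from V8's naming. The `reuseBug` switch reproduces the class of mistake described above (source map not marked unstable when the transition target already exists) so the consistency check can show what a debug-build verifier would catch.

```javascript
// Toy model of stable maps and stability dependencies (added example, not V8 code).

class HiddenClass {
  constructor(name, elementsKind) {
    this.name = name;
    this.elementsKind = elementsKind;
    this.stable = true;            // no instance has ever transitioned away
    this.transitions = new Map();  // elementsKind -> target HiddenClass
    this.dependents = new Set();   // OptimizedCode relying on `stable`
  }

  // The invariant: leaving a map makes it unstable and deoptimizes dependents.
  markUnstable() {
    if (!this.stable) return;
    this.stable = false;
    for (const code of this.dependents) code.deoptimize();
    this.dependents.clear();
  }
}

class OptimizedCode {
  constructor(name, map) {
    this.name = name;
    this.map = map;
    this.assumedKind = map.elementsKind; // assumption baked into the code
    this.valid = true;
    map.dependents.add(this);            // the stability dependency
  }
  deoptimize() { this.valid = false; }
}

// Move `obj` to the map for `newKind`. With `reuseBug` set, an already
// existing target map is reused without marking the source unstable, so
// dependent optimized code keeps its stale elements-kind assumption.
function transitionElementsKind(obj, newKind, reuseBug = false) {
  const source = obj.map;
  let target = source.transitions.get(newKind);
  if (target === undefined) {
    target = new HiddenClass(`${source.name}->${newKind}`, newKind);
    source.transitions.set(newKind, target);
    source.markUnstable();
  } else if (!reuseBug) {
    source.markUnstable();
  }
  obj.map = target;
}

// Consistency check: valid optimized code must not depend on an unstable
// map, and objects allocated under the map it depends on must still have
// the elements kind the code assumes.
function findStaleAssumptions(objects, codes) {
  const violations = [];
  for (const code of codes) {
    if (!code.valid) continue;
    if (!code.map.stable) {
      violations.push(`${code.name}: valid code depends on unstable map ${code.map.name}`);
    }
    for (const obj of objects) {
      if (obj.allocationMap === code.map && obj.map.elementsKind !== code.assumedKind) {
        violations.push(`${code.name}: assumes ${code.assumedKind} but object now has ${obj.map.elementsKind}`);
      }
    }
  }
  return violations;
}

// The scenario from the article, replayed on the model.
function runScenario(reuseBug) {
  const smiMap = new HiddenClass('Array[SMI]', 'PACKED_SMI_ELEMENTS');
  const doubleMap = new HiddenClass('Array[DOUBLE]', 'PACKED_DOUBLE_ELEMENTS');
  // The transition target exists before any instance has taken it, so the
  // source map is still legitimately stable at this point.
  smiMap.transitions.set('PACKED_DOUBLE_ELEMENTS', doubleMap);

  const load = new OptimizedCode('load', smiMap);                 // "second function"
  const obj = { allocationMap: smiMap, map: smiMap };             // object of that map
  transitionElementsKind(obj, 'PACKED_DOUBLE_ELEMENTS', reuseBug); // "first function"

  return {
    sourceStillStable: smiMap.stable,
    loadStillValid: load.valid,
    violations: findStaleAssumptions([obj], [load]),
  };
}

console.log('correct :', runScenario(false));
console.log('reuseBug:', runScenario(true));
```

In the correct run the source map becomes unstable, the dependent code is deoptimized and the checker finds nothing; in the `reuseBug` run the map is still reported stable, the optimized load remains valid with its old elements-kind assumption, and the checker reports exactly that mismatch. The point for anyone building or auditing such dependency schemes is that the invariant is checkable independently of the code path that should have maintained it.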