ToString(Object) sometimes returns [object Null] #12411
Comments
mscdex
added
v7.x
v8 engine
|
I don't think it's out of the ordinary, seeing as how It could be a bug though whose fix didn't get backported to 5.5 though. |
|
This is not about what happens when you stringify Also see in the linked v8 issue where an array is stringified, but |
|
The V8 in v7.x has the same bug. I'll prepare a back-port. |
|
This has been troubling us for months! So happy the issue has been found. Getting the fix out in a patch release soon would be great for us. Thanks. |
|
@holm I would assume we do another v7.x patch release next week, as usual. |
|
Great, thanks a lot for the quick work (as usual)! |
This is a chery-pick if you consider reducing the context to -C2
a cherry-pick; WordIsSmi has been renamed to TaggedIsSmi upstream.
Original commit message:
[builtins] Fix pointer comparison in ToString builtin.
This fixes the bogus {Word32Equal} comparison in the ToString
builtin implementing Object.prototype.toString to be a pointer-size
{WordEqual} comparison instead. Comparing just the lower half-word
is insufficient on 64-bit architectures.
[email protected]
TEST=mjsunit/regress/regress-crbug-664506
BUG=chromium:664506
Review-Url: https://codereview.chromium.org/2496043003
Cr-Commit-Position: refs/heads/master@{nodejs#40963}
Fixes: nodejs#12411
PR-URL: nodejs#12412
Reviewed-By: Anna Henningsen <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Sakthipriyan Vairamani <[email protected]>
|
Fixed in f882f47, should be in the next v7.x release. |
|
Any idea when the next v7.x release might be? This bug is hurting us quite a bit, and a new release would be wonderful. Thanks as always. |
|
Next Tuesday, I think. I'm not on the release team though. |
|
Ben is correct. I have a release almost ready but decided to hold off due to #12663 |
This is a chery-pick if you consider reducing the context to -C2
a cherry-pick; WordIsSmi has been renamed to TaggedIsSmi upstream.
Original commit message:
[builtins] Fix pointer comparison in ToString builtin.
This fixes the bogus {Word32Equal} comparison in the ToString
builtin implementing Object.prototype.toString to be a pointer-size
{WordEqual} comparison instead. Comparing just the lower half-word
is insufficient on 64-bit architectures.
[email protected]
TEST=mjsunit/regress/regress-crbug-664506
BUG=chromium:664506
Review-Url: https://codereview.chromium.org/2496043003
Cr-Commit-Position: refs/heads/master@{#40963}
Fixes: #12411
PR-URL: #12412
Reviewed-By: Anna Henningsen <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Sakthipriyan Vairamani <[email protected]>
Linux web 4.4.0-18-generic #34~14.04.1-Ubuntu SMP Thu Apr 7 18:31:54 UTC 2016 x86_64 x86_64 x86_64 GNU/LinuxI think we're encountering this bug in our staging and prod environments under heavy load. It does not occur in node v6, but only v7.
I can't reproduce this in the node console (with the v8 repro), but it seems like the v8 code is the same in node.
Is it possible to somehow verify this also applies to node and backport that v8 fix into node v7?
The text was updated successfully, but these errors were encountered: