Strange bug ever in V8

Eugene Obrezkov
Jun 23, 2016

Recently I found out about a strange bug in V8. Everyone is discussing it on Twitter, Facebook, Gitter and other social networks, so I am going to explain a little bit about it.

To my knowledge, it reproduces in the latest stable version of Google Chrome (mine is 51.0.2704.103). You can check it with the following snippet of code:

function foo() {
  // Per the ECMAScript spec, typeof null is 'object', so this must always be false.
  return typeof null === 'undefined';
}

// Call it often enough for the optimizing compiler to kick in.
for (var i = 0; i < 1000; i++) {
  console.log(foo());
}

This leads to the following result: the first iterations print false, as they should, but after enough calls the output flips to true.

What happened?

Well, I’ve found a commit that fixes this issue. Here is the link, so you can look into it yourself.

According to the commit description, the issue was in canonicalization. What is that?

In computer science, canonicalization (sometimes standardization or normalization) is a process for converting data that has more than one possible representation into a “standard”, “normal”, or canonical form. This can be done to compare different representations for equivalence, to count the number of distinct data structures, to improve the efficiency of various algorithms by eliminating repeated calculations, or to make it possible to impose a meaningful sorting order.

In our case, the issue was in string canonicalization.

Let me give you a brief example of what canonicalization means, using booleans. In JavaScript a condition can be written with true, false, 1, 0, the empty string and so on, because those values are coerced to a boolean. But the canonical form is only true or false: one single, correct representation of the data.

That’s where this bug was. The Crankshaft compiler in V8 gets this slightly wrong when optimizing your code. That is why the first iterations of our loop were right, until Crankshaft optimized foo.
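As an added example (this is not code from the original post), here is a small regression check that turns the loop above into an assertion. It runs a pure typeof comparison many times and reports the first iteration whose result differs from the first call, which is exactly the kind of behaviour the optimized code produced here. It also checks every canonical typeof result from the ECMAScript spec, including the typeof null === 'object' quirk, so the expectation being enforced is the spec's rather than the optimizer's. The names firstDivergence and checkTypeofStable are my own, invented for this example.

```javascript
// Added example, not code from the original post. Checks that a pure
// typeof comparison gives the same answer on every call, which is what
// the bug described above broke once Crankshaft optimized foo().

// Canonical typeof results per ECMAScript, one representative value each.
// typeof null is 'object' (a long-standing quirk); it is never 'undefined'.
const CANONICAL_TYPEOF = [
  [undefined, 'undefined'],
  [null, 'object'],
  [true, 'boolean'],
  [42, 'number'],
  ['', 'string'],
  [Symbol('s'), 'symbol'],
  [function () {}, 'function'],
  [{}, 'object'],
];

// The function from the post, unchanged: it must always return false.
function foo() {
  return typeof null === 'undefined';
}

// Call fn `iterations` times and return the index of the first call whose
// result differs from the first call's, or -1 if the result never changes.
// Many iterations are needed so that the optimizing compiler gets a chance
// to replace the baseline code with optimized code.
function firstDivergence(fn, iterations = 1000) {
  const expected = fn();
  for (let i = 1; i < iterations; i++) {
    if (fn() !== expected) return i;
  }
  return -1;
}

// Run every canonical typeof comparison through firstDivergence and collect
// human-readable failure descriptions. An empty array means the engine agrees
// with the spec both before and after optimization.
function checkTypeofStable(iterations = 1000) {
  const failures = [];
  for (const [value, name] of CANONICAL_TYPEOF) {
    const compare = () => typeof value === name;
    if (!compare()) {
      failures.push(`typeof ${String(value)} is '${typeof value}', expected '${name}'`);
    }
    const at = firstDivergence(compare, iterations);
    if (at !== -1) {
      failures.push(`typeof check for '${name}' changed its answer at iteration ${at}`);
    }
  }
  return failures;
}

// Stand-alone run: prints the problems found, if any.
console.log('foo() diverges at:', firstDivergence(foo));
console.log('typeof failures:', checkTypeofStable());
```

Run it with node. On an engine without the bug both lines report no problem (-1 and an empty list); on the Chrome build from the post, firstDivergence(foo) would have returned the iteration at which Crankshaft took over. One caveat: V8 has since replaced Crankshaft with TurboFan and its tier-up thresholds differ, so if you are hunting for a similar optimizer-dependent result today, raise the iteration count well above 1000 rather than assuming the function was optimized.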

Share your thoughts; I will be glad to discuss.

UPD: Thanks to Vyacheslav Egorov, we have a nice explanation of what happened:

Eugene Obrezkov

Software Engineer · elastic.io · JavaScript · DevOps · Developer Tools · SDKs · Compilers · Operating Systems