Comment #4 on issue 30790 by whe...@google.com: Crash: v8::internal::Map::UpdateCodeCache http://code.google.com/p/chromium/issues/detail?id=30790
The crash is reproducible, and is connected to the earlier crash fixed in V8 R3440. I reproduced the recent example, and there is an example of an object having its map corrupted. I didn't think there could be a GC between these, but here is what is happening. In stub-cache.cc, ComputeLoadCallback:

    Object* code = receiver->map()->FindInCodeCache(name, flags);
    if (code->IsUndefined()) {
      LoadStubCompiler compiler;
      code = compiler.CompileLoadCallback(name, receiver, holder, callback);
      if (code->IsFailure()) return code;
      LOG(CodeCreateEvent(Logger::LOAD_IC_TAG, Code::cast(code), name));
      Object* result = receiver->map()->UpdateCodeCache(name, Code::cast(code));

The call to receiver->map()->FindInCodeCache() succeeds. The call to receiver->map()->UpdateCodeCache() fails. The value of the pointer receiver is the same in both calls. The map at that location is good in the first call, and has been replaced by 0x04000000 in the second one.

So I thought CompileLoadCallback could not do a GC, but of course it can, can't it? receiver is in a register, but also on the stack (an argument to this call), but it is not a handle, and the code creating the handle for receiver in LoadIC::UpdateCaches:

    if (!object->IsJSObject()) return;
    Handle<JSObject> receiver = Handle<JSObject>::cast(object);

is optimized away, and no receiver handle variable is created. So the problem may be that receiver is not pointed to by anything? Or receiver is relocated, and we had a direct pointer in a register that wasn't modified, so we don't get the pointer updated. Receiver is in ebp, and it is assumed to be caller-saved, and retain its value across the compilation.
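Added illustration, not V8 code and not from the reporter: a toy copying collector in C++ (the Heap, Obj, Collect and ReplayBug names are made up) that replays the sequence in the comment above, keeping a raw pointer across an allocation that collects while a handle slot gets rewritten, with 0x04000000 used as the poison pattern the report observed.

```cpp
#include <cstddef>
#include <cstdint>
struct Obj { std::uint32_t map; };     // "map" stands in for the object's Map pointer
constexpr std::size_t kSpaceSize = 4;
constexpr std::uint32_t kDeadMap = 0x04000000;  // poison pattern, as seen in the report

// Toy semispace copying collector: live objects move on every GC.
struct Heap {
  Obj spaces[2][kSpaceSize] = {};
  int cur = 0;               // index of the active semispace
  std::size_t top = 0;       // bump-allocation pointer in the active space
  Obj* handles[8] = {};      // handle table: the only slots the GC rewrites
  std::size_t nhandles = 0;

  // Copy every handle-referenced object to the other space, redirect the
  // handle slots, then poison the old space (toy: assumes one handle per object).
  void Collect() {
    int next = 1 - cur;
    std::size_t ntop = 0;
    for (std::size_t i = 0; i < nhandles; ++i) {
      spaces[next][ntop] = *handles[i];
      handles[i] = &spaces[next][ntop++];
    }
    for (std::size_t i = 0; i < kSpaceSize; ++i) spaces[cur][i].map = kDeadMap;
    cur = next;
    top = ntop;
  }

  // Allocation can trigger a GC, just as CompileLoadCallback can.
  Obj* Allocate(std::uint32_t map) {
    if (top == kSpaceSize) Collect();
    Obj* o = &spaces[cur][top++];
    o->map = map;
    return o;
  }
  Obj** NewHandle(Obj* o) { handles[nhandles] = o; return &handles[nhandles++]; }
};
struct Result { std::uint32_t via_raw_pointer; std::uint32_t via_handle; };

// The report's sequence: take receiver's map, run an allocating step that
// collects, then read it again through the stale raw pointer and through the handle.
Result ReplayBug() {
  Heap heap;
  Obj* receiver = heap.Allocate(0x1111);   // raw pointer kept in a register / on the stack
  Obj** handle = heap.NewHandle(receiver); // the handle UpdateCaches should have kept alive
  for (int i = 0; i < 3; ++i) heap.Allocate(0);  // fills the space (4 objects)
  heap.Allocate(0x2222);                   // space full: this allocation triggers Collect()
  return {receiver->map, (*handle)->map};  // raw pointer now sees kDeadMap, handle sees 0x1111
}
```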