Comment #4 on issue 30790 by whe...@google.com: Crash: v8::internal::Map::UpdateCodeCache
http://code.google.com/p/chromium/issues/detail?id=30790

The crash is reproducible, and is connected to the earlier crash fixed in V8 R3440.


I reproduced the recent example, and there is an example of an object having its map corrupted.
I didn't think there could be a GC between these, but here is what is happening:

In stub-cache.cc, ComputeLoadCallback:

  Object* code = receiver->map()->FindInCodeCache(name, flags);
  if (code->IsUndefined()) {
    LoadStubCompiler compiler;
    code = compiler.CompileLoadCallback(name, receiver, holder, callback);
    if (code->IsFailure()) return code;
    LOG(CodeCreateEvent(Logger::LOAD_IC_TAG, Code::cast(code), name));
    Object* result = receiver->map()->UpdateCodeCache(name, Code::cast(code));

The call to receiver->map()->FindInCodeCache() succeeds.
The call to receiver->map()->UpdateCodeCache() fails.
The value of the pointer receiver is the same in both calls.
The map at that location is good in the first call, and has been replaced by 0x04000000 in the second one.

So I thought CompileLoadCallback could not do a GC, but of course it can, can't it.
receiver is in a register, but also on the stack (an argument to this call), but it is not a handle, and the code creating the handle for receiver in LoadIC::UpdateCaches:
  if (!object->IsJSObject()) return;
  Handle<JSObject> receiver = Handle<JSObject>::cast(object);

is optimized away, and no receiver handle variable is created.
So the problem may be that receiver is not pointed to by anything?
Or receiver is relocated, and we had a direct pointer in a register that wasn't modified, so we don't get the pointer updated.

Receiver is in ebp, and it is assumed to be caller-saved, and to retain its value across the compilation.
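The failure mode described in this comment, as an added illustration that is not from the issue or from V8 itself: a toy moving collector in which a raw pointer taken from a rooted object goes stale after an allocation triggers a collection, while a handle (an indirection through a root table the collector updates) still reads the object's map. The heap, the 0x04000000 poison value and the capacity are constructed for the demo.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

struct Object { uint32_t map; };  // first word of a heap object, as in V8

// Toy semispace heap: Allocate() may run Collect(), which copies every rooted
// object to the other space and poisons the evacuated space.
class Heap {
 public:
  static constexpr size_t kCapacity = 4;
  static constexpr uint32_t kFreedMarker = 0x04000000;  // value seen in the report

  Object* Allocate(uint32_t map) {
    if (top_ == kCapacity) Collect();
    Object* obj = &space_[cur_][top_++];
    obj->map = map;
    return obj;
  }
  // A handle is a slot in the root table; Collect() rewrites the slot.
  size_t NewHandle(Object* obj) { roots_.push_back(obj); return roots_.size() - 1; }
  Object* Deref(size_t handle) const { return roots_[handle]; }

 private:
  void Collect() {
    size_t from = cur_, to = 1 - cur_, new_top = 0;
    Object* forward[kCapacity] = {};            // old index -> new address
    for (Object*& root : roots_) {
      size_t i = root - space_[from];
      if (!forward[i]) { space_[to][new_top] = *root; forward[i] = &space_[to][new_top++]; }
      root = forward[i];                        // handles follow the move
    }
    for (Object& o : space_[from]) o.map = kFreedMarker;  // raw pointers do not
    cur_ = to; top_ = new_top;
  }
  Object space_[2][kCapacity];
  std::vector<Object*> roots_;
  size_t cur_ = 0, top_ = 0;
};

// Pattern from the report: a raw pointer held across an allocating call.
uint32_t RawPointerDemo() {
  Heap heap;
  size_t object = heap.NewHandle(heap.Allocate(0x1234));
  Object* receiver = heap.Deref(object);        // the handle was optimized away
  for (int i = 0; i < 4; ++i) heap.Allocate(0); // stands in for CompileLoadCallback
  return receiver->map;                         // stale: reads kFreedMarker
}

uint32_t HandleDemo() {
  Heap heap;
  size_t object = heap.NewHandle(heap.Allocate(0x1234));
  size_t receiver = object;                     // Handle::cast keeps the same slot
  for (int i = 0; i < 4; ++i) heap.Allocate(0);
  return heap.Deref(receiver)->map;             // 0x1234, the object was followed
}
```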
