Status: Assigned
Owner: mlippa...@chromium.org
CC: hpa...@chromium.org
Labels: Type-Bug Priority-Medium
New issue 4359 by yang...@chromium.org: Crash in v8::internal::MemoryChunk::IsEvacuationCandidate on arm64 in mjsunit/strong/load-proxy.js
https://code.google.com/p/v8/issues/detail?id=4359
Repro:
git co 899c4284d50603a6276a8bf5c988d30cdd19241
GYP_GENERATORS=ninja GYP_DEFINES="target_arch=x64 use_goma=1 v8_enable_slow_dchecks=1 v8_optimized_debug=0 v8_target_arch=arm64" gclient sync
out/Debug/d8 --test --random-seed=818881265 --stress-opt --always-opt --nohard-abort --nodead-code-elimination --nofold-constants --enable-slow-asserts --debug-code --verify-heap --harmony-proxies --strong-mode test/mjsunit/mjsunit.js test/mjsunit/strong/load-proxy.js --gc-interval=500 --stress-compaction --concurrent-recompilation-queue-length=64 --concurrent-recompilation-delay=500 --concurrent-recompilation
Stack trace:
============ Stress 1/2 ============
============ Stress 2/2 ============
[New Thread 0x7fde93e97700 (LWP 15203)]
[New Thread 0x7fde94698700 (LWP 15202)]
[New Thread 0x7fde94e99700 (LWP 15200)]
[New Thread 0x7fde9569a700 (LWP 15196)]
Program received signal SIGSEGV, Segmentation fault.
v8::internal::MemoryChunk::IsFlagSet (this=0x31100000, flag=10)
at ../../src/heap/spaces.h:419
419 return (flags_ & (static_cast<uintptr_t>(1) << flag)) != 0;
(gdb) bt
#0 v8::internal::MemoryChunk::IsFlagSet (this=0x31100000, flag=10)
at ../../src/heap/spaces.h:419
#1 0x0000000000657272 in v8::internal::MemoryChunk::IsEvacuationCandidate
(this=0x31100000) at ../../src/heap/spaces.h:624
#2 0x000000000064601d in
v8::internal::MarkCompactCollector::IsOnEvacuationCandidate
(obj=0x31111a59) at ../../src/heap/mark-compact.h:649
#3 0x0000000000686e2f in
v8::internal::VerifyEvacuationVisitor::VisitPointers (this=0x7ffd96467750,
start=0x7ffd96467558, end=0x7ffd96467560)
at ../../src/heap/mark-compact.cc:163
#4 0x000000000048197a in v8::internal::ObjectVisitor::VisitPointer
(this=0x7ffd96467750, p=0x7ffd96467558) at ../../src/objects.h:10460
#5 0x000000000084a643 in v8::internal::ObjectVisitor::VisitEmbeddedPointer
(this=0x7ffd96467750, rinfo=0x7ffd96467620) at ../../src/objects.cc:10689
#6 0x0000000000688242 in v8::internal::RelocInfo::Visit
(this=0x7ffd96467620, isolate=0x296cbf0, visitor=0x7ffd96467750)
at ../../src/arm64/assembler-arm64-inl.h:877
#7 0x000000000067b894 in v8::internal::Code::CodeIterateBody
(this=0x7fde75608fe1, v=0x7ffd96467750)
at ../../src/heap/objects-visiting-inl.h:829
#8 0x0000000000814edb in v8::internal::HeapObject::IterateBody
(this=0x7fde75608fe1, type=v8::internal::CODE_TYPE, object_size=7040,
v=0x7ffd96467750)
at ../../src/objects.cc:1556
#9 0x0000000000814d39 in v8::internal::HeapObject::Iterate
(this=0x7fde75608fe1, v=0x7ffd96467750) at ../../src/objects.cc:1476
#10 0x0000000000686d65 in v8::internal::VerifyEvacuation
(page=0x7fde75600000) at ../../src/heap/mark-compact.cc:177
#11 0x0000000000686ad8 in v8::internal::VerifyEvacuation (heap=0x296cc10,
space=0x299b8f0) at ../../src/heap/mark-compact.cc:210
#12 0x0000000000674afc in v8::internal::VerifyEvacuation (heap=0x296cc10)
at ../../src/heap/mark-compact.cc:217
#13 0x00000000006747a1 in
v8::internal::MarkCompactCollector::EnsureSweepingCompleted
(this=0x2973718) at ../../src/heap/mark-compact.cc:545
#14 0x0000000000625fe4 in v8::internal::Heap::Verify (this=0x296cc10)
at ../../src/heap/heap.cc:5136
#15 0x0000000000626e46 in v8::internal::Heap::GarbageCollectionEpilogue
(this=0x296cc10) at ../../src/heap/heap.cc:634
#16 0x000000000062901d in v8::internal::Heap::CollectGarbage
(this=0x296cc10, collector=v8::internal::MARK_COMPACTOR,
gc_reason=0xfc4369 "allocation failure", collector_reason=0xfd0c6f "GC
in old space forced by flags", gc_callback_flags=v8::kNoGCCallbackFlags)
at ../../src/heap/heap.cc:946
#17 0x000000000046f8d3 in v8::internal::Heap::CollectGarbage
(this=0x296cc10, space=v8::internal::NEW_SPACE,
gc_reason=0xfc4369 "allocation failure",
callbackFlags=v8::kNoGCCallbackFlags) at ../../src/heap/heap-inl.h:513
#18 0x00000000005d23a0 in
v8::internal::Factory::New<v8::internal::JSMessageObject> (this=0x296cbf0,
map=..., space=v8::internal::NEW_SPACE)
at ../../src/factory.cc:19
#19 0x00000000005d20b4 in v8::internal::Factory::NewJSMessageObject
(this=0x296cbf0, message=v8::internal::MessageTemplate::kUncaughtException,
argument=..., start_position=-1, end_position=0, script=...,
stack_frames=...) at ../../src/factory.cc:2192
#20 0x00000000007e930f in v8::internal::MessageHandler::MakeMessageObject
(isolate=0x296cbf0,
message=v8::internal::MessageTemplate::kUncaughtException,
loc=0x7ffd96467ed0, argument=..., stack_frames=...)
at ../../src/messages.cc:55
#21 0x0000000000785171 in v8::internal::Isolate::CreateMessage
(this=0x296cbf0, exception=..., location=0x7ffd96467ed0)
at ../../src/isolate.cc:1397
#22 0x0000000000784256 in v8::internal::Isolate::Throw (this=0x296cbf0,
exception=0x45008a39, location=0x7ffd96467ed0) at ../../src/isolate.cc:1014
#23 0x0000000000485893 in
v8::internal::Isolate::Throw<v8::internal::Object> (this=0x296cbf0,
exception=..., location=0x0) at ../../src/isolate.h:738
#24 0x000000000080beef in v8::internal::Object::ReadAbsentProperty
(it=0x7ffd96468098, language_mode=v8::internal::LANGUAGE_END)
at ../../src/objects.cc:3347
#25 0x000000000080ae52 in v8::internal::Object::GetProperty
(it=0x7ffd96468098, language_mode=v8::internal::LANGUAGE_END)
at ../../src/objects.cc:179
#26 0x000000000044bbc6 in v8::internal::Object::GetElement
(isolate=0x296cbf0, object=..., index=1,
language_mode=v8::internal::LANGUAGE_END)
at ../../src/objects-inl.h:1141
#27 0x00000000008e4150 in v8::internal::Runtime::GetObjectProperty
(isolate=0x296cbf0, object=..., key=...,
language_mode=v8::internal::LANGUAGE_END)
at ../../src/runtime/runtime-object.cc:44
#28 0x0000000000769e55 in v8::internal::KeyedLoadIC::Load
(this=0x7ffd96468378, object=..., key=...) at ../../src/ic/ic.cc:1411
#29 0x00000000007709f0 in v8::internal::__RT_impl_Runtime_KeyedLoadIC_Miss
(args=..., isolate=0x296cbf0) at ../../src/ic/ic.cc:2406
#30 0x0000000000770822 in v8::internal::Runtime_KeyedLoadIC_Miss
(args_length=4, args_object=0x7fde936961a8, isolate=0x296cbf0)
at ../../src/ic/ic.cc:2392
#31 0x0000000000a526d5 in v8::internal::Simulator::DoRuntimeCall
(this=0x29999d0, instr=0x29b2e58) at ../../src/arm64/simulator-arm64.cc:602
#32 0x0000000000a62a42 in v8::internal::Simulator::VisitException
(this=0x29999d0, instr=0x29b2e58) at ../../src/arm64/simulator-arm64.cc:3691
#33 0x0000000000a65532 in
v8::internal::Decoder<v8::internal::Simulator>::DecodeBranchSystemException
(this=0x29999d0, instr=0x29b2e58)
at ../../src/arm64/decoder-arm64-inl.h:156
#34 0x0000000000a646e7 in
v8::internal::Decoder<v8::internal::Simulator>::Decode (this=0x29999d0,
instr=0x29b2e58) at ../../src/arm64/decoder-arm64-inl.h:62
#35 0x0000000000a521db in v8::internal::Simulator::ExecuteInstruction
(this=0x29999d0) at ../../src/arm64/simulator-arm64.h:310
#36 0x0000000000a5213d in v8::internal::Simulator::Run (this=0x29999d0)
at ../../src/arm64/simulator-arm64.cc:436
#37 0x0000000000a50b79 in v8::internal::Simulator::CheckPCSComplianceAndRun
(this=0x29999d0) at ../../src/arm64/simulator-arm64.cc:248
#38 0x0000000000a4fe95 in v8::internal::Simulator::CallVoid
(this=0x29999d0, entry=0x7fde73915e00 "?", args=0x7ffd96468ce0)
at ../../src/arm64/simulator-arm64.cc:162
#39 0x0000000000a51097 in v8::internal::Simulator::CallInt64
(this=0x29999d0, entry=0x7fde73915e00 "?", args=0x7ffd96468ce0)
at ../../src/arm64/simulator-arm64.cc:169
#40 0x0000000000a51217 in v8::internal::Simulator::CallJS (this=0x29999d0,
entry=0x7fde73915e00 "?", function_entry=0x7fde73936220 "\237\203",
func=0x42207ad9, revc=0x5d79fa69, argc=0, argv=0x0)
at ../../src/arm64/simulator-arm64.cc:194
#41 0x00000000005a7d93 in v8::internal::Invoke (is_construct=false,
function=..., receiver=..., argc=0, args=0x0) at ../../src/execution.cc:128
#42 0x00000000005a7518 in v8::internal::Execution::Call (isolate=0x296cbf0,
callable=..., receiver=..., argc=0, argv=0x0, convert_receiver=false)
at ../../src/execution.cc:179
#43 0x000000000043a848 in v8::Script::Run (this=0x29b8d50, context=...)
at ../../src/api.cc:1663
#44 0x0000000000408852 in v8::Shell::ExecuteString (isolate=0x296cbf0,
source=..., name=..., print_result=false, report_exceptions=true,
source_type=v8::Shell::SCRIPT) at ../../src/d8.cc:329
#45 0x00000000004122b4 in v8::SourceGroup::Execute (this=0x296a018,
isolate=0x296cbf0) at ../../src/d8.cc:1470
#46 0x0000000000415049 in v8::Shell::RunMain (isolate=0x296cbf0, argc=20,
argv=0x7ffd96469848, last_run=true) at ../../src/d8.cc:1979
#47 0x00000000004160df in v8::Shell::Main (argc=20, argv=0x7ffd96469848)
at ../../src/d8.cc:2419
#48 0x000000000041c922 in main (argc=20, argv=0x7ffd96469848)
at ../../src/d8.cc:2476
v8-dev mailing list
v8-dev@googlegroups.com
http://groups.google.com/group/v8-dev
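Added example, not code from the bug report or from V8: frame #0 faults at this=0x31100000 while frame #2 was asked about obj=0x31111a59, which is exactly what page masking (MemoryChunk::FromAddress) produces when the embedded pointer pulled out of the Code object's RelocInfo does not point into any mapped page. The C below reproduces that arithmetic and adds the guard a practitioner would want in such a verifier: resolve the chunk against a table of known pages before reading its flags word. The 1 MiB page size, the low-bit heap-object tag, the flag index 10 and the one-entry page table (modelled on page=0x7fde75600000 from frame #10) are assumptions or constructed inputs, not facts taken from the report.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Assumed constants (modelled on V8's 64-bit layout of the period, not
 * stated in the bug report): chunks are 1 MiB aligned and a heap object
 * pointer carries a 1 in its low bit, while a Smi carries a 0. */
#define PAGE_SIZE_BYTES            ((uintptr_t)1 << 20)
#define HEAP_OBJECT_TAG            ((uintptr_t)1)
#define FLAG_EVACUATION_CANDIDATE  10   /* flag=10 as seen in frame #0 */

typedef struct {
    uintptr_t base;   /* page-aligned start of the chunk */
    uintptr_t flags;  /* bit set, in the role of MemoryChunk::flags_ */
} chunk_t;

/* Constructed page table: a single chunk modelled on page=0x7fde75600000
 * from frame #10, with the evacuation-candidate bit set for illustration. */
static const chunk_t known_chunks[] = {
    { 0x7fde75600000ULL, (uintptr_t)1 << FLAG_EVACUATION_CANDIDATE },
};
#define NUM_KNOWN_CHUNKS (sizeof known_chunks / sizeof known_chunks[0])

/* Tag test: only tagged heap-object pointers are expected to live on a page. */
bool is_heap_object(uintptr_t tagged) {
    return (tagged & HEAP_OBJECT_TAG) == HEAP_OBJECT_TAG;
}

/* Same arithmetic as MemoryChunk::FromAddress: drop the in-page offset. */
uintptr_t chunk_from_address(uintptr_t addr) {
    return addr & ~(PAGE_SIZE_BYTES - 1);
}

/* Resolve the masked base against the known pages instead of trusting it. */
const chunk_t *lookup_chunk(uintptr_t addr) {
    uintptr_t base = chunk_from_address(addr);
    for (size_t i = 0; i < NUM_KNOWN_CHUNKS; i++)
        if (known_chunks[i].base == base) return &known_chunks[i];
    return NULL;
}

/* Guarded counterpart of IsEvacuationCandidate: 1 / 0 for a resolvable
 * pointer, -1 when the masked chunk belongs to no mapped page (the case
 * that segfaults in frame #0 of the trace). */
int evacuation_candidate_checked(uintptr_t tagged) {
    if (!is_heap_object(tagged)) return 0;     /* Smi: never on a page */
    const chunk_t *c = lookup_chunk(tagged);
    if (c == NULL) return -1;                  /* bogus embedded pointer */
    return (c->flags & ((uintptr_t)1 << FLAG_EVACUATION_CANDIDATE)) != 0;
}
```

Feeding the trace's own values through this shows why the fault lands where it does: 0x31111a59 is tagged like a heap object, masks to 0x31100000, and that base matches no page, so a checked verifier reports a bad pointer instead of dereferencing flags_ at an unmapped address.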