and the value of "this" when you hit the FATAL()

On Tue, Apr 12, 2016 at 7:33 PM Jochen Eisinger <joc...@chromium.org> wrote:

> Could you post a stack trace that leads to the FATAL()?
>
> On Tue, Apr 12, 2016 at 7:27 PM Ben Noordhuis <i...@bnoordhuis.nl> wrote:
>
>> On Tue, Apr 12, 2016 at 7:11 PM,  <benjamin.pas...@gmail.com> wrote:
>> > Hi,
>> >
>> > we (Microsoft VS Code team) are tracking down a very weird native crash in
>> > our use of node.js (5.10.0, V8 46) that only ever shows up since we updated
>> > from node.js 4.x (V8 45). It seems that changes (around the Garbage
>> > Collector?) in V8 46 have an impact on the crash.
>> >
>> > Specifically, we are using the node-weak module
>> > (https://github.com/TooTallNate/node-weak) to be able to get weak references
>> > onto JavaScript objects. This used to work relatively well in node.js 4.x,
>> > but with node.js 5.x we suddenly get the entire node.js program to terminate
>> > with a fatal crash.
>> >
>> > Today we were finally able to track the location of where the crash
>> > originates and it seems to happen when our application simply calls into a
>> > property of the object that is weakly referenced. This call at one point
>> > reaches the following assertion:
>> >
>> > void Object::VerifyApiCallResultType() {
>> > #if DEBUG
>> >   if (!(IsSmi() || IsString() || IsSymbol() || IsSpecObject() ||
>> >         IsHeapNumber() || IsSimd128Value() || IsUndefined() || IsTrue() ||
>> >         IsFalse() || IsNull())) {
>> >     FATAL("API call returned invalid object");
>> >   }
>> > #endif  // DEBUG
>> > }
>> >
>> >
>> > The process terminates from the FATAL call, as none of the previous checks
>> > in this method hold.
>> >
>> >
>> > Now, the interesting question is: How would it be possible to have a JS
>> > object where calling properties on it would fail in such a fatal way? It
>> > seems to us that the object we are calling a property on is a pointer to a
>> > location in memory where no V8 object exists anymore. It almost seems that
>> > the object was garbage collected (or moved to another address?) without the
>> > JS side (or more specifically the node-weak side) getting to know.
>> >
>> >
>> > Since this only reproduces with using node-weak, it seems very likely that
>> > there is an issue with either node-weak or NAN. In fact, node-weak is
>> > calling into SetWeak()
>> > (https://github.com/TooTallNate/node-weak/blob/master/src/weakref.cc#L174)
>> > and relies on the fact that the callback passed in is triggered and maybe
>> > this callback is not triggered anymore in a sync fashion but rather async?
>> >
>> > I would appreciate some pointers if there is something that could have
>> > probably changed in V8 46 that could have an impact on this.
>>
>> If you have a simple test case (stress on 'simple'), I'll have a look.
>>
>> --
>> --
>> v8-dev mailing list
>> v8-dev@googlegroups.com
>> http://groups.google.com/group/v8-dev
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "v8-dev" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to v8-dev+unsubscr...@googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
>>
>
