Hi,

We develop a Chromium-based product and frequently receive renderer crash dumps from our users with a segfault in the function v8::internal::SlotSet::Iterate(). We had this crash in previous versions, but it became very frequent in the version based on Chromium 66.

Crash occurs here: https://cs.chromium.org/chromium/src/v8/src/heap/slot-set.h?g=0&l=206

Crashed thread stack: https://pastebin.com/raw/ZDNCfsiX

Main thread stack: https://pastebin.com/raw/G6N40V7w

Also, I have done some disassembly and have extracted V8 heap page fragments from some of our crash dumps: https://pastebin.com/raw/TdxQEwLB

EBX points to the slot with the broken pointer (enclosed by parentheses in the memory dumps), and the crashes were caused by access to the memory pointed to by this pointer.

Unfortunately, we can't reproduce this crash locally. Can anyone take a brief look at these heap fragments? Maybe we can extract some additional information that can help to understand what's going wrong? Or maybe there is already a known crash with this signature?

Thanks,
Alexander Timokhin, Yandex LLC.