On Thu, Dec 26, 2019 at 2:53 PM Jeroen Ooms <[email protected]> wrote:
>
> On Thu, Dec 26, 2019 at 10:36 AM Ben Noordhuis <[email protected]> wrote:
> >
> > On Mon, Dec 23, 2019 at 11:42 PM Jeroen Ooms <[email protected]> wrote:
> > >
> > > Hi!
> > >
> > > I maintain v8 bindings for the R programming language. As of recently (I
> > > think 7.9) we started getting segfaults at calls to IsUndefined() and
> > > IsNull(). The problem has gotten more prevalent in 8.1. We've encountered
> > > this both on MacOS and Arch Linux.
> > >
> > > To produce a minimal example, simply take the official hello-world.cc and
> > > add something like:
> > >
> > >   if(result->IsUndefined()){
> > >     printf("value is undefined!");
> > >   }
> > >
> > > Attached a full sample program. Same problem happens for IsNull() and
> > > IsNullOrUndefined(). It does not crash when we compile with
> > > -DV8_ENABLE_CHECKS which enables an alternative implementation of
> > > IsUndefined.
> >
> > Your test case looks okay to me. With what specific version(s) are you
> > seeing this, does it also reproduce with a debug build of V8 and what
> > does `result` contain when you inspect it in gdb or lldb? What does
> > the backtrace look like in the debug build?
>
> Thanks. I'm working from the master branch now (but I think the bug was
> introduced around 7.9). It crashes here:
>
> Process 25330 stopped
> * thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS
> (code=1, address=0x708040ef8)
>     frame #0: 0x0000000100001145 a.out`main [inlined]
> v8::internal::Internals::GetInstanceType(obj=47996394545225) at
> v8-internal.h:233:12
>    230    V8_INLINE static int GetInstanceType(const internal::Address obj) {
>    231      typedef internal::Address A;
>    232      A map = ReadTaggedPointerField(obj, kHeapObjectMapOffset);
> -> 233      return ReadRawField<uint16_t>(map, kMapInstanceTypeOffset);
>    234    }
>    235
>    236    V8_INLINE static int GetOddballKind(const internal::Address obj) {
> Target 0: (a.out) stopped.
>
> (lldb) bt
> * thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS
> (code=1, address=0x708040ef8)
>   * frame #0: 0x0000000100001145 a.out`main [inlined]
> v8::internal::Internals::GetInstanceType(obj=47996394545225) at
> v8-internal.h:233:12
>     frame #1: 0x00000001000010e4 a.out`main [inlined]
> v8::Value::QuickIsUndefined(this=0x0000000104857860) const at v8.h:11310
>     frame #2: 0x00000001000010a0 a.out`main [inlined]
> v8::Value::IsUndefined(this=0x0000000104857860) const at v8.h:11301
>     frame #3: 0x00000001000010a0 a.out`main(argc=1, argv=0x00007ffeefbff988)
> at hello-crash.cc:53
>     frame #4: 0x00007fff667df7fd libdyld.dylib`start + 1
>     frame #5: 0x00007fff667df7fd libdyld.dylib`start + 1
obj=47996394545225 in frame #0 is 0x2ba7080c2049, which looks like a valid
heap object (heap objects have bit 0 set; if it's clear, it's a tagged
integer.) It crashes when trying to read the heap object's map (a.k.a.
hidden class), the meta-object that describes its "shape."

Is it possible that you're compiling your test program with a different
v8.h than the one V8 itself was built with? My first hunch is that the
offsets into the object header somehow don't match up. How are you
building V8 and how are you compiling and linking the test program?

--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
To view this discussion on the web visit https://groups.google.com/d/msgid/v8-dev/CAHQurc-oord3oSnMLk%2B7-hfA0aphns2p6uPPtECdL2PHU932_g%40mail.gmail.com.
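An added illustration of the tagging and map-lookup scheme described in the reply above (example code written for this page, not code from V8 or from the R bindings). The two tag constants follow the scheme as stated in the thread (bit 0 set = heap object, clear = small integer); everything else is an assumption of the model: a 64-bit Smi layout with the payload in the upper 32 bits, a toy byte arena standing in for the heap, and made-up header offsets (`kModelMapOffset`, `kModelInstanceTypeOffset`) that are not V8's real layout. The last two calls in `main` show what the "different v8.h" hunch looks like: the same two-step lookup with an instance-type offset that does not match the layout the heap was built with reads the wrong field, and once the offset leaves the object it becomes an invalid read (reported as -1 here instead of faulting).

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Tagging scheme as described in the reply above: bit 0 set means the value is a
// pointer to a heap object, bit 0 clear means it is a small integer (Smi).
constexpr uint64_t kHeapObjectTag = 1;
constexpr uint64_t kHeapObjectTagMask = 1;
// Assumed 64-bit Smi layout for this model: the integer payload sits in the upper 32 bits.
constexpr int kSmiShift = 32;

bool HasHeapObjectTag(uint64_t tagged) {
  return (tagged & kHeapObjectTagMask) == kHeapObjectTag;
}
uint64_t UntagHeapObject(uint64_t tagged) { return tagged - kHeapObjectTag; }
int32_t SmiValue(uint64_t tagged) {
  return static_cast<int32_t>(static_cast<int64_t>(tagged) >> kSmiShift);
}

// Toy heap: a byte arena in which "addresses" are byte offsets. Reads and writes
// are bounds-checked so an offset mismatch reports an error instead of faulting.
struct ToyHeap {
  std::vector<uint8_t> bytes;
  template <typename T>
  bool Write(uint64_t addr, T value) {
    if (addr > bytes.size() || bytes.size() - addr < sizeof(T)) return false;
    std::memcpy(&bytes[addr], &value, sizeof(T));
    return true;
  }
  template <typename T>
  bool Read(uint64_t addr, T* out) const {
    if (addr > bytes.size() || bytes.size() - addr < sizeof(T)) return false;
    std::memcpy(out, &bytes[addr], sizeof(T));
    return true;
  }
};

// Modelled header layout (an assumption for this example, not V8's real offsets):
//   object: [map pointer (8 bytes)] ...
//   map:    [meta-map pointer (8 bytes)][instance type (uint16_t)] ...
constexpr int kModelMapOffset = 0;
constexpr int kModelInstanceTypeOffset = 8;

// Mirrors the two-step lookup in the backtrace: read the object's map pointer, then
// read the instance type inside the map. Returns -1 for a Smi or an out-of-arena read.
int GetInstanceType(const ToyHeap& heap, uint64_t tagged_obj, int instance_type_offset) {
  if (!HasHeapObjectTag(tagged_obj)) return -1;  // a Smi has no map to read
  uint64_t tagged_map = 0;
  if (!heap.Read(UntagHeapObject(tagged_obj) + kModelMapOffset, &tagged_map)) return -1;
  if (!HasHeapObjectTag(tagged_map)) return -1;
  uint16_t type = 0;
  if (!heap.Read(UntagHeapObject(tagged_map) + instance_type_offset, &type)) return -1;
  return type;
}

// Constructed sample heap: one map with instance type 0x83 (an arbitrary constructed
// value) at arena offset 0 and one object at offset 32 whose map pointer refers to it.
// Returns the object's tagged pointer.
uint64_t BuildSampleHeap(ToyHeap* heap) {
  heap->bytes.assign(64, 0);
  const uint64_t map_addr = 0;
  const uint64_t obj_addr = 32;
  heap->Write<uint64_t>(map_addr + kModelMapOffset, map_addr + kHeapObjectTag);  // the map's own map
  heap->Write<uint16_t>(map_addr + kModelInstanceTypeOffset, 0x83);
  heap->Write<uint64_t>(obj_addr + kModelMapOffset, map_addr + kHeapObjectTag);
  return obj_addr + kHeapObjectTag;
}

int main() {
  // The obj value from frame #0 of the trace: bit 0 set, so it is a heap object pointer.
  const uint64_t obj_from_trace = 47996394545225ULL;
  std::printf("obj=%llu -> 0x%llx, heap object: %s\n",
              (unsigned long long)obj_from_trace, (unsigned long long)obj_from_trace,
              HasHeapObjectTag(obj_from_trace) ? "yes" : "no");

  ToyHeap heap;
  uint64_t obj = BuildSampleHeap(&heap);
  std::printf("instance type with matching offset:     %d\n",
              GetInstanceType(heap, obj, kModelInstanceTypeOffset));
  // A header compiled against a different layout reads the wrong field (here a zeroed
  // slot) or, once the offset leaves the object, an invalid address.
  std::printf("instance type with mismatched offset:   %d\n",
              GetInstanceType(heap, obj, kModelInstanceTypeOffset + 4));
  std::printf("instance type with out-of-range offset: %d\n",
              GetInstanceType(heap, obj, 63));
  return 0;
}
```

The bounds check in `ToyHeap::Read` is what turns the EXC_BAD_ACCESS from the trace into a reported error in this model; in a real build there is no such check on the hot path, which is why a header/library layout mismatch surfaces as a crash inside `GetInstanceType` rather than as a type error at compile time.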
