Hi V8 Dev,

I'd like to report a potential bug in ConcurrentMarking::RunMajor().

*Fatal Error*
#
# Fatal error in , line 0
# Check failed: !IsFreeSpaceOrFillerMap(map).
#
#
#
#FailureMessage Object: 00000083D21FF440
==== C stack trace ===============================
  CrashForExceptionInNonABICompliantCodeRange [0x00007FFF4AA557BB+1514667]
  (No symbol) [0x00007FFF4A77D497]
  (No symbol) [0x00007FFF4A820BBA]
  CrashForExceptionInNonABICompliantCodeRange [0x00007FFF4AB234A1+2357649]
  CrashForExceptionInNonABICompliantCodeRange [0x00007FFF4AB3AB62+2453586]
  CrashForExceptionInNonABICompliantCodeRange [0x00007FFF4AA570A6+1521046]
  CrashForExceptionInNonABICompliantCodeRange [0x00007FFF4AA5A466+1534294]

*Reproduce*

   1. Set max heap size to 8096
   2. Start thread 1 and execute the following JS code.
   var a = [];
   for (let i = 0; i < 100000000; i++) {
     a.push({test:'test'});
   }
   3. Start thread 2 and call v8Isolate->GetHeapStatistics() periodically.
   
There is a high chance that V8 will crash with the fatal error posted above.

*Analysis*
I reviewed the source code of 12.5.227.6 and found there is only one call 
to IsFreeSpaceOrFillerMap() inside ConcurrentMarking::RunMajor() as follows.
[image: 01.png]

It seems this check is not always valid when that V8 isolate is busy 
allocating memory. It used to work well before this check was added.

Please check this issue out.

Thank you,
Sam

-- 
v8-dev mailing list
v8-dev@googlegroups.com
http://groups.google.com/group/v8-dev
To view this discussion on the web visit 
https://groups.google.com/d/msgid/v8-dev/73909b1a-6ab5-4014-bdf2-9b2be2a253bdn%40googlegroups.com.