[v8-dev] Re: Check failed: !IsFreeSpaceOrFillerMap(map) in 12.5.227.6

Fri, 07 Jun 2024 00:54:24 -0700 

Hi,

I cannot reproduce this crash locally (neither on 12.5.227.6 nor on 
tip-of-tree). I suspect what's going on here is that you are using 
GetHeapStatistics from a second thread which is not supported. This likely 
causes this particular CHECK failure. The fix for this would be to invoke 
GetHeapStatistics on thread 1 as well.

Cheers,
Dominik


On Friday, June 7, 2024 at 6:22:01 AM UTC+2 sjtuc...@gmail.com wrote:

> Hi V8 Dev,
>
> I'd like to report a potential bug in ConcurrentMarking::RunMajor().
>
> *Fatal Error*
> #
> # Fatal error in , line 0
> # Check failed: !IsFreeSpaceOrFillerMap(map).
> #
> #
> #
> #FailureMessage Object: 00000083D21FF440
> ==== C stack trace ===============================
>   CrashForExceptionInNonABICompliantCodeRange [0x00007FFF4AA557BB+1514667]
>   (No symbol) [0x00007FFF4A77D497]
>   (No symbol) [0x00007FFF4A820BBA]
>   CrashForExceptionInNonABICompliantCodeRange [0x00007FFF4AB234A1+2357649]
>   CrashForExceptionInNonABICompliantCodeRange [0x00007FFF4AB3AB62+2453586]
>   CrashForExceptionInNonABICompliantCodeRange [0x00007FFF4AA570A6+1521046]
>   CrashForExceptionInNonABICompliantCodeRange [0x00007FFF4AA5A466+1534294]
>
> *Reproduce*
>
>    1. Set max heap size to 8096
>    2. Start thread 1 and execute the following JS code.
>    var a = [];
>    for (let i = 0; i < 100000000; i++) {
>      a.push({test:'test'});
>    }
>    3. Start thread 2 and call v8Isolate->GetHeapStatistics() periodically.
>    
> There is a high chance that V8 will crash with the fatal error posted 
> above.
>
> *Analysis*
> I reviewed the source code of 12.5.227.6 and found there is only one call 
> to IsFreeSpaceOrFillerMap() inside ConcurrentMarking::RunMajor() as follows.
> [image: 01.png]
>
> It seems this check is not always valid when that V8 isolate is busy 
> allocating memory. It used to be working well before this check was added.
>
> Please check this issue out.
>
> Thank you,
> Sam
>

-- 
-- 
v8-dev mailing list
v8-dev@googlegroups.com
http://groups.google.com/group/v8-dev
--- 
You received this message because you are subscribed to the Google Groups 
"v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to v8-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/v8-dev/ccc234dc-3c46-48b3-a514-e6d097d79d33n%40googlegroups.com.

Reply via email to