On Tuesday, April 8, 2025 at 2:58:37 AM UTC-4 *oli wrote:

> Hi Dan,
>
> thanks for reporting the issue here. Please refer to this comment https://github.com/v8/v8/blob/main/src/sandbox/js-dispatch-table.h#L110 to understand how the JSDispatch table uses an ad-hoc compression of this particular pointer to recycle 16 of its bits for other purposes. Without digging in the code myself I cannot help you with a comprehensive list of what we assume about pointers in general.

I see nothing in the ascii diagram shown here to indicate the upper 16 bits are used as an "in free list" tag. Only here: https://github.com/v8/v8/blob/9496dfe5ee0b79684e202514d37663afcb5f49b5/src/sandbox/js-dispatch-table.h#L81 is the upper-16-bits even hinted at, and to a new reader, it is opaque at best. As I'll mention in the gerrit below, I have a smaller fix (in the context of Node) that focusses on this, but I do wonder if, upon turning a free-list-entry into a real pointer, the proper upper-bits get recovered.

> AIX ran into the same issue. There is currently a CL in review to address it in their case: https://chromium-review.googlesource.com/c/v8/v8/+/6320599 . Maybe you can try that one and comment if it works for illumos. If it doesn't it would be good if you can directly work with them on that CL to find a solution that works for both OSs.

I'm looking at it now, and will have things to say, thank you!

Dan

-- 
v8-dev mailing list
http://groups.google.com/group/v8-dev
To view this discussion visit https://groups.google.com/d/msgid/v8-dev/3dd1c6cb-b06d-4de7-952e-e6b612506529n%40googlegroups.com.
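The portability hazard the thread circles around, as an added illustration that is not V8's code and uses a hypothetical layout (low 48 bits for the address, upper 16 bits for a tag such as a free-list marker): packing a tag into the upper bits only round-trips when the platform never hands out addresses with those bits set, so a fit check belongs next to the pack step. The sample addresses are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical tagged-word layout (not V8's): low 48 bits carry the address,
 * the top 16 bits carry a tag, e.g. an "entry is on the free list" marker. */
#define ADDR_BITS 48
#define ADDR_MASK ((1ULL << ADDR_BITS) - 1)
#define TAG_SHIFT ADDR_BITS
#define TAG_FREE  0x0001u

/* True when the address can be stored in the low 48 bits without loss. */
bool addr_fits(uint64_t addr) {
    return (addr & ~ADDR_MASK) == 0;
}

/* Pack address and tag. Refuses (ok = false, returns 0) instead of silently
 * truncating an address whose upper 16 bits are in use. */
uint64_t pack(uint64_t addr, uint16_t tag, bool *ok) {
    if (!addr_fits(addr)) { *ok = false; return 0; }
    *ok = true;
    return ((uint64_t)tag << TAG_SHIFT) | (addr & ADDR_MASK);
}

uint64_t unpack_addr(uint64_t word) { return word & ADDR_MASK; }
uint16_t unpack_tag(uint64_t word)  { return (uint16_t)(word >> TAG_SHIFT); }

/* Round-trip check: true only if both the address and the tag come back
 * exactly. An address with non-zero upper bits cannot pass. */
bool roundtrips(uint64_t addr, uint16_t tag) {
    bool ok;
    uint64_t w = pack(addr, tag, &ok);
    return ok && unpack_addr(w) == addr && unpack_tag(w) == tag;
}

int main(void) {
    /* Constructed samples: a typical 47-bit user-space pointer, and one with
     * its upper 16 bits set, the shape of address the thread reports breaking
     * on AIX and illumos. */
    uint64_t low  = 0x00007f1234567800ULL;
    uint64_t high = 0xa00000000abcd000ULL;
    printf("low  round-trips: %d\n", roundtrips(low, TAG_FREE));   /* 1 */
    printf("high round-trips: %d\n", roundtrips(high, TAG_FREE));  /* 0 */
    return 0;
}
```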
