Status: Accepted
Owner: erik.corry
Labels: Type-Bug Priority-Medium

New issue 2003 by erik.corry: Crash in PrepareElementsForSort
http://code.google.com/p/v8/issues/detail?id=2003

There is a reasonably frequent crash in Chrome where PrepareElementsForSort falls over an element in the array that is on an unmapped page.

The elements array is a regular fixed array that contains some holes, but no Smis. The IsTheHole() test looks up the map, which fails when the object is on an unmapped page. The unmapped page is not part of new space. The elements in the fixed array do not appear to be heap numbers (at least not exclusively).

This is seen on both Mac and Windows.

It starts on 18.0.1025.45 where it is seen infrequently. It is frequent starting with the next version, 18.0.1025.54 and since then. It is never seen on the 18 branch in 18.0.1025.39 or earlier.

On the 17 branch it is very infrequent and only appears once the 17 branch is released to stable, probably just bad hardware. Some of the stack signatures look rather different to the ones on 18.

--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev

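Added illustration (not code from the bug, from V8, or from the reporter): the C program below models the failure mode the report describes with a constructed toy object layout. A "fixed array" holds a hole sentinel and a heap number, the heap number is placed on its own mmap'd page, and that page is unmapped so the second element dangles. A hole check that reads the element's map then faults on the dangling element, while a pointer-identity comparison against the hole singleton does not. The identity check is included only to isolate which access faults; it is not a fix for a heap that contains dangling element pointers, and the post does not state what the root cause was. All names (Map, Object, the_hole_map, is_hole_by_map, is_hole_by_identity, map_check_faults, run_unmapped_element_scenario) are invented for this example.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON   /* BSD/macOS spelling */
#endif

/* Toy heap layout, constructed for this example (not V8's real object
 * model): every heap object begins with a pointer to its map. */
typedef struct Map { const char *name; } Map;
typedef struct Object { const Map *map; } Object;

static const Map the_hole_map = { "the_hole" };
static const Map heap_number_map = { "heap_number" };
static Object the_hole = { &the_hole_map };  /* singleton hole sentinel */

/* Modelled on the check the post describes: reads the element's map, so it
 * touches whatever memory the element pointer refers to. */
static int is_hole_by_map(const Object *obj) {
    return obj->map == &the_hole_map;
}

/* Pointer-identity check: never dereferences the element. It only shows
 * where the fault comes from; a dangling pointer is still a bug. */
static int is_hole_by_identity(const Object *obj) {
    return obj == &the_hole;
}

/* Catch the fault instead of dying so the behaviour can be asserted on. */
static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Returns 1 if is_hole_by_map(obj) raises SIGSEGV/SIGBUS, 0 if it runs. */
static int map_check_faults(const Object *obj) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    volatile int faulted = 1;
    if (sigsetjmp(fault_env, 1) == 0) {
        volatile int r = is_hole_by_map(obj);  /* load of obj->map happens here */
        (void)r;
        faulted = 0;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

/* Build a two-element "fixed array": a hole and a heap number living on its
 * own mmap'd page. Unmap that page so elements[1] dangles, then probe both
 * checks. Returns 1 when the map-reading check faults on the dangling
 * element and the identity check does not, 0 otherwise, -1 if mmap fails. */
static int run_unmapped_element_scenario(void) {
    long page = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;

    Object *num = (Object *)p;
    num->map = &heap_number_map;
    Object *elements[2] = { &the_hole, num };

    /* While the page is mapped, both checks agree on both elements. */
    int before_ok = is_hole_by_map(elements[0]) && !is_hole_by_map(elements[1])
                 && is_hole_by_identity(elements[0]) && !is_hole_by_identity(elements[1]);

    munmap(p, (size_t)page);   /* elements[1] now points into an unmapped page */

    int map_faults = map_check_faults(elements[1]);
    int identity_result = is_hole_by_identity(elements[1]);  /* no dereference */

    return before_ok && map_faults && identity_result == 0;
}

int main(void) {
    int r = run_unmapped_element_scenario();
    printf("map-reading hole check faults on dangling element: %s\n",
           r == 1 ? "yes" : "no");
    return r == 1 ? 0 : 1;
}
```

The scenario is the one the report describes from the crash dumps: the array itself is intact and readable, and the fault comes from following one of its element pointers into a page that is no longer mapped. In a real engine the question is therefore how a stale pointer survived in the elements array, not how the hole test is written.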