[v8-dev] Issue 3322 in v8: Segmentation fault in GC (debug mode) with an invalid thread->context_

[codesite-noreply via v8-dev]

Status: New
Owner: ----

New issue 3322 by mjju...@gmail.com: Segmentation fault in GC (debug mode)  
with an invalid thread->context_
http://code.google.com/p/v8/issues/detail?id=3322
We got the following segfault when V8 was doing the GC. This segfault could  
be recreated, and the stacks always ends at  
v8::internal::HeapObject::map_word(this=0x79). Please see the backtrace at  
the bottom.

The invalid memory address comes from the thread->context_ (at frame 5).  
The pointer thread->context_ is invalid, and it is always 0x79 in the debug  
build (but the invalid address in the release build changes from time to  
time). The context_ became invalid after around 40 minutes.

1) This issue is found with v8-3.22.24.19. We can create this at will.  It  
takes about 40 minutes to get it to fail.  We are running with several  
isolates, and several scripts running in parallel.

2) We are trying to reduce our environment to something that we can provide  
you, but that will be difficult as there are several layers involved.  In  
the mean time, are there any traces or dumps or other information that we  
can gather to help you resolve or make progress on this bug?

==
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffed5bd700 (LWP 6487)]
0x00007ffff6a36028 in v8::internal::HeapObject::map_word (this=0x79)  
at ../src/objects-inl.h:1225
1225	  return MapWord(reinterpret_cast<uintptr_t>(READ_FIELD(this,  
kMapOffset)));
(gdb) bt
#0  0x00007ffff6a36028 in v8::internal::HeapObject::map_word (this=0x79)  
at ../src/objects-inl.h:1225
#1  0x00007ffff6a36002 in v8::internal::HeapObject::map (this=0x79)  
at ../src/objects-inl.h:1204
#2  0x00007ffff6cc1950 in v8::internal::ShortCircuitConsString  
(p=0x7fff923ab170) at ../src/mark-compact.cc:1315
#3  0x00007ffff6cc37cb in  
v8::internal::RootMarkingVisitor::MarkObjectByPointer (this=0x7fffed5bbca0,  
p=0x7fff923ab170) at ../src/mark-compact.cc:1825
#4  0x00007ffff6cc3749 in v8::internal::RootMarkingVisitor::VisitPointer  
(this=0x7fffed5bbca0, p=0x7fff923ab170) at ../src/mark-compact.cc:1813
#5  0x00007ffff6c733a4 in v8::internal::Isolate::Iterate  
(this=0x7fff923a8008, v=0x7fffed5bbca0, thread=0x7fff923ab168)  
at ../src/isolate.cc:480
#6  0x00007ffff6c735bd in v8::internal::Isolate::Iterate  
(this=0x7fff923a8008, v=0x7fffed5bbca0) at ../src/isolate.cc:507
#7  0x00007ffff6bc0544 in v8::internal::Heap::IterateStrongRoots  
(this=0x7fff923a8018, v=0x7fffed5bbca0,  
mode=v8::internal::VISIT_ONLY_STRONG) at ../src/heap.cc:6428
#8  0x00007ffff6cc4501 in v8::internal::MarkCompactCollector::MarkRoots  
(this=0x7fff923aac28, visitor=0x7fffed5bbca0) at ../src/mark-compact.cc:2103
#9  0x00007ffff6cc52fb in  
v8::internal::MarkCompactCollector::MarkLiveObjects (this=0x7fff923aac28)  
at ../src/mark-compact.cc:2355
#10 0x00007ffff6cbec66 in  
v8::internal::MarkCompactCollector::CollectGarbage (this=0x7fff923aac28)  
at ../src/mark-compact.cc:410
#11 0x00007ffff6bb0888 in v8::internal::Heap::MarkCompact  
(this=0x7fff923a8018, tracer=0x7fffed5bbee0) at ../src/heap.cc:1128
#12 0x00007ffff6bb0049 in v8::internal::Heap::PerformGarbageCollection  
(this=0x7fff923a8018, collector=v8::internal::MARK_COMPACTOR,  
tracer=0x7fffed5bbee0) at ../src/heap.cc:977
#13 0x00007ffff6baf41b in v8::internal::Heap::CollectGarbage  
(this=0x7fff923a8018, space=v8::internal::OLD_POINTER_SPACE,  
collector=v8::internal::MARK_COMPACTOR,  
gc_reason=0x7ffff6f73080 "StackGuard GC request",
    collector_reason=0x7ffff6f9108f "GC in old space requested")  
at ../src/heap.cc:713
#14 0x00007ffff6a3a2a1 in v8::internal::Heap::CollectGarbage  
(this=0x7fff923a8018, space=v8::internal::OLD_POINTER_SPACE,  
gc_reason=0x7ffff6f73080 "StackGuard GC request") at ../src/heap-inl.h:516
#15 0x00007ffff6baefea in v8::internal::Heap::CollectAllGarbage  
(this=0x7fff923a8018, flags=0, gc_reason=0x7ffff6f73080 "StackGuard GC  
request") at ../src/heap.cc:615
#16 0x00007ffff6b361b1 in  
v8::internal::Execution::HandleStackGuardInterrupt (isolate=0x7fff923a8008)  
at ../src/execution.cc:929
#17 0x00007ffff6daaef9 in v8::internal::__RT_impl_Runtime_Interrupt  
(args=..., isolate=0x7fff923a8008) at ../src/runtime.cc:9465
#18 0x00007ffff6daae86 in v8::internal::Runtime_Interrupt (args_length=0,  
args_object=0x7fffed5bc1a8, isolate=0x7fff923a8008)  
at ../src/runtime.cc:9462
#19 0x000000004080824e in ?? ()
#20 0x00000000408081a1 in ?? ()
   ....
#94 0x0000000000000000 in ?? ()
(gdb) f 5
#5  0x00007ffff6c733a4 in v8::internal::Isolate::Iterate  
(this=0x7fff923a8008, v=0x7fffed5bbca0, thread=0x7fff923ab168)  
at ../src/isolate.cc:480
480       v->VisitPointer(BitCast<Object**>(&(thread->context_)));
(gdb) list
475         v->VisitPointer(&pending);
476         thread->pending_exception_ = pending;  // In case GC updated it.
477       }
478       v->VisitPointer(&(thread->pending_message_obj_));
479	   
v->VisitPointer(BitCast<Object**>(&(thread->pending_message_script_)));
480       v->VisitPointer(BitCast<Object**>(&(thread->context_)));
481       Object* scheduled;
482       if (thread->scheduled_exception_->ToObject(&scheduled)) {
483         v->VisitPointer(&scheduled);
484         thread->scheduled_exception_ = scheduled;
(gdb) p (thread->context_)
$13 = (v8::internal::Context *) 0x79
(gdb) p &(thread->pending_message_script_)
$14 = (v8::internal::Object **) 0x7fff923ab198
(gdb) p thread
$15 = (v8::internal::ThreadLocalTop *) 0x7fff923ab168
(gdb) p *thread
$16 = {
  <v8::internal::Embedded> = {<No data fields>},
  members of v8::internal::ThreadLocalTop:
  isolate_ = 0x7fff923a8008,
  context_ = 0x79,
  thread_id_ = {
    static kInvalidId = -1,
    id_ = 1,
    static highest_thread_id_ = 13
  },
  pending_exception_ = 0x31d7a2704141,
  has_pending_message_ = false,
  rethrowing_message_ = false,
  pending_message_obj_ = 0x31d7a2704141,
  pending_message_script_ = 0x31d7a2704141,
  pending_message_start_pos_ = 124,
  pending_message_end_pos_ = 125,
  scheduled_exception_ = 0x31d7a2704141,
  external_caught_exception_ = false,
  save_context_ = 0x7fffed5bc4c0,
  catcher_ = 0x0,
  c_entry_fp_ = 0x7fffed5bc1a0 "\310\301[\355\377\177",
  handler_ = 0x7fffed5bc400 "",
  js_entry_sp_ = 0x7fffed5bc470 "\260\305[\355\377\177",
  external_callback_scope_ = 0x0,
  current_vm_state_ = v8::internal::GC,
  formal_count_ = 1397965275,
  failed_access_check_callback_ = 0x0,
  top_lookup_result_ = 0x0,
  ignore_out_of_memory_ = true,
  try_catch_handler_address_ = 0x7fffed5bc7a0 "\b\200:\222\377\177"
}


--
You received this message because this project is configured to send all  
issue notifications to this address.
You may adjust your notification preferences at:
https://code.google.com/hosting/settings

--
--
v8-dev mailing list
v8-dev@googlegroups.com
http://groups.google.com/group/v8-dev
--- 
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to v8-dev+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.