Tab hang on infinite loop when executing script code (V8)
Reported by vyachesl...@innowate.com, Apr 22 2016
Issue description

Chrome Version: 50.0.2661.87 m
URLs (if applicable): https://apps.facebook.com/cloudraiders/
Other browsers tested:
Firefox: OK
IE: OK
Chrome: OK (version 49 x86)
Chrome: OK (version 50 x64)
Chrome Beta: OK (version 51 x86)
Chrome Beta: OK (version 51 x64)

What steps will reproduce the problem?
(1) Follow the link (Facebook login required)
(2) Wait for the app to load

What is the expected result?
App should load

What happens instead?
Google Chrome tab hangs on infinite loop when executing script code. Minidump of the hang is attached. Since the issue is fixed in the upcoming Beta, hopefully you can back-port the fix to the 50.0.* version.

Call stack:
> 37a3400f()
133184bc()
37a22563()
0e311ff4()
0a9dac59()
0a9daafc()
26a327a0()
39c0e95e()
0a9d9e0c()
26a6024c()
3ea38ad6()
39c0e95e()
39c30001()
39c1e33f()
chrome_child.dll!v8::internal::`anonymous namespace'::Invoke(v8::internal::Isolate * isolate, bool is_construct, v8::internal::Handle<v8::internal::Object> target, v8::internal::Handle<v8::internal::Object> receiver, int argc, v8::internal::Handle<v8::internal::Object> * args, v8::internal::Handle<v8::internal::Object> new_target) Line 99 C++
chrome_child.dll!v8::internal::Execution::Call(v8::internal::Isolate * isolate, v8::internal::Handle<v8::internal::Object> callable, v8::internal::Handle<v8::internal::Object> receiver, int argc, v8::internal::Handle<v8::internal::Object> * argv) Line 164 + 0x1f bytes C++
chrome_child.dll!v8::Function::Call(v8::Local<v8::Context> context, v8::Local<v8::Value> recv, int argc, v8::Local<v8::Value> * argv) Line 4391 + 0x19 bytes C++
chrome_child.dll!blink::V8ScriptRunner::callFunction(v8::Local<v8::Function> function, blink::ExecutionContext * context, v8::Local<v8::Value> receiver, int argc, v8::Local<v8::Value> * args, v8::Isolate * isolate) Line 466 C++
chrome_child.dll!blink::V8FrameRequestCallback::handleEvent(double highResTime) Line 52 + 0x5f bytes C++
chrome_child.dll!blink::FrameRequestCallbackCollection::executeCallbacks(double highResNowMs, double highResNowMsLegacy) Line 68 C++
chrome_child.dll!blink::ScriptedAnimationController::executeCallbacks(double monotonicTimeNow) Line 141 C++
chrome_child.dll!blink::ScriptedAnimationController::serviceScriptedAnimations(double monotonicTimeNow) Line 172 C++
chrome_child.dll!blink::PageAnimator::serviceScriptedAnimations(double monotonicAnimationStartTime) Line 46 C++
chrome_child.dll!blink::PageWidgetDelegate::animate(blink::Page & page, double monotonicFrameBeginTime) Line 57 + 0x14 bytes C++
chrome_child.dll!blink::WebViewImpl::beginFrame(double lastFrameTimeMonotonic) Line 1953 + 0x14 bytes C++
chrome_child.dll!content::RenderWidget::BeginMainFrame(double frame_time_sec) Line 696 C++
chrome_child.dll!content::RenderWidgetCompositor::BeginMainFrame(const cc::BeginFrameArgs & args) Line 924 + 0x17 bytes C++
chrome_child.dll!cc::ProxyMain::BeginMainFrame(scoped_ptr<cc::BeginMainFrameAndCommitState,std::default_delete<cc::BeginMainFrameAndCommitState> > begin_main_frame_state) Line 194 C++
chrome_child.dll!base::internal::Invoker<base::IndexSequence<0,1>,base::internal::BindState<base::internal::RunnableAdapter<void (__thiscall cc::ProxyMain::*)(scoped_ptr<cc::BeginMainFrameAndCommitState,std::default_delete<cc::BeginMainFrameAndCommitState> >)>,void __cdecl(cc::ProxyMain *,scoped_ptr<cc::BeginMainFrameAndCommitState,std::default_delete<cc::BeginMainFrameAndCommitState> >),base::WeakPtr<cc::ProxyMain> &,base::internal::PassedWrapper<scoped_ptr<cc::BeginMainFrameAndCommitState,std::default_delete<cc::BeginMainFrameAndCommitState> > > >,base::internal::InvokeHelper<1,void,base::internal::RunnableAdapter<void (__thiscall cc::ProxyMain::*)(scoped_ptr<cc::BeginMainFrameAndCommitState,std::default_delete<cc::BeginMainFrameAndCommitState> >)> >,void __cdecl(void)>::Run(base::internal::BindStateBase * base) Line 354 + 0x5f bytes C++
chrome_child.dll!base::debug::TaskAnnotator::RunTask(const char * queue_function, const base::PendingTask & pending_task) Line 51 + 0x5 bytes C++
chrome_child.dll!scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(scheduler::internal::WorkQueue * work_queue, scheduler::internal::TaskQueueImpl::Task * out_previous_task) Line 292 C++
chrome_child.dll!scheduler::TaskQueueManager::DoWork(base::TimeTicks run_time, bool from_main_thread) Line 200 + 0xc bytes C++
chrome_child.dll!base::internal::InvokeHelper<1,void,base::internal::RunnableAdapter<void (__thiscall content::WebFileWriterBase::*)(__int64,bool)> >::MakeItSo<base::WeakPtr<content::WebFileWriterImpl>,__int64 const &,bool const &>(base::internal::RunnableAdapter<void (__thiscall content::WebFileWriterBase::*)(__int64,bool)> runnable, base::WeakPtr<content::WebFileWriterImpl> weak_ptr) Line 314 + 0x22 bytes C++
chrome_child.dll!base::internal::Invoker<base::IndexSequence<0,1,2>,base::internal::BindState<base::internal::RunnableAdapter<void (__thiscall scheduler::TaskQueueManager::*)(base::TimeTicks,bool)>,void __cdecl(scheduler::TaskQueueManager *,base::TimeTicks,bool),base::WeakPtr<scheduler::TaskQueueManager>,base::TimeTicks,bool>,base::internal::InvokeHelper<1,void,base::internal::RunnableAdapter<void (__thiscall scheduler::TaskQueueManager::*)(base::TimeTicks,bool)> >,void __cdecl(void)>::Run(base::internal::BindStateBase * base) Line 354 + 0x25 bytes C++
chrome_child.dll!base::debug::TaskAnnotator::RunTask(const char * queue_function, const base::PendingTask & pending_task) Line 51 + 0x5 bytes C++
chrome_child.dll!base::MessageLoop::RunTask(const base::PendingTask & pending_task) Line 478 C++
chrome_child.dll!base::MessageLoop::DoWork() Line 598 C++
chrome_child.dll!base::MessagePumpDefault::Run(base::MessagePump::Delegate * delegate) Line 34 C++
chrome_child.dll!base::RunLoop::Run() Line 36 C++
chrome_child.dll!base::MessageLoop::Run() Line 294 C++
chrome_child.dll!content::RendererMain(const content::MainFunctionParams & parameters) Line 220 C++
chrome_child.dll!content::RunNamedProcessTypeMain(const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & process_type, const content::MainFunctionParams & main_function_params, content::ContentMainDelegate * delegate) Line 395 + 0xa bytes C++
chrome_child.dll!content::ContentMainRunnerImpl::Run() Line 764 + 0x6 bytes C++
chrome_child.dll!content::ContentMain(const content::ContentMainParams & params) Line 19 + 0x7 bytes C++
chrome_child.dll!ChromeMain(HINSTANCE__ * instance, sandbox::SandboxInterfaceInfo * sandbox_info) Line 87 C++
chrome.exe!MainDllLoader::Launch(HINSTANCE__ * instance) Line 184 C++
chrome.exe!wWinMain(HINSTANCE__ * instance, HINSTANCE__ * prev, wchar_t * __formal, wchar_t * __formal) Line 231 C++
chrome.exe!__tmainCRTStartup() Line 251 + 0xe bytes C
Apr 25 2016
Tested the same on Mac 10.11 with Chrome version 50.0.2661.87 and Canary 52.0.2715.0, navigating to https://apps.facebook.com/cloudraiders/, and the app loaded fine without any issues. Could you please let us know the OS details where you face the issue?
Apr 25 2016
The OS is Windows 10, Version 1511, Build 10586.218 (aka Update 2)
Apr 25 2016
Make sure you are testing the x86 version of the browser, the x64 build doesn't have this problem.
Apr 25 2016
Thank you for providing more feedback. Adding requester "tkonchada@chromium.org" for another review and adding "Needs-Review" label for tracking. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 26 2016
Able to reproduce the issue on Win10 - 50.0.2661.87 [32 bit build]. The game loads fine on Win10 - 50.0.2661.87 [64 bit build]
Apr 27 2016
Able to reproduce this issue on Windows 7 using 50.0.2661.87 (32 bit) with the below steps:
1. Opened URL: https://apps.facebook.com/cloudraiders/ and logged into Facebook.
2. Observed that the tab became unresponsive.
Unable to reproduce the issue on Windows 7 using latest Chrome canary 52.0.2718.0, dev 52.0.2716.0, beta 51.0.2704.22.
Please find below bisect info:
Good build: 51.0.2688.0
Bad build: 51.0.2687.0
CHANGELOG URL: https://chromium.googlesource.com/chromium/src/+log/c84d04ac9fdf9752bd3ea79180df7ba5cca2a6cb..58a16b337a63ba6cee9ce51c42bd6dc160114b80
From the above CL, suspecting the V8 CL below: https://chromium.googlesource.com/chromium/src/+/a8c32f059f62e4b242fe7a6d00b6fcf0dc9f81d0
Marking it as untriaged and ccing V8 sheriffs. Could anyone from the cc list look into this issue please?
Note: Working fine on Mac 10.10.5, Ubuntu 14.04.
Apr 27 2016
Increasing priority and adding 'ReleaseBlock-Stable' for next stable refresh on M-50. Crash ID 8bb98aac00000000.
Apr 27 2016
Seems related to https://codereview.chromium.org/1818323002. Presumably that fix triggers another bug; maybe the register allocator gets confused when the same register is both an input and a temp? Maybe "0D27772F mov edi,eax" intended to save the *original* value of eax, before it got clobbered by the div?
Apr 27 2016
We are also having a similar issue with the browser hang in a different game: https://apps.facebook.com/tribezatwar/ (Facebook login required) It hangs shortly after loading in the 50.0.2661.87 m (64-bit) version of Chrome browser on Windows 10 and Mac OS X as well. We don't have this issue in Chrome 49.* and 50.0.2661.87 m (32-bit) version of the browser. Firefox and Edge were also tested and they don't experience this issue. While I'm not certain that the issue is the same, the infinite loop that is being executed does contain two idiv instructions which might be related. PS. Tell me if I should submit a separate issue for this
Apr 27 2016
This is not a blocker for M-50 stable but for M-51 stable according to #7.
Apr 27 2016
#10: Please open another issue
Apr 27 2016
#1: could you please add the asm.js file that causes the problem? I saw the snippet in comment 1, but I think it's best I had the full context available, to make sure instruction selection and register allocation have the same input. Thanks!
Apr 27 2016
Here is the snapshot of the code. The function that is miscompiled is named 'function Ije(b,d)'
Apr 27 2016
Thanks for the repro! I was able to extract out the attached, and observe the matching codegen. I was then able to confirm that https://codereview.chromium.org/1818323002 fixes this issue. That fix (https://codereview.chromium.org/1818323002) is not incorporated in the v8 version (5.0.71.33) shipping with chromium 50.0.2661.87. The first v8 version my change is incorporated in is 5.1.191. This means the earliest version of chromium with the fix is 51.0.2704.22.
Apr 28 2016
Ah, sorry, I realize now that in #9 I got confused about what changed when. Since https://codereview.chromium.org/1818323002 fixes the issue, that patch should be merged back to the 5.0 branch. This also doesn't block M51 because it's already fixed in M51.
Apr 29 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b3568eae798060d8e980b7309b85175e10cd330b

commit b3568eae798060d8e980b7309b85175e10cd330b
Author: Jakob Kummerow <jkummerow@chromium.org>
Date: Fri Apr 29 10:08:26 2016

Version 5.0.71.42 (cherry-pick)

Merged 1da4b88e8200172eab71bc71253a8adf0e08b466

[turbofan] Fix operands for VisitDiv on Intel.

R=hablich@chromium.org
BUG=chromium:605925

Review URL: https://codereview.chromium.org/1933653002 .

Cr-Commit-Position: refs/branch-heads/5.0@{#50}
Cr-Branched-From: ad16e6c2cbd2c6b0f2e8ff944ac245561c682ac2-refs/heads/5.0.71@{#1}
Cr-Branched-From: bd9df50d75125ee2ad37b3d92c8f50f0a8b5f030-refs/heads/master@{#34215}

[modify] https://crrev.com/b3568eae798060d8e980b7309b85175e10cd330b/include/v8-version.h
[modify] https://crrev.com/b3568eae798060d8e980b7309b85175e10cd330b/src/compiler/ia32/instruction-selector-ia32.cc
[modify] https://crrev.com/b3568eae798060d8e980b7309b85175e10cd330b/src/compiler/x64/instruction-selector-x64.cc
May 13 2016
Tested the issue on Windows 7 and Windows 10 using latest stable 50.0.2661.102 (32 bit) and canary 52.0.2734.0 (32 bit). App loaded successfully with Facebook login. Please find attached screencast. Marking it as TE-Verified.
Comment 1 by vyachesl...@innowate.com, Apr 22 2016

Basically, we have the following JS code (asm.js):

do {
  m = b + r | 0;
  a[m >> 0] = a[q + ((r >>> 0) % (p >>> 0) | 0) >> 0] ^ a[m >> 0];
  r = r + 1 | 0
} while((r | 0) != (d | 0));

which translates into

0D277700 xor edx,edx
0D277702 cmp esp,dword ptr ds:[1181D40h]
0D277708 jbe 0D277B84
0D27770E cmp ecx,0
0D277711 je 0D27772F
0D277717 lea edi,[ecx-1]
0D27771A test edi,ecx
0D27771C jne 0D27772B
0D277722 and edi,eax
0D277724 mov edx,edi
0D277726 jmp 0D27772F
0D27772B xor edx,edx
0D27772D div eax,ecx
0D27772F mov edi,eax
0D277731 lea eax,[ebx+edx]
0D277734 cmp eax,0C000000h
0D277739 jae 0D277CB0
0D27773F movsx eax,byte ptr [eax-7FFFC000h]
0D277746 lea edx,[esi+edi]
0D277749 cmp edx,0C000000h
0D27774F jae 0D277CA9
0D277755 movsx ecx,byte ptr [edx-7FFFC000h]
0D27775C xor ecx,eax
0D27775E mov eax,edx
0D277760 mov edx,ecx
0D277762 cmp eax,0C000000h
0D277767 jae 0D27776F
0D277769 mov byte ptr [eax-7FFFC000h],dl
0D27776F lea eax,[edi+1]
0D277772 mov ecx,dword ptr [ebp-18h]
0D277775 cmp ecx,eax
0D277777 je 0D277785
0D27777D mov ecx,dword ptr [ebp-28h]
0D277780 jmp 0D277700

so, the end of the loop adds 1 // r = r + 1 | 0

0D27776F lea eax,[edi+1]

but after the next iteration is performed, eax and edi are both reset to 0 by

0D27772D div eax,ecx ; eax is 0 or 1 at this point
0D27772F mov edi,eax

this leads to an infinite loop
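The register-level effect described in comment 1 and suspected in #9 (the div quotient landing in eax, the same register that holds the loop counter r, before "mov edi,eax" copies it), modeled in C as an added example that is not part of the issue thread or of V8. It assumes r starts at 0 and ignores the a[] memory traffic, since only the counter registers matter for the hang.

```c
#include <stdint.h>
#include <stdio.h>
/* Registers that matter for the loop counter after the modulo sequence. */
typedef struct { uint32_t eax, edx, edi; } Regs;

/* Models the unsigned (r>>>0) % (p>>>0) as emitted at 0D27770E..0D27772F:
   eax holds r (also the loop counter), ecx holds p; a[] accesses omitted. */
static Regs modulo_as_emitted(uint32_t r, uint32_t p) {
    Regs s = { r, 0, 0 };
    if (p != 0) {
        if (((p - 1) & p) == 0) {   /* power of two: and edi,eax; mov edx,edi */
            s.edx = (p - 1) & r;
        } else {                     /* xor edx,edx; div eax,ecx */
            s.edx = r % p;
            s.eax = r / p;           /* quotient overwrites the dividend r */
        }
    }
    s.edi = s.eax;                   /* 0D27772F mov edi,eax */
    return s;
}

/* Next r as the shipped code computes it: 0D27776F lea eax,[edi+1]. */
static uint32_t next_r_buggy(uint32_t r, uint32_t p) {
    return modulo_as_emitted(r, p).edi + 1;
}

/* Next r under the intended semantics of "r = r + 1 | 0". */
static uint32_t next_r_fixed(uint32_t r, uint32_t p) {
    (void)p;
    return r + 1;
}

/* Runs the do-while from r = 0 (assumed start) until r == d. Returns the
   iteration count, or -1 if `budget` iterations pass without reaching d. */
static long run_loop(uint32_t (*step)(uint32_t, uint32_t),
                     uint32_t p, uint32_t d, long budget) {
    uint32_t r = 0;
    for (long i = 1; i <= budget; i++) {
        r = step(r, p);
        if (r == d) return i;
    }
    return -1;
}

int main(void) {
    printf("fixed, p=3:  %ld iterations\n", run_loop(next_r_fixed, 3, 16, 1000));
    printf("buggy, p=4:  %ld iterations\n", run_loop(next_r_buggy, 4, 16, 1000));
    printf("buggy, p=3:  %ld (hang)\n",     run_loop(next_r_buggy, 3, 16, 1000));
    return 0;
}
```

The power-of-two case never executes div and so terminates even in the miscompiled form, which is why the hang only appears for a non-power-of-two p.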