Issue 612146 link

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Jun 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Regression


Renderer crash on zhytomyr.dozor-gps.com.ua

Project Member Reported by ha...@opera.com, May 16 2016

Issue description

Version: 52.0.2738.0 canary (64-bit)
OS: Win7

What steps will reproduce the problem?
(1) Load http://zhytomyr.dozor-gps.com.ua/
(2) Wait a bit.

Renderer crash in Canary.

Comment 1 by sigbjo...@opera.com, May 25 2016

Components: Blink>JavaScript
Labels: -Pri-3 Pri-2
Stack:

 	v8.dll!v8::base::OS::Abort() Line 836	C++
 	v8.dll!v8::internal::Isolate::PushStackTraceAndDie(unsigned int magic, void * ptr1, void * ptr2, unsigned int magic2) Line 313	C++
 	v8.dll!v8::internal::LookupIterator::GetRootForNonJSReceiver(v8::internal::Isolate * isolate, v8::internal::Handle<v8::internal::Object> receiver, unsigned int index) Line 138	C++
 	v8.dll!v8::internal::LookupIterator::LookupIterator(v8::internal::Isolate * isolate, v8::internal::Handle<v8::internal::Object> receiver, unsigned int index, v8::internal::LookupIterator::Configuration configuration) Line 90	C++
>	v8.dll!v8::internal::LookupIterator::PropertyOrElement(v8::internal::Isolate * isolate, v8::internal::Handle<v8::internal::Object> receiver, v8::internal::Handle<v8::internal::Object> key, bool * success, v8::internal::LookupIterator::Configuration configuration) Line 45	C++
 	v8.dll!v8::internal::Runtime::GetObjectProperty(v8::internal::Isolate * isolate, v8::internal::Handle<v8::internal::Object> object, v8::internal::Handle<v8::internal::Object> key) Line 31	C++
 	v8.dll!v8::internal::KeyedLoadIC::Load(v8::internal::Handle<v8::internal::Object> object, v8::internal::Handle<v8::internal::Object> key) Line 1396	C++
 	v8.dll!v8::internal::__RT_impl_Runtime_KeyedLoadIC_Miss(v8::internal::Arguments args, v8::internal::Isolate * isolate) Line 2313	C++
 	v8.dll!v8::internal::Runtime_KeyedLoadIC_Miss(int args_length, v8::internal::Object * * args_object, v8::internal::Isolate * isolate) Line 2298	C++
 	[External Code]	
 	v8.dll!v8::internal::`anonymous namespace'::Invoke(v8::internal::Isolate * isolate, bool is_construct, v8::internal::Handle<v8::internal::Object> target, v8::internal::Handle<v8::internal::Object> receiver, int argc, v8::internal::Handle<v8::internal::Object> * args, v8::internal::Handle<v8::internal::Object> new_target) Line 98	C++
 	v8.dll!v8::internal::Execution::Call(v8::internal::Isolate * isolate, v8::internal::Handle<v8::internal::Object> callable, v8::internal::Handle<v8::internal::Object> receiver, int argc, v8::internal::Handle<v8::internal::Object> * argv) Line 154	C++
 	v8.dll!v8::Function::Call(v8::Local<v8::Context> context, v8::Local<v8::Value> recv, int argc, v8::Local<v8::Value> * argv) Line 4467	C++
 	webcore_shared.dll!blink::V8ScriptRunner::callFunction(v8::Local<v8::Function> function, blink::ExecutionContext * context, v8::Local<v8::Value> receiver, int argc, v8::Local<v8::Value> * args, v8::Isolate * isolate) Line 467	C++
 	webcore_shared.dll!blink::ScriptController::callFunction(blink::ExecutionContext * context, v8::Local<v8::Function> function, v8::Local<v8::Value> receiver, int argc, v8::Local<v8::Value> * info, v8::Isolate * isolate) Line 120	C++
 	webcore_shared.dll!blink::ScriptController::callFunction(v8::Local<v8::Function> function, v8::Local<v8::Value> receiver, int argc, v8::Local<v8::Value> * info) Line 115	C++
 	webcore_shared.dll!blink::V8EventListener::callListenerFunction(blink::ScriptState * scriptState, v8::Local<v8::Value> jsEvent, blink::Event * event) Line 95	C++
 	webcore_shared.dll!blink::V8AbstractEventListener::invokeEventHandler(blink::ScriptState * scriptState, blink::Event * event, v8::Local<v8::Value> jsEvent) Line 130	C++
 	webcore_shared.dll!blink::V8AbstractEventListener::handleEvent(blink::ScriptState * scriptState, blink::Event * event) Line 96	C++
 	webcore_shared.dll!blink::V8AbstractEventListener::handleEvent(blink::ExecutionContext * executionContext, blink::Event * event) Line 84	C++
 	webcore_shared.dll!blink::EventTarget::fireEventListeners(blink::Event * event, blink::EventTargetData * d, blink::HeapVector<blink::RegisteredEventListener,1> & entry) Line 571	C++
 	webcore_shared.dll!blink::EventTarget::fireEventListeners(blink::Event * event) Line 488	C++
 	webcore_shared.dll!blink::EventTarget::dispatchEventInternal(blink::Event * event) Line 400	C++
 	webcore_shared.dll!blink::EventTarget::dispatchEvent(blink::Event * event) Line 392	C++
 	webcore_shared.dll!blink::XMLHttpRequestProgressEventThrottle::dispatchProgressEvent(const WTF::AtomicString & type, bool lengthComputable, unsigned __int64 loaded, unsigned __int64 total) Line 90	C++
 	webcore_shared.dll!blink::XMLHttpRequest::dispatchProgressEvent(const WTF::AtomicString & type, __int64 receivedLength, __int64 expectedLength) Line 1085	C++
 	webcore_shared.dll!blink::XMLHttpRequest::dispatchProgressEventFromSnapshot(const WTF::AtomicString & type) Line 1092	C++
 	webcore_shared.dll!blink::XMLHttpRequest::dispatchReadyStateChangeEvent() Line 522	C++
 	webcore_shared.dll!blink::XMLHttpRequest::changeState(blink::XMLHttpRequest::State newState) Line 498	C++
 	webcore_shared.dll!blink::XMLHttpRequest::endLoading() Line 1491	C++
 	webcore_shared.dll!blink::XMLHttpRequest::didFinishLoadingInternal() Line 1421	C++
 	webcore_shared.dll!blink::XMLHttpRequest::didFinishLoading(unsigned long identifier, double __formal) Line 1394	C++
 	webcore_shared.dll!blink::DocumentThreadableLoader::handleSuccessfulFinish(unsigned long identifier, double finishTime) Line 789	C++
 	webcore_shared.dll!blink::DocumentThreadableLoader::notifyFinished(blink::Resource * resource) Line 764	C++
 	webcore_shared.dll!blink::Resource::checkNotify() Line 371	C++
 	webcore_shared.dll!blink::Resource::finish(double loadFinishTime) Line 440	C++
 	webcore_shared.dll!blink::ResourceFetcher::didFinishLoading(blink::Resource * resource, double finishTime, __int64 encodedDataLength, blink::ResourceFetcher::DidFinishLoadingReason finishReason) Line 900	C++
 	webcore_shared.dll!blink::ResourceLoader::didFinishLoading(blink::WebURLLoader * __formal, double finishTime, __int64 encodedDataLength) Line 211	C++
 	content.dll!content::WebURLLoaderImpl::Context::OnCompletedRequest(int error_code, bool was_ignored_by_handler, bool stale_copy_in_cache, const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & security_info, const base::TimeTicks & completion_time, __int64 total_transfer_size) Line 787	C++
 	content.dll!content::WebURLLoaderImpl::RequestPeerImpl::OnCompletedRequest(int error_code, bool was_ignored_by_handler, bool stale_copy_in_cache, const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & security_info, const base::TimeTicks & completion_time, __int64 total_transfer_size) Line 936	C++
 	content.dll!content::ResourceDispatcher::OnRequestComplete(int request_id, const ResourceMsg_RequestCompleteData & request_complete_data) Line 376	C++
 	content.dll!base::DispatchToMethodImpl<content::ResourceDispatcher *,void (__thiscall content::ResourceDispatcher::*)(int,ResourceMsg_RequestCompleteData const &),int,ResourceMsg_RequestCompleteData,0,1>(content::ResourceDispatcher * const & obj, void(content::ResourceDispatcher::*)(int, const ResourceMsg_RequestCompleteData &) method, const std::tuple<int,ResourceMsg_RequestCompleteData> & arg, base::IndexSequence<0,1> __formal) Line 166	C++
 	content.dll!base::DispatchToMethod<content::ResourceDispatcher *,void (__thiscall content::ResourceDispatcher::*)(int,ResourceMsg_RequestCompleteData const &),int,ResourceMsg_RequestCompleteData>(content::ResourceDispatcher * const & obj, void(content::ResourceDispatcher::*)(int, const ResourceMsg_RequestCompleteData &) method, const std::tuple<int,ResourceMsg_RequestCompleteData> & arg) Line 173	C++
 	content.dll!IPC::DispatchToMethod<content::ResourceDispatcher,void (__thiscall content::ResourceDispatcher::*)(int,ResourceMsg_RequestCompleteData const &),void,std::tuple<int,ResourceMsg_RequestCompleteData> >(content::ResourceDispatcher * obj, void(content::ResourceDispatcher::*)(int, const ResourceMsg_RequestCompleteData &) method, void * __formal, const std::tuple<int,ResourceMsg_RequestCompleteData> & tuple) Line 26	C++
 	content.dll!IPC::MessageT<ResourceMsg_RequestComplete_Meta,std::tuple<int,ResourceMsg_RequestCompleteData>,void>::Dispatch<content::ResourceDispatcher,content::ResourceDispatcher,void,void (__thiscall content::ResourceDispatcher::*)(int,ResourceMsg_RequestCompleteData const &)>(const IPC::Message * msg, content::ResourceDispatcher * obj, content::ResourceDispatcher * sender, void * parameter, void(content::ResourceDispatcher::*)(int, const ResourceMsg_RequestCompleteData &) func) Line 121	C++
 	content.dll!content::ResourceDispatcher::DispatchMessageW(const IPC::Message & message) Line 507	C++
 	content.dll!content::ResourceDispatcher::OnMessageReceived(const IPC::Message & message) Line 125	C++
 	content.dll!content::ResourceSchedulingFilter::DispatchMessageW(const IPC::Message & message) Line 99	C++
 	content.dll!content::`anonymous namespace'::DispatchMessageTask::run() Line 32	C++
 	scheduler.dll!scheduler::WebTaskRunnerImpl::runTask(std::unique_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> > task) Line 70	C++
 	scheduler.dll!base::internal::RunnableAdapter<void (__cdecl*)(std::unique_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> >)>::Run<std::unique_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> > >(std::unique_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> > && <args_0>) Line 159	C++
 	scheduler.dll!base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void (__cdecl*)(std::unique_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> >)> >::MakeItSo<std::unique_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> > >(base::internal::RunnableAdapter<void (__cdecl*)(std::unique_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> >)> runnable, std::unique_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> > && <args_0>) Line 312	C++
 	scheduler.dll!base::internal::Invoker<base::IndexSequence<0>,base::internal::BindState<base::internal::RunnableAdapter<void (__cdecl*)(std::unique_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> >)>,void __cdecl(std::unique_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> >),base::internal::PassedWrapper<std::unique_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> > > >,base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void (__cdecl*)(std::unique_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> >)> >,void __cdecl(void)>::Run(base::internal::BindStateBase * base) Line 362	C++
 	base.dll!base::Callback<void __cdecl(void),1>::Run() Line 397	C++
 	base.dll!base::debug::TaskAnnotator::RunTask(const char * queue_function, const base::PendingTask & pending_task) Line 53	C++
 	scheduler.dll!scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(scheduler::internal::WorkQueue * work_queue, scheduler::internal::TaskQueueImpl::Task * out_previous_task) Line 289	C++
 	scheduler.dll!scheduler::TaskQueueManager::DoWork(base::TimeTicks run_time, bool from_main_thread) Line 201	C++
 	scheduler.dll!base::internal::RunnableAdapter<void (__thiscall scheduler::TaskQueueManager::*)(base::TimeTicks,bool)>::Run<scheduler::TaskQueueManager *,base::TimeTicks const &,bool const &>(scheduler::TaskQueueManager * && receiver_ptr, const base::TimeTicks & <args_0>, const bool & <args_1>) Line 186	C++
 	scheduler.dll!base::internal::InvokeHelper<1,void,base::internal::RunnableAdapter<void (__thiscall scheduler::TaskQueueManager::*)(base::TimeTicks,bool)> >::MakeItSo<base::WeakPtr<scheduler::TaskQueueManager>,base::TimeTicks const &,bool const &>(base::internal::RunnableAdapter<void (__thiscall scheduler::TaskQueueManager::*)(base::TimeTicks,bool)> runnable, base::WeakPtr<scheduler::TaskQueueManager> weak_ptr, const base::TimeTicks & <args_0>, const bool & <args_1>) Line 325	C++
 	scheduler.dll!base::internal::Invoker<base::IndexSequence<0,1,2>,base::internal::BindState<base::internal::RunnableAdapter<void (__thiscall scheduler::TaskQueueManager::*)(base::TimeTicks,bool)>,void __cdecl(scheduler::TaskQueueManager *,base::TimeTicks,bool),base::WeakPtr<scheduler::TaskQueueManager>,base::TimeTicks,bool>,base::internal::InvokeHelper<1,void,base::internal::RunnableAdapter<void (__thiscall scheduler::TaskQueueManager::*)(base::TimeTicks,bool)> >,void __cdecl(void)>::Run(base::internal::BindStateBase * base) Line 362	C++
 	base.dll!base::Callback<void __cdecl(void),1>::Run() Line 397	C++
 	base.dll!base::debug::TaskAnnotator::RunTask(const char * queue_function, const base::PendingTask & pending_task) Line 53	C++
 	base.dll!base::MessageLoop::RunTask(const base::PendingTask & pending_task) Line 479	C++
 	base.dll!base::MessageLoop::DeferOrRunPendingTask(const base::PendingTask & pending_task) Line 490	C++
 	base.dll!base::MessageLoop::DoWork() Line 604	C++
 	base.dll!base::MessagePumpDefault::Run(base::MessagePump::Delegate * delegate) Line 33	C++
 	base.dll!base::MessageLoop::RunHandler() Line 442	C++
 	base.dll!base::RunLoop::Run() Line 36	C++
 	base.dll!base::MessageLoop::Run() Line 295	C++
 	content.dll!content::RendererMain(const content::MainFunctionParams & parameters) Line 199	C++
 	content.dll!content::RunNamedProcessTypeMain(const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & process_type, const content::MainFunctionParams & main_function_params, content::ContentMainDelegate * delegate) Line 420	C++
 	content.dll!content::ContentMainRunnerImpl::Run() Line 787	C++
 	content.dll!content::ContentMain(const content::ContentMainParams & params) Line 20	C++
 	content_shell.exe!wWinMain(HINSTANCE__ * instance, HINSTANCE__ * __formal, wchar_t * __formal, int __formal) Line 33	C++
 	[External Code]	

Comment 2 by sigbjo...@opera.com, May 25 2016

Quite similar to issue 611555

Comment 3 by sigbjo...@opera.com, May 29 2016

Labels: -Type-Bug Stability-Crash Reproducible Type-Bug-Regression
Labels: -Pri-2 Pri-1
Owner: cbruni@chromium.org
Status: Assigned (was: Untriaged)
Can reproduce on Mac, crashID 99846d9a00000000. Can you please have a look, Camillo?

I am running Ignition btw, if it should make a difference.

Comment 5 by cbruni@chromium.org, May 31 2016

We get the optimized_out Oddball as a receiver for the KeyLoadIC lookup.

Security context: 0x2d7c063dad49 <String[32]: http://zhytomyr.dozor-gps.com.ua>
    1: get [http://zhytomyr.dozor-gps.com.ua/js/gts.common.js:264] 
        [pc=0x340d565f942b](this=0x3bbe5b645151 <a HashMap with map 0x1827b3fe3d79>#0#)
    2: arguments adaptor frame: 1->0
    3: fnInitializeMapRoutes [http://zhytomyr.dozor-gps.com.ua/:533]
        [pc=0x340d552b5a23](this=0x18412f005309 <JS Global Object>#1#)
    4: onLoad [http://zhytomyr.dozor-gps.com.ua/:1367]
        [pc=0x340d552b5256](this=0x3bbe5b677c59 <an Object with map 0x1827b3fe5531>#2#)
    5: arguments adaptor frame: 1->0
    6: success [http://zhytomyr.dozor-gps.com.ua/js/gts.monitor.js:562]
        [pc=0x340d552b4d77](this=0x3bbe5b67d961 <an Object with map 0x1827b3fe0c51>#3#,data=0x1ba91ed885b1 <Very long string[302567]>#4#)
    7: arguments adaptor frame: 3->1
    8: j [http://zhytomyr.dozor-gps.com.ua/js/jquery.js:2]
        [pc=0x340d553933a0](this=0x18412f005309 <JS Global Object>#1#,l=0x1ba91ed892c9 <JS Array[2]>#5#)
    9: resolveWith(aka fireWith) [http://zhytomyr.dozor-gps.com.ua/js/jquery.js:2]
        [pc=0x340d55393048](this=0x3bbe5b67fb61 <an Object with map 0x1827b3fe2bf1>#6#,a=0x3bbe5b67d961 <an Object with map 0x1827b3fe0c51>#3#,b=0x1ba91ed892c9 <JS Array[2]>#5#)
   10: x [http://zhytomyr.dozor-gps.com.ua/js/jquery.js:4]
        [pc=0x340d565ecb68](this=0x18412f005309 <JS Global Object>#1#,a=200,b=0xbe9327051d9 <String[2]: OK>,f=0x1ba91ed88601 <an Object with map 0x1827b3fe23b1>#7#,h=0x1ba91ed88631 <String[265]\: Pragma: no-cache\r\nDate: Tue, 31 May 2016 11:13:20 GMT\r\nContent-Encoding: gzip\r\nServer: Apache-Coyote/1.1\r\nTransfer-Encoding: chunked\r\nContent-Type: text/html;charset=UTF-8\r\nCache-Control: no-cache, no-store, must-revalidate\r\nExpires: Thu, 01 Jan 1970 00:00:00 GMT\r\n>)
   11: /* anonymous */ [http://zhytomyr.dozor-gps.com.ua/js/jquery.js:4]
        [pc=0x340d565ec286](this=0x3bbe5b6818e9 <an XMLHttpRequest with map 0x1827b3f928b9>#8#)
   12: arguments adaptor frame: 1->0

==== Details ================================================

[1]: get [http://zhytomyr.dozor-gps.com.ua/js/gts.common.js:264] [pc=0x340d565f942b](this=0x3bbe5b645151 <a HashMap with map 0x1827b3fe3d79>#0#) {
  // stack-allocated locals
  var arguments = 0x7eb0101a049 <an Arguments with map 0x383072022de9>#9#
  var _arguments = 0x927d5806779 <Odd Oddball: optimized_out>
  var _result = 0x927d5806779 <Odd Oddball: optimized_out>
  var _i = 0x927d5806779 <Odd Oddball: optimized_out>
  var _value = 0x927d5806779 <Odd Oddball: optimized_out>
  var _indexKey = 0x927d5804311 <undefined>
  // expression stack (top to bottom)
  [11] : 0x2c747f917f81 <FixedArray[65]>#10#
  [10] : 61
  [09] : 0
  [08] : 0x927d5806779 <Odd Oddball: optimized_out>
  [07] : 0x3bbe5b645151 <a HashMap with map 0x1827b3fe3d79>#0#
  [06] : 0x28cfec112509 <JS Function HashMap.indexOf (SharedFunctionInfo 0x812358e0c1)>#11#
--------- s o u r c e   c o d e ---------
function () {\x0a      var _arguments = arguments;\x0a      var _result = null;\x0a      var _i = 0;\x0a      var _value = null;\x0a      if (_arguments[0] instanceof gts.common.ArrayList) {\x0a        _result = new gts.common.ArrayList();\x0a        _i = _arguments[0].size();\x0a        _value = null;\x0a        while (_i--) {\x0a      ...

-----------------------------------------
}

[2]: arguments adaptor frame: 1->0 {
  // actual arguments
  [00] : 7729  // not passed to callee
}

[3]: fnInitializeMapRoutes [http://zhytomyr.dozor-gps.com.ua/:533] [pc=0x340d552b5a23](this=0x18412f005309 <JS Global Object>#1#) {
  // stack-allocated locals
  var .switch_tag = 0x927d5804311 <undefined>
  var _routesMap = 0x7eb01019ca9 <a HashMap with map 0x1827b3fd9719>#12#
  var _route = 0x39c6866b2249 <an Object with map 0x2f39edc1dab9>#13#
  var _routeMap = 0x927d5804201 <null>
  var _lines = 0x7eb01019f29 <JS Array[0]>#14#
  var _zones = 0x7eb01019f89 <JS Array[0]>#15#
  var _labels = 0x7eb01019fe9 <JS Array[0]>#16#
  var _line = 0x927d5804201 <null>
  var _zone = 0x927d5804201 <null>
  var _path = 0x927d5804201 <null>
  var _i0 = 34
  var _i1 = 57
  var _i2 = 0
  // expression stack (top to bottom)
  [15] : 7729
  [14] : 0x3bbe5b645151 <a HashMap with map 0x1827b3fe3d79>#0#
  [13] : 0x28cfec112551 <JS Function HashMap.get (SharedFunctionInfo 0x812358e189)>#17#
--------- s o u r c e   c o d e ---------
function fnInitializeMapRoutes() {\x0a    var _routesMap = new gts.common.HashMap();\x0a    var _route = null;\x0a    var _routeMap = null;\x0a    var _lines = null;\x0a    var _zones = null;\x0a    var _labels = null;\x0a    var _line = null;\x0a    var _zone = null;\x0a    var _path = null;\x0a    var _i0 = 0;\x0a    var _i1 = 0;\x0a    var _i2 = 0;\x0a\x0a    if (goo...

-----------------------------------------
}

[4]: onLoad [http://zhytomyr.dozor-gps.com.ua/:1367] [pc=0x340d552b5256](this=0x3bbe5b677c59 <an Object with map 0x1827b3fe5531>#2#) {
  // expression stack (top to bottom)
  [01] : 0x18412f005309 <JS Global Object>#1#
  [00] : 0x8123594179 <JS Function fnInitializeMapRoutes (SharedFunctionInfo 0x81235923a9)>#18#
--------- s o u r c e   c o d e ---------
function () {\x0a          fnInitializeMapRoutes();\x0a        }
-----------------------------------------
}

[5]: arguments adaptor frame: 1->0 {
  // actual arguments
  [00] : 0x3bbe5b677c59 <an Object with map 0x1827b3fe5531>#2#  // not passed to callee
}

[6]: success [http://zhytomyr.dozor-gps.com.ua/js/gts.monitor.js:562] [pc=0x340d552b4d77](this=0x3bbe5b67d961 <an Object with map 0x1827b3fe0c51>#3#,data=0x1ba91ed885b1 <Very long string[302567]>#4#) {
  // stack-allocated locals
  var _json = 0x233a395fd5c1 <an Object with map 0x1827b3fd2c31>#19#
  var _i = 1892
  var _route = 0x39c6866b1de9 <an Object with map 0x2f39edc1dab9>#20#
  var _routeId = 908
  var _routeLine = 0x2ed8bb249da9 <an Object with map 0x1827b3fcc251>#21#
  var _l = 1892
  // expression stack (top to bottom)
  [08] : 0x3bbe5b677c59 <an Object with map 0x1827b3fe5531>#2#
  [07] : 0x3bbe5b677c59 <an Object with map 0x1827b3fe5531>#2#
  [06] : 0x3bbe5b681cd9 <JS Function (SharedFunctionInfo 0x28cfec119841)>#22#
--------- s o u r c e   c o d e ---------
function (data) {\x0a      var _json = null;\x0a      var _i = 0;\x0a      var _route = null;\x0a      var _routeId = 0;\x0a      var _routeLine = null;\x0a      var _l = 0;\x0a      try {\x0a        _json = JSON.parse(data);\x0a      } catch (e) {\x0a      }\x0a      if (_json && gts.common.checkResponse(_json)) {\x0a        if (gts.monitor.r...

-----------------------------------------

Comment 6 by cbruni@chromium.org, May 31 2016

Owner: jarin@chromium.org
--noanalyze-environment-liveness fixes the issue.

Last Deopt:

[deoptimizing (DEOPT eager): begin 0x272d4a9af8d9 <JS Function HashMap.get (SharedFunctionInfo 0x272d4a9a7af1)> (opt #242) @13, FP to SP delta: 32, caller sp: 0x7fad762a0298]
            ;;; deoptimize at 6114: instance migration failed
  reading input frame HashMap.get => node=272, args=1, height=7; inputs:
      0: 0x272d4a9af8d9 ; [fp - 16] 0x272d4a9af8d9 <JS Function HashMap.get (SharedFunctionInfo 0x272d4a9a7af1)>
      1: 0x3455c7ba6a71 ; rdx 0x3455c7ba6a71 <a HashMap with map 0x36a97b233069>
      2: 0x17e4475c9e09 ; [fp - 24] 0x17e4475c9e09 <FixedArray[6]>
      3: argumets object #0 (length = 0)
      4: 0x254ba3306779 ; (literal 2) 0x254ba3306779 <Odd Oddball: optimized_out>
      5: 0x254ba3306779 ; (literal 2) 0x254ba3306779 <Odd Oddball: optimized_out>
      6: 0x254ba3306779 ; (literal 2) 0x254ba3306779 <Odd Oddball: optimized_out>
      7: 0x254ba3306779 ; (literal 2) 0x254ba3306779 <Odd Oddball: optimized_out>
      8: 0x254ba3304311 ; (literal 1) 0x254ba3304311 <undefined>
  translating frame HashMap.get => node=272, height=48
    0x7fad762a0290: [top + 80] <- 0x3455c7ba6a71 ;  0x3455c7ba6a71 <a HashMap with map 0x36a97b233069>  (input #1)
    0x7fad762a0288: [top + 72] <- 0x277579e08ed5 ;  caller's pc
    0x7fad762a0280: [top + 64] <- 0x7fad762a02b0 ;  caller's fp
    0x7fad762a0278: [top + 56] <- 0x17e4475c9e09 ;  context    0x17e4475c9e09 <FixedArray[6]>  (input #2)
    0x7fad762a0270: [top + 48] <- 0x272d4a9af8d9 ;  function    0x272d4a9af8d9 <JS Function HashMap.get (SharedFunctionInfo 0x272d4a9a7af1)>  (input #0)
    0x7fad762a0268: [top + 40] <- 0x254ba3304529 ;  0x254ba3304529 <Odd Oddball: arguments_marker>  (input #3)
    0x7fad762a0260: [top + 32] <- 0x254ba3306779 ;  0x254ba3306779 <Odd Oddball: optimized_out>  (input #4)
    0x7fad762a0258: [top + 24] <- 0x254ba3306779 ;  0x254ba3306779 <Odd Oddball: optimized_out>  (input #5)
    0x7fad762a0250: [top + 16] <- 0x254ba3306779 ;  0x254ba3306779 <Odd Oddball: optimized_out>  (input #6)
    0x7fad762a0248: [top + 8] <- 0x254ba3306779 ;  0x254ba3306779 <Odd Oddball: optimized_out>  (input #7)
    0x7fad762a0240: [top + 0] <- 0x254ba3304311 ;  0x254ba3304311 <undefined>  (input #8)
[deoptimizing (eager): end 0x272d4a9af8d9 <JS Function HashMap.get (SharedFunctionInfo 0x272d4a9a7af1)> @13 => node=272, pc=0x27757b619e0b, caller sp=0x7fad762a0298, state=NO_REGISTERS, took 0.375 ms]
Materialization [0x7fad762a0268] <- 0x255e02c66579 ;  0x255e02c66579 <an Arguments with map 0x2fcf0da5f0c1>
[removing optimized code for: HashMap.get]

Comment 7 by jarin@chromium.org, Jun 1 2016

Small repro for d8 --allow-natives-syntax:

function f() {
  // Alias the arguments object in a local; this alias is what the Crankshaft
  // environment liveness analysis mishandled (its hydrogen value can change).
  var arguments_ = arguments;
  if (undefined) {
    // Never-taken branch that still contains a use of the alias.
    while (true) {
      arguments_[0];
    }
  } else {
    // Force an eager deopt here. With the bug, the alias was zapped to the
    // optimized_out oddball in the deopt environment, so the read below
    // hits a non-receiver and aborts (compare the stack in comment 1).
    %DeoptimizeNow();
    return arguments_[0];
  }
}

f(0);                            // warm up to collect type feedback
f(0);
%OptimizeFunctionOnNextCall(f);  // compile f with Crankshaft (requires --allow-natives-syntax)
f(0);                            // runs the optimized code and deopts inside it
Project Member Comment 8 by bugdroid1@chromium.org, Jun 1 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/1428fbe224dc2df0cb6f59e4959430f7aa614064

commit 1428fbe224dc2df0cb6f59e4959430f7aa614064
Author: jarin <jarin@chromium.org>
Date: Wed Jun 01 12:03:27 2016

[crankshaft] Only exclude explicit 'arguments' (and 'this') from liveness analysis.

Currently, we do not emit EnvironmentMarkers if the hydrogen value
in the environment is arguments object. As the hydrogen value can change
for local variables, we emit only some environment markers. That can
cause environment liveness analysis to mark part of live range as live
and part as dead. The zapping phase then only inserts zaps in
live->dead transitions, potentially zapping a live value.

With this CL, we only emit EnvironmentMarkers for 'this' and
'arguments' local variables, disregarding the hydrogen value.

BUG= chromium:612146 
LOG=n

Review-Url: https://codereview.chromium.org/2026173003
Cr-Commit-Position: refs/heads/master@{#36641}

[modify] https://crrev.com/1428fbe224dc2df0cb6f59e4959430f7aa614064/src/crankshaft/hydrogen.h
[add] https://crrev.com/1428fbe224dc2df0cb6f59e4959430f7aa614064/test/mjsunit/regress/regress-612146.js

Project Member Comment 9 by bugdroid1@chromium.org, Jun 1 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/8b0a6dd6522f0253f6a7301d32e53ff7873a0238

commit 8b0a6dd6522f0253f6a7301d32e53ff7873a0238
Author: machenbach <machenbach@chromium.org>
Date: Wed Jun 01 12:44:36 2016

Revert of [crankshaft] Only exclude explicit 'arguments' (and 'this') from liveness analysis. (patchset #2 id:20001 of https://codereview.chromium.org/2026173003/ )

Reason for revert:
Triggers crashes on the deopt fuzzer:
https://build.chromium.org/p/client.v8/builders/V8%20Deopt%20Fuzzer/builds/10608

Repro:
out/Release/d8 --test --random-seed=849179141 --deopt-every-n-times 149 --nohard-abort --nodead-code-elimination --nofold-constants --noconcurrent-recompilation test/webkit/resources/standalone-pre.js test/webkit/dfg-arguments-mixed-alias.js test/webkit/resources/standalone-post.js

Original issue's description:
> [crankshaft] Only exclude explicit 'arguments' (and 'this') from liveness analysis.
>
> Currently, we do not emit EnvironmentMarkers if the hydrogen value
> in the environment is arguments object. As the hydrogen value can change
> for local variables, we emit only some environment markers. That can
> cause environment liveness analysis to mark part of live range as live
> and part as dead. The zapping phase then only inserts zaps in
> live->dead transitions, potentially zapping a live value.
>
> With this CL, we only emit EnvironmentMarkers for 'this' and
> 'arguments' local variables, disregarding the hydrogen value.
>
> BUG= chromium:612146 
> LOG=n
>
> Committed: https://crrev.com/1428fbe224dc2df0cb6f59e4959430f7aa614064
> Cr-Commit-Position: refs/heads/master@{#36641}

TBR=jkummerow@chromium.org,jarin@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG= chromium:612146 

Review-Url: https://codereview.chromium.org/2029563002
Cr-Commit-Position: refs/heads/master@{#36644}

[modify] https://crrev.com/8b0a6dd6522f0253f6a7301d32e53ff7873a0238/src/crankshaft/hydrogen.h
[delete] https://crrev.com/dc78e0d4d7f8e67d99165ee4fc5cc118e1be2a9f/test/mjsunit/regress/regress-612146.js

Project Member Comment 10 by bugdroid1@chromium.org, Jun 2 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/0d4c526a1dff8747838fe4269ab23522499a89fc

commit 0d4c526a1dff8747838fe4269ab23522499a89fc
Author: jarin <jarin@chromium.org>
Date: Thu Jun 02 04:27:33 2016

[crankshaft] Reland "Only exclude explicit 'arguments' (and 'this') from liveness analysis."

Reland of https://codereview.chromium.org/2026173003 (reverted by
https://codereview.chromium.org/2029563002).

Additionally, we need to record environment markers even for the
case of a.length, where a is aliased arguments (which crankshaft
optimizes to constant for the inlined case or to HArgumentsLength
when not inlined).

BUG= chromium:612146 

Review-Url: https://codereview.chromium.org/2028243002
Cr-Commit-Position: refs/heads/master@{#36662}

[modify] https://crrev.com/0d4c526a1dff8747838fe4269ab23522499a89fc/src/crankshaft/hydrogen.cc
[modify] https://crrev.com/0d4c526a1dff8747838fe4269ab23522499a89fc/src/crankshaft/hydrogen.h
[add] https://crrev.com/0d4c526a1dff8747838fe4269ab23522499a89fc/test/mjsunit/regress/regress-612146.js

Status: Fixed (was: Assigned)