V8 Crash - unable to find pc offset during deoptimization
Issue description

Windows 10
30f577b8cd883fbdf8c278a5534ff578e0ab8f1a Wed Jun 29 21:04:35 2016 -0700

Chrome x86 Debug builds crash pretty consistently on http://news.bbc.co.uk/

Debug info:

Stacktrace (fefefefe-fefefeff) 3EAAC339 3AFCB7D1:
==== JS stack trace =========================================

Security context: 35072B2D <String[18]: http://www.bbc.com>
    2: /* anonymous */ [/* anonymous */:1] [pc=3A6796A9](this=38E987F5 <JS Global Object>#0#)
    3: Pa [/* anonymous */:1] [pc=3A679589](this=38E987F5 <JS Global Object>#0#,a=3D290325 <a Ma with map 38DBFE21>#1#,b=38E5617D <String[21]: osd_listener::message>,c=38AC7895 <JS Function (SharedFunctionInfo 3AFCEEBD)>#2#)
    4: /* anonymous */ [/* anonymous */:1] [pc=3A66AE46](this=38E987F5 <JS Global Object>#0#)
    5: arguments adaptor frame: 1->0

==== Details ================================================

[2]: /* anonymous */ [/* anonymous */:1] [pc=3A6796A9](this=38E987F5 <JS Global Object>#0#) {
  // expression stack (top to bottom)
  [02] : 38AC77E5 <a MessageEvent with map 38DA8A31>#3#
  [01] : 38E987F5 <JS Global Object>#0#
  [00] : 35F94BDD <JS Function apply (SharedFunctionInfo 32B4F22D)>#4#
--------- s o u r c e c o d e ---------
function (){return b.apply(void 0,d)}
-----------------------------------------
}

[3]: Pa [/* anonymous */:1] [pc=3A679589](this=38E987F5 <JS Global Object>#0#,a=3D290325 <a Ma with map 38DBFE21>#1#,b=38E5617D <String[21]: osd_listener::message>,c=38AC7895 <JS Function (SharedFunctionInfo 3AFCEEBD)>#2#) {
  // stack-allocated locals
  var d = 32B081F1 <undefined>
  var e = 32B081F1 <undefined>
  var f = 32B081F1 <undefined>
  // expression stack (top to bottom)
  [06] : 38E987F5 <JS Global Object>#0#
  [05] : 38AC7895 <JS Function (SharedFunctionInfo 3AFCEEBD)>#2#
  [04] : 3D269641 <FixedArray[143]>#5#
  [03] : 3D269641 <FixedArray[143]>#5#
--------- s o u r c e c o d e ---------
function Pa(a,b,c){var d;try{d=c()}catch(g){var e=a.i;try{var f=Oa(g),e=a.J.call(a,b,f,void 0,void 0)}catch(h){a.s("pAR",h)}if(!e)throw g;}finally{}return d}
-----------------------------------------
}

[4]: /* anonymous */ [/* anonymous */:1] [pc=3A66AE46](this=38E987F5 <JS Global Object>#0#) {
  // stack-allocated locals
  var arguments = 38AC7815 <an Arguments with map 38D1CFA5>#6#
  var e = 1
  // heap-allocated locals
  var d = 38AC7835 <JS Array[1]>#7#
  // expression stack (top to bottom)
  [06] : 38AC7895 <JS Function (SharedFunctionInfo 3AFCEEBD)>#2#
  [05] : 38E5617D <String[21]: osd_listener::message>
  [04] : 3D290325 <a Ma with map 38DBFE21>#1#
  [03] : 38E987F5 <JS Global Object>#0#
  [02] : 3D269DC1 <JS Function Pa (SharedFunctionInfo 3AFC9C55)>#8#
--------- s o u r c e c o d e ---------
function (){for(var d=[],e=0;e<arguments.length;++e)d[e]=arguments[e];return Pa(c,a,function(){return b.apply(void 0,d)})}
-----------------------------------------
}

[5]: arguments adaptor frame: 1->0 {
  // actual arguments
  [00] : 38AC77E5 <a MessageEvent with map 38DA8A31>#3#  // not passed to callee
}

==== Key ============================================

#0# 38E987F5: 38E987F5 <JS Global Object>
#1# 3D290325: 3D290325 <a Ma with map 38DBFE21>
  u: 3D2B11C9 <JS Object>#9#
  K: 36A4B58D <String[7]: jserror>
  i: 32B08251 <true>
  j: 32B08101 <null>
  A: 32B08141 <false>
#2# 38AC7895: 38AC7895 <JS Function (SharedFunctionInfo 3AFCEEBD)>
#3# 38AC77E5: 38AC77E5 <a MessageEvent with map 38DA8A31>
#4# 35F94BDD: 35F94BDD <JS Function apply (SharedFunctionInfo 32B4F22D)>
#5# 3D269641: 3D269641 <FixedArray[143]>
  0: 3D2A7835 <JS Function (SharedFunctionInfo 3AFC8461)>#10#
  1: 35F8D685 <FixedArray[183]>#11#
  3: 35F8D685 <FixedArray[183]>#11#
  4: 38E987F5 <JS Global Object>#0#
  5: 3D22E7F9 <JS Function aa (SharedFunctionInfo 3AFC860D)>#12#
  6: 3D22DC31 <JS Function l (SharedFunctionInfo 3AFC8689)>#13#
  7: 3D2A7859 <JS Function ba (SharedFunctionInfo 3AFC8705)>#14#
  8: 35F943B1 <JS Function now (SharedFunctionInfo 32B4FE75)>#15#
  9: 3D2A787D <JS Function ca (SharedFunctionInfo 3AFC8879)>#16#

(1ac0.1be0): Access violation - code c0000005 (first chance)

7:045> .lastevent
Last event: 1ac0.1be0: Access violation - code c0000005 (first chance)
  debugger time: Thu Jun 30 13:38:30.973 2016 (UTC - 7:00)

7:045> r
eax=00000000 ebx=3afcb7d1 ecx=b1c40af0 edx=00000000 esi=0000191f edi=3eaac339
eip=00000000 esp=0116523c ebp=0116d258 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
00000000 ??              ???

7:045> kn200
 # ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
00 01165238 1142dfad 0x0
01 0116523c 11165db7 v8!v8::base::OS::Abort+0xd
02 0116d258 1105ffe0 v8!v8::internal::Isolate::PushStackTraceAndDie+0x87
03 0116d314 111e260a v8!v8::internal::Deoptimizer::GetOutputInfo+0x130
04 0116d32c 10e47396 v8!v8::internal::SharedFunctionInfo::VerifyBailoutId+0x3a
05 0116d350 10e481aa v8!v8::internal::compiler::AstGraphBuilder::PrepareEagerCheckpoint+0x66
06 0116d370 10e4c6de v8!v8::internal::compiler::AstGraphBuilder::AstTestContext::ProduceValue+0xaa
07 (Inline) -------- v8!v8::internal::compiler::AstGraphBuilder::AstContext::ReplaceValue+0xf
08 0116d394 10e4a896 v8!v8::internal::compiler::AstGraphBuilder::VisitComma+0x5e
09 0116d3b8 10f26aa2 v8!v8::internal::compiler::AstGraphBuilder::VisitBinaryOperation+0x136
0a 0116d3cc 10e4f228 v8!v8::internal::compiler::`anonymous namespace'::AstGraphBuilderWithPositions::VisitBinaryOperation+0x22
0b (Inline) -------- v8!v8::internal::compiler::AstGraphBuilder::Visit+0x3e
0c 0116d400 10e4a788 v8!v8::internal::compiler::AstGraphBuilder::VisitLogicalExpression+0x158
0d 0116d424 10f26aa2 v8!v8::internal::compiler::AstGraphBuilder::VisitBinaryOperation+0x28
0e 0116d438 10e4e7a7 v8!v8::internal::compiler::`anonymous namespace'::AstGraphBuilderWithPositions::VisitBinaryOperation+0x22
0f 0116d464 10e4ec3d v8!v8::internal::compiler::AstGraphBuilder::VisitForTest+0xf7
10 0116d488 10f26ef2 v8!v8::internal::compiler::AstGraphBuilder::VisitIfStatement+0x2d
11 0116d49c 10e49050 v8!v8::internal::compiler::`anonymous namespace'::AstGraphBuilderWithPositions::VisitIfStatement+0x22
12 0116d4ac 10da2ccf v8!v8::internal::compiler::AstGraphBuilder::Visit+0x30
13 0116d4c8 10e4a99f v8!v8::internal::AstVisitor::VisitStatements+0x3f
14 0116d514 10f26ad2 v8!v8::internal::compiler::AstGraphBuilder::VisitBlock+0xff
15 0116d528 10e4ec7e v8!v8::internal::compiler::`anonymous namespace'::AstGraphBuilderWithPositions::VisitBlock+0x22
16 (Inline) -------- v8!v8::internal::compiler::AstGraphBuilder::Visit+0x26
17 0116d54c 10f26ef2 v8!v8::internal::compiler::AstGraphBuilder::VisitIfStatement+0x6e
18 0116d560 10e49050 v8!v8::internal::compiler::`anonymous namespace'::AstGraphBuilderWithPositions::VisitIfStatement+0x22
19 0116d570 10da2ccf v8!v8::internal::compiler::AstGraphBuilder::Visit+0x30
1a 0116d58c 10e45545 v8!v8::internal::AstVisitor::VisitStatements+0x3f
1b 0116d5ac 10e4529b v8!v8::internal::compiler::AstGraphBuilder::CreateGraphBody+0x115
1c 0116d650 10f24de6 v8!v8::internal::compiler::AstGraphBuilder::CreateGraph+0x1fb
1d (Inline) -------- v8!v8::internal::compiler::`anonymous-namespace'::AstGraphBuilderWithPositions::CreateGraph+0x2c
1e 0116d758 10f22227 v8!v8::internal::compiler::GraphBuilderPhase::Run+0xa6
1f (Inline) -------- v8!v8::internal::compiler::PipelineImpl::Run+0x36
20 0116d8c0 10f22acb v8!v8::internal::compiler::PipelineImpl::CreateGraph+0x207
21 0116d8d8 10e33f84 v8!v8::internal::compiler::PipelineCompilationJob::CreateGraphImpl+0x10b
22 0116d9a4 10e36434 v8!v8::internal::CompilationJob::CreateGraph+0x224
23 0116da14 10e3614c v8!v8::internal::`anonymous namespace'::GetOptimizedCodeLater+0x194
24 0116dac4 10e332a9 v8!v8::internal::`anonymous namespace'::GetOptimizedCode+0x3ac
25 0116dbe0 11280a2c v8!v8::internal::Compiler::CompileOptimized+0x99
26 0116dc14 1127f104 v8!v8::internal::__RT_impl_Runtime_CompileOptimized_Concurrent+0x16c
27 0116dc30 3380a0de v8!v8::internal::Runtime_CompileOptimized_Concurrent+0x64
28 0116dc54 338399df 0x3380a0de
29 0116dc74 3a6796a9 0x338399df
2a 0116dc90 3a679589 0x3a6796a9
2b 0116dcbc 3a66ae46 0x3a679589
2c 0116dce8 3380b5f6 0x3a66ae46
2d 0116dd00 3383979e 0x3380b5f6
2e 0116dd1c 33824623 0x3383979e
2f 0116dd48 1107e35b 0x33824623
30 0116ddb8 1107db7e v8!v8::internal::`anonymous namespace'::Invoke+0x19b
31 0116de00 10d6857e v8!v8::internal::Execution::Call+0x1ee
32 0116de9c 17bbe756 v8!v8::Function::Call+0x28e
33 0116df04 17af7805 blink_core!blink::V8ScriptRunner::callFunction+0x2a6
34 0116df2c 17af77c9 blink_core!blink::ScriptController::callFunction+0x25
35 0116df5c 17b75955 blink_core!blink::ScriptController::callFunction+0x59
36 0116e04c 17b67c13 blink_core!blink::V8EventListener::callListenerFunction+0x3a5
37 0116e0d8 17b67995 blink_core!blink::V8AbstractEventListener::invokeEventHandler+0x113
38 0116e110 17b678ec blink_core!blink::V8AbstractEventListener::handleEvent+0x95
39 0116e138 1817cf28 blink_core!blink::V8AbstractEventListener::handleEvent+0xdc
3a 0116e1ec 1817d248 blink_core!blink::EventTarget::fireEventListeners+0x488
3b 0116e398 1817c7e7 blink_core!blink::EventTarget::fireEventListeners+0x1f8
3c 0116e3ac 1817c6b2 blink_core!blink::EventTarget::dispatchEventInternal+0x37
3d 0116e3bc 18733677 blink_core!blink::EventTarget::dispatchEvent+0x22
3e 0116e41c 18737103 blink_core!blink::LocalDOMWindow::dispatchMessageEventWithOriginCheck+0x197
3f 0116e4e4 18734a53 blink_core!blink::LocalDOMWindow::postMessageTimerFired+0x1f3
40 0116e504 1348af27 blink_core!blink::PostMessageTimer::fired+0x63
41 0116e608 1348acb8 blink_platform!blink::TimerBase::runInternal+0x247
42 0116e614 162c514c blink_platform!blink::TimerBase::CancellableTimerTask::run+0x28
43 0116e620 162c45af scheduler!scheduler::WebTaskRunnerImpl::runTask+0x1c
44 0116e630 162c4533 scheduler!base::internal::RunnableAdapter<void (__cdecl*)(std::unique_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> >)>::Run<std::unique_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> > >+0x1f
45 0116e63c 162c4609 scheduler!base::internal::InvokeHelper<0,void>::MakeItSo<base::internal::RunnableAdapter<void (__cdecl*)(std::unique_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> >)> const &,std::unique_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> > >+0x23
46 0116e650 162c4c04 scheduler!base::internal::Invoker<base::internal::BindState<base::internal::RunnableAdapter<void (__cdecl*)(std::unique_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> >)>,base::internal::PassedWrapper<std::unique_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> > > >,void __cdecl(void)>::RunImpl<base::internal::RunnableAdapter<void (__cdecl*)(std::unique_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> >)> const &,std::tuple<base::internal::PassedWrapper<std::unique_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> > > > const &,0>+0x39
47 0116e66c 1003cc8e scheduler!base::internal::Invoker<base::internal::BindState<base::internal::RunnableAdapter<void (__cdecl*)(std::unique_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> >)>,base::internal::PassedWrapper<std::unique_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> > > >,void __cdecl(void)>::Run+0x24
48 0116e680 1006b634 base!base::Callback<void __cdecl(void),1>::Run+0x1e
49 0116e700 1629c200 base!base::debug::TaskAnnotator::RunTask+0x144
4a 0116e8b8 1629aeb8 scheduler!scheduler::TaskQueueManager::ProcessTaskFromWorkQueue+0x3c0
4b 0116ea24 16292b63 scheduler!scheduler::TaskQueueManager::DoWork+0x258
4c 0116ea40 16292ade scheduler!base::internal::RunnableAdapter<void (__thiscall scheduler::TaskQueueManager::*)(base::TimeTicks,bool)>::Run<base::WeakPtr<scheduler::TaskQueueManager> const &,base::TimeTicks const &,bool const &>+0x43
4d 0116ea54 16292bf2 scheduler!base::internal::InvokeHelper<1,void>::MakeItSo<base::internal::RunnableAdapter<void (__thiscall scheduler::TaskQueueManager::*)(base::TimeTicks,bool)> const &,base::WeakPtr<scheduler::TaskQueueManager> const &,base::TimeTicks const &,bool const &>+0x4e
4e 0116ea6c 1629c8a4 scheduler!base::internal::Invoker<base::internal::BindState<base::internal::RunnableAdapter<void (__thiscall scheduler::TaskQueueManager::*)(base::TimeTicks,bool)>,base::WeakPtr<scheduler::TaskQueueManager>,base::TimeTicks &,bool>,void __cdecl(void)>::RunImpl<base::internal::RunnableAdapter<void (__thiscall scheduler::TaskQueueManager::*)(base::TimeTicks,bool)> const &,std::tuple<base::WeakPtr<scheduler::TaskQueueManager>,base::TimeTicks,bool> const &,0,1,2>+0x72
4f 0116ea88 1003cc8e scheduler!base::internal::Invoker<base::internal::BindState<base::internal::RunnableAdapter<void (__thiscall scheduler::TaskQueueManager::*)(base::TimeTicks,bool)>,base::WeakPtr<scheduler::TaskQueueManager>,base::TimeTicks &,bool>,void __cdecl(void)>::Run+0x24
50 0116ea9c 1006b634 base!base::Callback<void __cdecl(void),1>::Run+0x1e
51 0116eb1c 100d9770 base!base::debug::TaskAnnotator::RunTask+0x144
52 0116ed04 100d750d base!base::MessageLoop::RunTask+0x280
53 0116ed14 100d7903 base!base::MessageLoop::DeferOrRunPendingTask+0x2d
54 0116ed70 100df959 base!base::MessageLoop::DoDelayedWork+0x123
55 0116ee8c 100d94b1 base!base::MessagePumpDefault::Run+0xe9
56 0116ef64 10180674 base!base::MessageLoop::RunHandler+0xc1
57 0116ef8c 100d93ac base!base::RunLoop::Run+0x34
58 0116f070 0d0f3bd5 base!base::MessageLoop::Run+0xbc
59 0116f1c0 0d540097 content!content::RendererMain+0x345
5a 0116f28c 0d53ff58 content!content::RunNamedProcessTypeMain+0x87
5b 0116f45c 0d53df44 content!content::ContentMainRunnerImpl::Run+0x1e8
5c 0116f480 03fa5fe8 content!content::ContentMain+0x64
5d 0116f4c4 004417e4 chrome_3ed0000!ChromeMain+0x68
5e 0116f5d0 0043d5d5 chrome!MainDllLoader::Launch+0x394
5f 0116f7e4 006d72de chrome!wWinMain+0x275
60 0116f7fc 006d712a chrome!invoke_main+0x1e
61 0116f854 006d6fbd chrome!__scrt_common_main_seh+0x15a
62 0116f85c 006d72f8 chrome!__scrt_common_main+0xd
63 0116f864 759238f4 chrome!wWinMainCRTStartup+0x8
64 0116f878 77365de3 KERNEL32!BaseThreadInitThunk+0x24
65 0116f8c0 77365dae ntdll!__RtlUserThreadStart+0x2f
66 0116f8d0 00000000 ntdll!_RtlUserThreadStart+0x1b
Jul 1 2016
This is the verification I added to eager checkpoints.
Jul 1 2016
Working on a fix. Simple repro:

// run with: d8 --allow-natives-syntax repro.js
function f(a,b,c,d,e) {
  if (a && (b, c ? d() : e())) return 0;
}
f();   // warm-up: a is undefined, so the comma expression is never reached
f();
%OptimizeFunctionOnNextCall(f);
f();   // triggers the TurboFan compile; VerifyBailoutId fires while the graph is built
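The repro above, turned into a small harness. This is an added example, not code from this report or from the V8 repository. It generates functions whose `if` condition is a comma expression in test context (the shape named in the fix), warms each one up, requests optimization the way the repro does, and checks that the optimized call returns what the unoptimized call returned and takes the same arm. Only the first condition is the original repro; the other conditions, the `d`/`e` call log, and the fallback when `%OptimizeFunctionOnNextCall` is unavailable are constructed for this example.

```javascript
'use strict';
// Added example for crbug 624919, not code from the report or from V8.
// Exercises comma expressions in test context (the shape that made TurboFan
// emit a mismatched eager bailout point) under the repro's warm-up /
// optimize / re-run protocol and compares unoptimized and optimized results.

// %OptimizeFunctionOnNextCall only parses when the engine was started with
// --allow-natives-syntax (d8 or node), so compile it lazily. Without the flag
// the harness still runs, it just never forces a TurboFan compile.
const optimizeOnNextCall = (() => {
  try {
    return new Function('f', '%OptimizeFunctionOnNextCall(f);');
  } catch (e) {
    return () => {};  // natives syntax unavailable: unoptimized only
  }
})();

// Conditions to exercise. The first is the original repro; the rest are
// constructed variants that keep a comma expression in test context.
const CONDITIONS = [
  'a && (b, c ? d() : e())',      // original repro
  'a || (b, c ? d() : e())',      // comma expression on the || path
  '!(a && (b, c ? d() : e()))',   // negated, still test context
  'a && (b, b, c ? d() : e())',   // nested comma expression
];

// Build  function (a, b, c, d, e) { if (<cond>) return 0; return 1; }
function buildFunction(cond) {
  return new Function('a', 'b', 'c', 'd', 'e',
                      'if (' + cond + ') return 0; return 1;');
}

// Run one condition with the given a and c. d() and e() record which arm of
// the conditional executed, so evaluation order is checked as well as the
// result. Protocol from the repro: call twice, mark for optimization, call
// again; the optimized call must agree with the unoptimized one.
function runVariant(cond, a, c) {
  const f = buildFunction(cond);
  const log = [];
  const d = () => { log.push('d'); return 1; };
  const e = () => { log.push('e'); return 0; };
  const args = [a, 'unused', c, d, e];

  const unoptimized = f(...args);  // warm-up call 1, not yet optimized
  f(...args);                      // warm-up call 2
  optimizeOnNextCall(f);
  log.length = 0;                  // keep only what the next call records
  const optimized = f(...args);    // compiled by TurboFan when the flag is on
  if (unoptimized !== optimized) {
    throw new Error('optimized result differs for: ' + cond);
  }
  return { result: optimized, log: log.slice() };
}

// Evaluate every condition over a small truth table for a and c.
function runAll() {
  const table = {};
  for (const cond of CONDITIONS) {
    table[cond] = {};
    for (const [a, c] of [[1, 1], [1, 0], [0, 1], [0, 0]]) {
      table[cond][a + ',' + c] = runVariant(cond, a, c);
    }
  }
  return table;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runAll(), null, 2));
}
```

Run it as `d8 --allow-natives-syntax harness.js` or `node --allow-natives-syntax harness.js`; without the flag the semantics are still checked but TurboFan is never forced. On an x86 Debug build from before the fix, the third call of the first variant is the one that compiles `f`, which is where the VerifyBailoutId check in the stack trace above fires.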
Jul 1 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/920bc17c97676a238ce079ac569a827b64fcd817

commit 920bc17c97676a238ce079ac569a827b64fcd817
Author: mstarzinger <mstarzinger@chromium.org>
Date: Fri Jul 01 09:50:36 2016

[turbofan] Fix eager bailout point after comma expression.

This ensures no eager bailout point is emitted after a comma expression in test context where the right-hand side omitted an eager bailout point as well. This is to stay in sync with full-codegen.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-624919
BUG=chromium:624919

Review-Url: https://codereview.chromium.org/2113893004
Cr-Commit-Position: refs/heads/master@{#37475}

[modify] https://crrev.com/920bc17c97676a238ce079ac569a827b64fcd817/src/compiler/ast-graph-builder.cc
[add] https://crrev.com/920bc17c97676a238ce079ac569a827b64fcd817/test/mjsunit/regress/regress-crbug-624919.js
Jul 1 2016
Fixed. Thanks for the detailed report!
Comment 1 by robliao@chromium.org, Jun 30 2016