XFA document crashing in V8
Issue description

When running in XFA mode, the document http://www.cic.gc.ca/english/pdf/kits/forms/IMM5257E.pdf crashes in V8. It seems like the stack trace is getting corrupted as none of the pdfium_test symbols come out and everything after frame 6 is not symbolized. I tracked this back to the V8 roll from Sept 29 (https://codereview.chromium.org/2378663004). pdfium_test crashes on that roll CL, but doesn't crash on the prior version of v8.

==== C stack trace ===============================
Development/pdfium/pdfium/out/Debug/pdfium_test() [0xe0fd93]
Development/pdfium/pdfium/out/Debug/pdfium_test() [0xe0c13d]
Development/pdfium/pdfium/out/Debug/pdfium_test() [0xa381f0]
Development/pdfium/pdfium/out/Debug/pdfium_test() [0xa3b39d]
Development/pdfium/pdfium/out/Debug/pdfium_test() [0xc1d57a]
Development/pdfium/pdfium/out/Debug/pdfium_test() [0xc1d0c7]
Development/pdfium/pdfium/out/Debug/pdfium_test() [0xc135f0]
Development/pdfium/pdfium/out/Debug/pdfium_test() [0xc131fc]
[0x3b597dc843a7]

Program received signal SIGILL, Illegal instruction.
v8::base::OS::Abort () at ../../v8/src/base/platform/platform-posix.cc:230
230       V8_IMMEDIATE_CRASH();
(gdb) bt
#0  v8::base::OS::Abort () at ../../v8/src/base/platform/platform-posix.cc:230
#1  0x0000000000a381f0 in v8::internal::LookupIterator::dictionary_entry (this=<optimized out>) at ../../v8/src/lookup.h:320
#2  0x0000000000a3b39d in v8::internal::LookupIterator::GetPropertyCell (this=0x17be75e <.L.str.9>) at ../../v8/src/lookup.cc:639
#3  0x0000000000c1d57a in v8::internal::(anonymous namespace)::DeclareGlobal (isolate=<optimized out>, global=..., name=..., value=..., attr=v8::internal::DONT_DELETE, is_var=<optimized out>, is_function_declaration=<optimized out>, redeclaration_type=v8::internal::(anonymous namespace)::RedeclarationType::kSyntaxError, feedback_vector=..., slot=...) at ../../v8/src/runtime/runtime-scopes.cc:127
#4  0x0000000000c1d0c7 in v8::internal::(anonymous namespace)::DeclareGlobals (isolate=0x1e898c0, pairs=..., flags=<optimized out>, feedback_vector=...) at ../../v8/src/runtime/runtime-scopes.cc:141
#5  0x0000000000c135f0 in v8::internal::__RT_impl_Runtime_DeclareGlobals (args=..., isolate=0x1e898c0) at ../../v8/src/runtime/runtime-scopes.cc:193
#6  0x0000000000c131fc in v8::internal::Runtime_DeclareGlobals (args_length=3, args_object=<optimized out>, isolate=0x1e898c0) at ../../v8/src/runtime/runtime-scopes.cc:185
#7  0x00003b597dc843a7 in ?? ()
#8  0x00007fffffffaca0 in ?? ()
#9  0x00003b597dc842e1 in ?? ()
#10 0x00007fffffffac20 in ?? ()
#11 0x0000000300000000 in ?? ()
#12 0x00007fffffffac78 in ?? ()
#13 0x00003b597dd86bc1 in ?? ()
#14 0x00003ce9bd475191 in ?? ()
#15 0x0000000000000000 in ?? ()
Oct 19 2016
Oct 19 2016
The stack is not corrupted, it's just that gdb can't unwind V8 jitted frames. There should be some output above the C stack trace that says which DCHECK failed. From looking at the source, it's the DCHECK(has_property_); When I build pdfium, I don't get a pdfium_test, just pdfium_embeddertests :-/ Is that target maybe not available in gn? Lei/Dan, could one of you please provide some help with reproducing this? cc ishell, who changed the code in frame #3
Oct 19 2016
You need to set the following in your gn args to get pdfium_test:

  pdf_is_standalone = true

You can also test in chrome by changing the build_overrides/pdfium.gni setting for pdf_enable_xfa_override to true and rebuilding chrome.
Oct 19 2016
Actually, that might be due to Franzi's changes. I think what happens is that there's an interceptor on the global object, and for some reason we end up in runtime-scopes.cc:127 while the LookupIterator is in state INTERCEPTOR and interceptor_mode kProcessNonMasking.
Nov 10 2016
Nov 10 2016
I hit this too. Let us know how we can help with the repro. I think one can just do:

  mkdir ~/pdfium
  cd ~/pdfium
  fetch pdfium

to get a PDFium checkout.
Nov 10 2016
And for the GN config, I would recommend:

  use_goma = true
  is_debug = true
  pdf_use_skia = false
  pdf_enable_xfa = true
  pdf_enable_v8 = true
  pdf_is_standalone = true
  use_sysroot = false
  is_component_build = false
Nov 22 2016
Nov 22 2016
Nov 22 2016
Feb 8 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/0c137304e6e9ff6d6e627260f2877ba1944738c4

commit 0c137304e6e9ff6d6e627260f2877ba1944738c4
Author: franzih <franzih@chromium.org>
Date: Wed Feb 08 11:49:58 2017

[runtime] Skip vector config for interceptors.

Do not preinitialize the feedback vector slot if the lookup iterator is an interceptor, because it is not guaranteed that the iterator has a PropertyCell. If the HandlerConfiguration has a non-masking intercepting setter, the iterator does not have a valid PropertyCell.

BUG= chromium:656648
Review-Url: https://codereview.chromium.org/2674103002
Cr-Commit-Position: refs/heads/master@{#43034}

[modify] https://crrev.com/0c137304e6e9ff6d6e627260f2877ba1944738c4/src/runtime/runtime-scopes.cc
[modify] https://crrev.com/0c137304e6e9ff6d6e627260f2877ba1944738c4/test/cctest/test-api-interceptors.cc
Feb 8 2017
Comment 1 by dsinclair@chromium.org, Oct 17 2016