Failure in v8::Object::SlowGetAlignedPointerFromInternalField
Reported by ja...@krypton.io, Nov 1 2016
Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36

Steps to reproduce the problem:
1. Set breakpoint during load
2. Debug Tools > Profiles > Take Heap Snapshot
3. Crash

What is the expected behavior?
Not crashing...

What went wrong?
Consistently crashes

Did this work before? N/A

Chrome version: 54.0.2840.71 Channel: stable
OS Version: OS X 10.10.5
Flash Version: Shockwave Flash 23.0 r0

This happens consistently every time for me. I know this is not the most useful bug repro as it is a bit difficult to narrow down the root cause. If I wait longer into code execution I can take a heap snapshot just fine. This happens when I try to take a snapshot:
- During the componentWillMount of the root React component in our app.
- There is a rather small memory footprint at this point in time, which is why I'm trying to capture a snapshot before we pull down a bunch of resources from the server.
- The snapshot starts and the progress indicator makes me believe it is making progress up until the point where the tab Aww Snaps.

Crash ID 0138ea82-239f-4bed-a8e2-7ec16ac2ca95 (Server ID: 6dfeae1b00000000)
Comment 1 by meh...@chromium.org, Nov 1 2016

Thread 0 CRASHED [EXC_BAD_ACCESS / KERN_INVALID_ADDRESS @ 0xfbadbeef ]
MAGIC SIGNATURE THREAD
0x00000001087524d4 (Google Chrome Framework -V8Initializer.cpp:96 ) blink::reportFatalErrorInMainThread(char const*, char const*)
0x0000000104f7716e (Google Chrome Framework -api.cc:337 ) v8::Object::SlowGetAlignedPointerFromInternalField(int)
0x00000001087e17f1 (Google Chrome Framework -v8.h:8284 ) blink::DOMWindowV8Internal::securityCheck(v8::Local<v8::Context>, v8::Local<v8::Object>, v8::Local<v8::Value>)
0x00000001053a1df5 (Google Chrome Framework -isolate.cc:959 ) v8::internal::Isolate::MayAccess(v8::internal::Handle<v8::internal::Context>, v8::internal::Handle<v8::internal::JSObject>)
0x00000001053ddfc9 (Google Chrome Framework -objects.cc:1107 ) v8::internal::JSReceiver::GetDataProperty(v8::internal::Handle<v8::internal::JSReceiver>, v8::internal::Handle<v8::internal::Name>)
0x00000001053eda7e (Google Chrome Framework -objects.cc:2945 ) v8::internal::JSReceiver::GetConstructorName(v8::internal::Handle<v8::internal::JSReceiver>)
0x000000010548c7c4 (Google Chrome Framework -heap-snapshot-generator.cc:1680 ) v8::internal::V8HeapExplorer::GetConstructorName(v8::internal::JSObject*)
0x000000010548bb9f (Google Chrome Framework -heap-snapshot-generator.cc:801 ) v8::internal::V8HeapExplorer::AddEntry(v8::internal::HeapObject*)
0x0000000105498dff (Google Chrome Framework -heap-snapshot-generator.cc:887 ) v8::internal::SnapshotFiller::AddEntry(void*, v8::internal::HeapEntriesAllocator*)
0x0000000105491876 (Google Chrome Framework -heap-snapshot-generator.cc:1686 ) bool v8::internal::V8HeapExplorer::IterateAndExtractSinglePass<&(v8::internal::V8HeapExplorer::ExtractReferencesPass1(int, v8::internal::HeapObject*))>()
0x000000010549160b (Google Chrome Framework -heap-snapshot-generator.cc:1780 ) v8::internal::V8HeapExplorer::IterateAndExtractReferences(v8::internal::SnapshotFiller*)
0x0000000105496011 (Google Chrome Framework -heap-snapshot-generator.cc:2574 ) v8::internal::HeapSnapshotGenerator::GenerateSnapshot()
0x0000000105489aab (Google Chrome Framework -heap-profiler.cc:71 ) v8::internal::HeapProfiler::TakeSnapshot(v8::ActivityControl*, v8::HeapProfiler::ObjectNameResolver*)
0x00000001085a5c36 (Google Chrome Framework -V8HeapProfilerAgentImpl.cpp:227 ) v8_inspector::V8HeapProfilerAgentImpl::takeHeapSnapshot(blink::protocol::String16*, blink::protocol::Maybe<bool> const&)
0x00000001085e79e5 (Google Chrome Framework -HeapProfiler.cpp:296 ) blink::protocol::HeapProfiler::DispatcherImpl::takeHeapSnapshot(int, std::__1::unique_ptr<blink::protocol::DictionaryValue, std::__1::default_delete<blink::protocol::DictionaryValue> >, blink::protocol::ErrorSupport*)
0x00000001085e6cdd (Google Chrome Framework -HeapProfiler.cpp:205 ) blink::protocol::HeapProfiler::DispatcherImpl::dispatch(int, blink::protocol::String16 const&, std::__1::unique_ptr<blink::protocol::DictionaryValue, std::__1::default_delete<blink::protocol::DictionaryValue> >)
0x00000001085d1010 (Google Chrome Framework -InspectorProtocol.cpp:781 ) blink::protocol::UberDispatcher::dispatch(blink::protocol::String16 const&)
0x0000000108f68110 (Google Chrome Framework -InspectorSession.cpp:77 ) blink::InspectorSession::dispatchProtocolMessage(WTF::String const&, WTF::String const&)
0x00000001086cc0a7 (Google Chrome Framework -WebDevToolsAgentImpl.cpp:582 ) blink::WebDevToolsAgentImpl::dispatchOnInspectorBackend(int, int, blink::WebString const&, blink::WebString const&)
0x0000000109754970 (Google Chrome Framework -devtools_agent.cc:275 ) content::DevToolsAgent::OnDispatchOnInspectorBackend(int, int, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&)
0x0000000109754741 (Google Chrome Framework -tuple.h:144 ) bool IPC::MessageT<DevToolsAgentMsg_DispatchOnInspectorBackend_Meta, std::__1::tuple<int, int, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > >, void>::Dispatch<content::DevToolsAgent, content::DevToolsAgent, void, void (content::DevToolsAgent::*)(int, int, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&)>(IPC::Message const*, content::DevToolsAgent*, content::DevToolsAgent*, void*, void (content::DevToolsAgent::*)(int, int, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&))
0x0000000109753e20 (Google Chrome Framework -devtools_agent.cc:108 ) content::DevToolsAgent::OnMessageReceived(IPC::Message const&)
0x00000001097b1d74 (Google Chrome Framework -render_frame_impl.cc:1456 ) content::RenderFrameImpl::OnMessageReceived(IPC::Message const&)
0x000000010714527e (Google Chrome Framework -message_router.cc:52 ) IPC::MessageRouter::RouteMessage(IPC::Message const&)
0x00000001071451db (Google Chrome Framework -message_router.cc:44 ) IPC::MessageRouter::OnMessageReceived(IPC::Message const&)
0x00000001083d0383 (Google Chrome Framework -child_thread_impl.cc:775 ) content::ChildThreadImpl::OnMessageReceived(IPC::Message const&)
0x0000000107132e0a (Google Chrome Framework -ipc_channel_proxy.cc:314 ) IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const&)
0x000000010608a25a (Google Chrome Framework -callback.h:388 ) base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&)
0x000000010854f492 (Google Chrome Framework -task_queue_manager.cc:315 ) blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(blink::scheduler::internal::WorkQueue*, blink::scheduler::internal::TaskQueueImpl::Task*)
0x000000010854e31d (Google Chrome Framework -task_queue_manager.cc:218 ) blink::scheduler::TaskQueueManager::DoWork(base::TimeTicks, bool)
0x000000010608a25a (Google Chrome Framework -callback.h:388 ) base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&)
0x00000001060ac06b (Google Chrome Framework -message_loop.cc:488 ) base::MessageLoop::RunTask(base::PendingTask const&)
0x00000001060ac3ab (Google Chrome Framework -message_loop.cc:497 ) base::MessageLoop::DeferOrRunPendingTask(base::PendingTask)
0x00000001060ac752 (Google Chrome Framework -message_loop.cc:621 ) base::MessageLoop::DoWork()
0x00000001060ae8dc (Google Chrome Framework -message_pump_mac.mm:330 ) base::MessagePumpCFRunLoopBase::RunWork()
0x00000001060a2489 (Google Chrome Framework + 0x018b8489 ) base::mac::CallWithEHFrame(void () block_pointer)
0x00000001060ae2e3 (Google Chrome Framework -message_pump_mac.mm:306 ) base::MessagePumpCFRunLoopBase::RunWorkSource(void*)
0x00007fff8e798a00 (CoreFoundation + 0x00080a00 ) __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__
0x00007fff8e78ab8c (CoreFoundation + 0x00072b8c ) __CFRunLoopDoSources0
0x00007fff8e78a1be (CoreFoundation + 0x000721be ) __CFRunLoopRun
0x00007fff8e789bd7 (CoreFoundation + 0x00071bd7 ) CFRunLoopRunSpecific
0x00007fff97d08b28 (Foundation + 0x00090b28 ) -[NSRunLoop(NSRunLoop) runMode:beforeDate:]
0x00000001060aef5d (Google Chrome Framework -message_pump_mac.mm:608 ) base::MessagePumpNSRunLoop::DoRun(base::MessagePump::Delegate*)
0x00000001060ae733 (Google Chrome Framework -message_pump_mac.mm:238 ) base::MessagePumpCFRunLoopBase::Run(base::MessagePump::Delegate*)
0x00000001060c9050 (Google Chrome Framework -run_loop.cc:35 ) base::RunLoop::Run()
0x0000000109755d8f (Google Chrome Framework -devtools_agent.cc:63 ) content::(anonymous namespace)::WebKitClientMessageLoopImpl::run()
0x00000001086cda46 (Google Chrome Framework -WebDevToolsAgentImpl.cpp:223 ) blink::ClientMessageLoopAdapter::runLoop(blink::WebLocalFrameImpl*)
0x0000000108590f79 (Google Chrome Framework -V8Debugger.cpp:452 ) v8_inspector::V8Debugger::handleProgramBreak(v8::Local<v8::Context>, v8::Local<v8::Object>, v8::Local<v8::Value>, v8::Local<v8::Array>, bool)
0x000000010859203e (Google Chrome Framework -V8Debugger.cpp:527 ) v8_inspector::V8Debugger::handleV8DebugEvent(v8::Debug::EventDetails const&)
0x0000000105270b6c (Google Chrome Framework -debug.cc:1857 ) v8::internal::Debug::CallEventCallback(v8::DebugEvent, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, v8::Debug::ClientData*)
... 63 more
0x00003c5d80deda53
0x00003c5d80ded55e
0x00003c5d79107e54
0x00003c5d7914a7c2
0x00003c5d7912aa80
0x00000001052b1043 (Google Chrome Framework -execution.cc:141 ) v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, bool, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, v8::internal::Handle<v8::internal::Object>)
0x00000001052b0cf8 (Google Chrome Framework -execution.cc:178 ) <name omitted>
0x0000000104f755d8 (Google Chrome Framework -api.cc:4521 ) v8::Function::Call(v8::Local<v8::Context>, v8::Local<v8::Value>, int, v8::Local<v8::Value>*)
0x000000010875d56f (Google Chrome Framework -V8ScriptRunner.cpp:516 ) blink::V8ScriptRunner::callFunction(v8::Local<v8::Function>, blink::ExecutionContext*, v8::Local<v8::Value>, int, v8::Local<v8::Value>*, v8::Isolate*)
0x000000010874c7bf (Google Chrome Framework -V8EventListener.cpp:96 ) blink::V8EventListener::callListenerFunction(blink::ScriptState*, v8::Local<v8::Value>, blink::Event*)
0x000000010874594b (Google Chrome Framework -V8AbstractEventListener.cpp:130 ) blink::V8AbstractEventListener::invokeEventHandler(blink::ScriptState*, blink::Event*, v8::Local<v8::Value>)
0x000000010874581e (Google Chrome Framework -V8AbstractEventListener.cpp:95 ) blink::V8AbstractEventListener::handleEvent(blink::ScriptState*, blink::Event*)
0x000000010874573d (Google Chrome Framework -V8AbstractEventListener.cpp:84 ) blink::V8AbstractEventListener::handleEvent(blink::ExecutionContext*, blink::Event*)
0x0000000108b0ee03 (Google Chrome Framework -EventTarget.cpp:648 ) blink::EventTarget::fireEventListeners(blink::Event*, blink::EventTargetData*, blink::HeapVector<blink::RegisteredEventListener, 1ul>&)
0x0000000108b0e5da (Google Chrome Framework -EventTarget.cpp:541 ) blink::EventTarget::fireEventListeners(blink::Event*)
0x0000000108ec1a9f (Google Chrome Framework -LocalDOMWindow.cpp:1421 ) blink::LocalDOMWindow::dispatchEvent(blink::Event*, blink::EventTarget*)
0x0000000108ec183d (Google Chrome Framework -LocalDOMWindow.cpp:1394 ) blink::LocalDOMWindow::dispatchLoadEvent()
0x0000000108ec1861 (Google Chrome Framework -LocalDOMWindow.cpp:414 ) blink::LocalDOMWindow::documentWasClosed()
0x0000000108a4f31e (Google Chrome Framework -Document.cpp:2624 ) blink::Document::implicitClose()
0x0000000108fa00f4 (Google Chrome Framework -FrameLoader.cpp:636 ) blink::FrameLoader::checkCompleted()
0x0000000108f9ffe2 (Google Chrome Framework -FrameLoader.cpp:554 ) blink::FrameLoader::finishedParsing()
0x0000000108a59012 (Google Chrome Framework -Document.cpp:4823 ) blink::Document::finishedParsing()
0x0000000108c09e98 (Google Chrome Framework -HTMLDocumentParser.cpp:869 ) blink::HTMLDocumentParser::prepareToStopParsing()
0x0000000108c0bdd9 (Google Chrome Framework -HTMLDocumentParser.cpp:524 ) blink::HTMLDocumentParser::processTokenizedChunkFromBackgroundParser(std::__1::unique_ptr<blink::HTMLDocumentParser::TokenizedChunk, std::__1::default_delete<blink::HTMLDocumentParser::TokenizedChunk> >)
0x0000000108c0a4ca (Google Chrome Framework -HTMLDocumentParser.cpp:573 ) blink::HTMLDocumentParser::pumpPendingSpeculations()
0x000000010855739b (Google Chrome Framework -bind_internal.h:164 ) base::internal::Invoker<base::internal::BindState<void (*)(std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> >), base::internal::PassedWrapper<std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> > > >, void ()>::Run(base::internal::BindStateBase*)
0x000000010608a25a (Google Chrome Framework -callback.h:388 ) base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&)
0x000000010854f492 (Google Chrome Framework -task_queue_manager.cc:315 ) blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(blink::scheduler::internal::WorkQueue*, blink::scheduler::internal::TaskQueueImpl::Task*)
0x000000010854e31d (Google Chrome Framework -task_queue_manager.cc:218 ) blink::scheduler::TaskQueueManager::DoWork(base::TimeTicks, bool)
0x000000010608a25a (Google Chrome Framework -callback.h:388 ) base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&)
0x00000001060ac06b (Google Chrome Framework -message_loop.cc:488 ) base::MessageLoop::RunTask(base::PendingTask const&)
0x00000001060ac3ab (Google Chrome Framework -message_loop.cc:497 ) base::MessageLoop::DeferOrRunPendingTask(base::PendingTask)
0x00000001060ac752 (Google Chrome Framework -message_loop.cc:621 ) base::MessageLoop::DoWork()
0x00000001060ae8dc (Google Chrome Framework -message_pump_mac.mm:330 ) base::MessagePumpCFRunLoopBase::RunWork()
0x00000001060a2489 (Google Chrome Framework + 0x018b8489 ) base::mac::CallWithEHFrame(void () block_pointer)
0x00000001060ae2e3 (Google Chrome Framework -message_pump_mac.mm:306 ) base::MessagePumpCFRunLoopBase::RunWorkSource(void*)
0x00007fff8e798a00 (CoreFoundation + 0x00080a00 ) __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__
0x00007fff8e78ab8c (CoreFoundation + 0x00072b8c ) __CFRunLoopDoSources0
0x00007fff8e78a1be (CoreFoundation + 0x000721be ) __CFRunLoopRun
0x00007fff8e789bd7 (CoreFoundation + 0x00071bd7 ) CFRunLoopRunSpecific
0x00007fff97d08b28 (Foundation + 0x00090b28 ) -[NSRunLoop(NSRunLoop) runMode:beforeDate:]
0x00000001060aef5d (Google Chrome Framework -message_pump_mac.mm:608 ) base::MessagePumpNSRunLoop::DoRun(base::MessagePump::Delegate*)
0x00000001060ae733 (Google Chrome Framework -message_pump_mac.mm:238 ) base::MessagePumpCFRunLoopBase::Run(base::MessagePump::Delegate*)
0x00000001060c9050 (Google Chrome Framework -run_loop.cc:35 ) base::RunLoop::Run()
0x000000010980cb79 (Google Chrome Framework -renderer_main.cc:198 ) content::RendererMain(content::MainFunctionParams const&)
0x0000000105c2cb89 (Google Chrome Framework -content_main_runner.cc:786 ) content::ContentMainRunnerImpl::Run()
0x0000000105c2bdb5 (Google Chrome Framework -content_main.cc:20 ) content::ContentMain(content::ContentMainParams const&)
0x00000001047ed449 (Google Chrome Framework -chrome_main.cc:85 ) ChromeMain
0x00000001047b3d59 (Google Chrome Helper -chrome_exe_main_mac.c:85 ) main
0x00000001047b3b43 (Google Chrome Helper + 0x00000b43 ) start
Nov 2 2016
Nov 23 2016

There are a bunch of reports with similar symptoms, see e.g. cd2ac9ef00000000. Doesn't seem to be related to the heap profiler. Looks more like a corrupt heap. Ulan, could you please help to track it down. Thank you.
Nov 23 2016
Dec 12 2016
jason@, does the crash reproduce with the new chrome 55?
Dec 22 2016

Users experienced this crash on the following builds:
Mac Canary 57.0.2958.0 - 0.75 CPM, 2 reports, 1 clients (signature v8::Object::SlowGetAlignedPointerFromInternalField)
If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates. - Go/Fracas
Jan 12 2017

Sorry about the delay. I still see the issue on: Version 55.0.2883.95 (64-bit). Pretty easy for me to trigger reliably. More recent crash report when I tried: 57cfc77b-597c-4dae-ae22-7a39051a7546 (Server ID: c54cf9a480000000)
Feb 1 2017

Users experienced this crash on the following builds:
Mac Canary 58.0.2999.0 - 1.63 CPM, 1 reports, 1 clients (signature v8::Object::SlowGetAlignedPointerFromInternalField)
If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates. - Go/Fracas
Feb 4 2017

The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/39afa5af0682e43a1f1175bc39225168860d556b

commit 39afa5af0682e43a1f1175bc39225168860d556b
Author: kozyatinskiy <kozyatinskiy@chromium.org>
Date: Sat Feb 04 01:21:58 2017

[inspector] fixed taskHeapSnapshot on pause

Blink uses access checks to be sure that objects from one context don't access objects in another. The heap profiler uses the current context to call these checks; we need to be sure that the current context is empty to allow the heap profiler to collect all objects without crashing.

BUG= chromium:661223
R=alph@chromium.org,ulan@chromium.org

Review-Url: https://codereview.chromium.org/2669393002
Cr-Commit-Position: refs/heads/master@{#42939}

[modify] https://crrev.com/39afa5af0682e43a1f1175bc39225168860d556b/src/profiler/heap-snapshot-generator.cc
[add] https://crrev.com/39afa5af0682e43a1f1175bc39225168860d556b/test/inspector/heap-profiler/take-heap-snapshot-on-pause-expected.txt
[add] https://crrev.com/39afa5af0682e43a1f1175bc39225168860d556b/test/inspector/heap-profiler/take-heap-snapshot-on-pause.js
[modify] https://crrev.com/39afa5af0682e43a1f1175bc39225168860d556b/test/inspector/inspector-test.cc
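The mechanism the commit message describes, as an added toy model in C++ that is not V8's or Blink's code (Context, Isolate, MayAccess, EmptyContextScope, SnapshotSucceeds and the sample heap are assumed names and values that only mirror the trace above): the snapshot walk names every object through the cross-context access check, which hits the fatal internal-field read when a paused script's context is current, and a save/clear/restore guard around the walk avoids it.

```cpp
#include <memory>
#include <stdexcept>
#include <string>
#include <vector>

// Toy model, not V8/Blink code: all names are assumptions mirroring the trace.
struct Context { std::string security_token; };
struct HeapObject {
  std::string constructor_name;
  const Context* creation_context;
  bool has_internal_fields;  // true for DOM wrappers, false for plain objects
};
struct Isolate {
  const Context* current_context = nullptr;  // non-null while paused in script
};
// Cross-context access check: with no current context there is no running
// script to protect, so it is skipped. Otherwise it reads the wrapper's
// internal fields, the fatal path in the trace when the object has none.
bool MayAccess(const Isolate& isolate, const HeapObject& obj) {
  if (isolate.current_context == nullptr) return true;
  if (!obj.has_internal_fields)
    throw std::runtime_error("fatal: internal field read on non-wrapper");
  return isolate.current_context->security_token ==
         obj.creation_context->security_token;
}
// The heap explorer names each object via its constructor; that read goes
// through the access check (the securityCheck/MayAccess frames in the trace).
std::string GetConstructorName(const Isolate& isolate, const HeapObject& obj) {
  return MayAccess(isolate, obj) ? obj.constructor_name : "(access denied)";
}
// The fix's idea as an RAII guard: empty the current context for the
// duration of the snapshot, then restore it so the paused frame is intact.
class EmptyContextScope {
 public:
  explicit EmptyContextScope(Isolate& isolate)
      : isolate_(isolate), saved_(isolate.current_context) {
    isolate_.current_context = nullptr;
  }
  ~EmptyContextScope() { isolate_.current_context = saved_; }
 private:
  Isolate& isolate_;
  const Context* saved_;
};
// Walks the heap like the snapshot generator; true if no object hit the
// fatal path. clear_context=false is the pre-fix behaviour.
bool SnapshotSucceeds(Isolate& isolate, const std::vector<HeapObject>& heap,
                      bool clear_context) {
  std::unique_ptr<EmptyContextScope> scope;
  if (clear_context) scope.reset(new EmptyContextScope(isolate));
  try {
    for (const HeapObject& obj : heap) GetConstructorName(isolate, obj);
    return true;
  } catch (const std::runtime_error&) { return false; }
}
// Constructed sample heap: one DOMWindow wrapper, one plain prototype object.
std::vector<HeapObject> SampleHeap(const Context& page) {
  return {{"Window", &page, true}, {"Object", &page, false}};
}
```

To run it stand-alone, add a main that sets an Isolate's current_context to a Context (the paused-on-breakpoint state) and compares SnapshotSucceeds(..., false) with SnapshotSucceeds(..., true).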
Feb 12 2017
This crash has high impact on Chrome's stability. Signature: v8::Object::SlowGetAlignedPointerFromInternalField. Channel: canary. Platform: mac. Labeling issue 661223 with ReleaseBlock-Dev. If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates. - Go/Fracas
Feb 14 2017
The chromecrash has a note: recent spike is rooted to Issue 691269. So removing the release block label.
Jul 24 2017

Marking as fixed based on #10