
Issue 698431

Issue metadata

Status: WontFix
Owner:
Last visit > 30 days ago
Closed: Mar 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug
v8: coverage crashes

Reported by caseq@chromium.org (Project Member), Mar 4 2017

Issue description

Chrome Version: ToT (92feb33d4dfa486c134e10cec36ff8b85e31d3aa)

What steps will reproduce the problem?
(1) Open DevTools on new tab page
(2) Start and stop coverage
(3) The inspected renderer crashes.

#
# Fatal error in ../../v8/src/api.cc, line 9376
# Check failed: column_number >= 0.
#

Stack trace:

#0  v8::base::OS::Abort () at ../../v8/src/base/platform/platform-posix.cc:253
#1  0x00007f549f59512c in OpenHandle (that=<optimized out>, allow_empty_handle=<error reading variable: access outside bounds of object referenced via synthetic pointer>) at ../../v8/src/api.h:345
#2  v8::debug::Coverage::FunctionData::FunctionData (this=0x7f549ff9940a, function=0x24a0, script=...) at ../../v8/src/api.cc:9560
#3  0x00007f549f595286 in v8::debug::Coverage::ScriptData::GetFunctionData (this=<optimized out>, i=<optimized out>) at ../../v8/src/api.cc:9587
#4  0x00007f549ff80e62 in v8_inspector::(anonymous namespace)::takeCoverage (isolate=<optimized out>, reset_count=<optimized out>, out_result=0x7ffdac48d9d0)
    at ../../v8/src/inspector/v8-profiler-agent-impl.cc:305

(gdb) fr 4
#4  0x00007f549ff80e62 in v8_inspector::(anonymous namespace)::takeCoverage (isolate=<optimized out>, 
    reset_count=<optimized out>, out_result=0x7ffdac48d9d0)
    at ../../v8/src/inspector/v8-profiler-agent-impl.cc:305
305               script_data.GetFunctionData(j);


(gdb) p (*script_data.script_.script.location_)->Print()
0x12b3fe53acf1: [Script]
 - source: 0x2b79cc9ae281 <String[48]: (function(event){google.aft&&google.aft(this)\n})>
 - name: 0x1dc0e881d869 <String[54]: https://www.google.com/_/chrome/newtab?espv=2&ie=UTF-8>
 - line_offset: 0
 - column_offset: -17
 - type: 2
 - id: 38
 - context data: 1
 - wrapper: 0x18153a502311 <undefined>
 - compilation type: 1
 - line ends: 0x1176dc420a79 <FixedArray[2]>
 - eval from shared: 0x18153a507d39 <SharedFunctionInfo>
 - eval from position: 0
 - shared function infos: 0x2b79cc9ae2c9 <FixedArray[2]>

The negative offset comes from:
[...]
#5 0x7f7482b31e2e v8::internal::Compiler::GetFunctionFromEval()
#6 0x7f748296c4b2 v8::ScriptCompiler::CompileFunctionInContext()
#7 0x7f74777cef63 blink::V8LazyEventListener::compileScript()
#8 0x7f74777ce397 blink::V8LazyEventListener::getListenerObjectInternal()
#9 0x7f747776024f blink::V8AbstractEventListener::getListenerObject()
#10 0x7f74777cdce5 blink::V8LazyEventListener::callListenerFunction()
#11 0x7f7477799a96 blink::V8AbstractEventListener::invokeEventHandler()
#12 0x7f74777997ff blink::V8AbstractEventListener::handleEvent()
#13 0x7f7477799609 blink::V8AbstractEventListener::handleEvent()
#14 0x7f74780364e9 blink::EventTarget::fireEventListeners()
#15 0x7f747803571b blink::EventTarget::fireEventListeners()
#16 0x7f7477daa232 blink::Node::handleLocalEvents()
#17 0x7f747804569f blink::NodeEventContext::handleLocalEvents()
#18 0x7f7478019842 blink::EventDispatcher::dispatchEventAtTarget()
#19 0x7f7478018b72 blink::EventDispatcher::dispatch()
#20 0x7f7478017b91 blink::EventDispatchMediator::dispatchEvent()
#21 0x7f7478017f7a blink::EventDispatcher::dispatchEvent()
#22 0x7f7477daa2c4 blink::Node::dispatchEventInternal()
#23 0x7f74780353bc blink::EventTarget::dispatchEvent()
#24 0x7f74781fa9fa blink::HTMLImageLoader::dispatchLoadEvent()
#25 0x7f74788d7478 blink::ImageLoader::dispatchPendingLoadEvent()
#26 0x7f74788d7392 blink::ImageLoader::dispatchPendingEvent()
#27 0x7f74788d85a1 blink::EventSender<>::dispatchPendingEvents()
#28 0x7f74788d9079 blink::EventSender<>::timerFired()
#29 0x7f747776a751 blink::TaskRunnerTimer<>::fired()
#30 0x7f74819f35bd blink::TimerBase::runInternal()

Cc: -kozyatinskiy@chromium.org yangguo@chromium.org
Owner: kozyatinskiy@chromium.org
Blink is bad, V8 is good.

#4 0x7fe817d376d2 v8::base::OS::Abort()
#5 0x7fe82076cf6d v8::internal::Compiler::GetFunctionFromEval()
#6 0x7fe8205a74b1 v8::ScriptCompiler::CompileFunctionInContext()
#7 0x7fe815404aec blink::V8LazyEventListener::compileScript()
#8 0x7fe815403fc7 blink::V8LazyEventListener::getListenerObjectInternal()
#9 0x7fe815395e9f blink::V8AbstractEventListener::getListenerObject()
#10 0x7fe815403915 blink::V8LazyEventListener::callListenerFunction()
#11 0x7fe8153cf6c6 blink::V8AbstractEventListener::invokeEventHandler()
#12 0x7fe8153cf42f blink::V8AbstractEventListener::handleEvent()
#13 0x7fe8153cf239 blink::V8AbstractEventListener::handleEvent()
#14 0x7fe815c6b779 blink::EventTarget::fireEventListeners()
#15 0x7fe815c6a9ab blink::EventTarget::fireEventListeners()
#16 0x7fe8159df532 blink::Node::handleLocalEvents()
#17 0x7fe815c7a92f blink::NodeEventContext::handleLocalEvents()
#18 0x7fe815c4ead2 blink::EventDispatcher::dispatchEventAtTarget()
#19 0x7fe815c4de02 blink::EventDispatcher::dispatch()
#20 0x7fe815c4ce21 blink::EventDispatchMediator::dispatchEvent()
#21 0x7fe815c4d20a blink::EventDispatcher::dispatchEvent()
#22 0x7fe8159df5c4 blink::Node::dispatchEventInternal()
#23 0x7fe815c6a64c blink::EventTarget::dispatchEvent()
#24 0x7fe815e2fc8a blink::HTMLImageLoader::dispatchLoadEvent()

I'm still debugging this to find the actual root.
Ok, Friday is not a good day for debugging, but the root of this is line [1]:
https://cs.chromium.org/chromium/src/v8/src/api.cc?rcl=c9b4087f4a00632b7133c491addac7272d45cbef&l=2334

We generate something like (function(..) { .. actual inline event listener code .. }) to build a function for V8LazyEventListener. To still correctly show the location of errors in the HTML source, we pass this magic negative column_offset for the generated anonymous function; otherwise V8 would return the location within the function, and with the embedder's column_offset we would be off by the length of "(function(..) {".

We additionally need this fake function to expose it via the element.onevent getter at runtime.
I think we can remove the CHECK which produces the crash and investigate a better solution. It looks like we can introduce some additional debugger hint for the script object, which would contain the V8-generated offset.

Yang, WDYT?
I think the hint we need is already there: the column offset is negative. I suggest we just set the start at column 0.

But given the proposed change of the coverage format to use source offsets instead of line/column, this issue will disappear anyway.
Status: WontFix (was: Assigned)
The method was migrated to offsets, so this is not an issue.
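The following is model code added for this page to illustrate the mechanism the comments describe; it is not Blink or V8 source. The prefix "(function(event){" and its length (17, the -17 in the Script dump) come from the thread; the suffix, the attribute-column arithmetic in wrapInlineHandler, the rule that the column offset applies only to the first line, and all function names are assumptions made for the illustration. It shows why the wrapper function's own start maps to a negative column (the CHECK that fired), how the "clamp to column 0" suggestion behaves, and how an offset-based mapping reaches the attribute position.

```javascript
// Added example (not Blink/V8 code): models how an inline event handler
// attribute is wrapped into a function and handed to V8 with a negative
// column offset so positions in the body map back to the HTML source.

// The prefix is the one shown in the Script dump on this page (17 chars).
// The suffix is an assumption for this model.
const WRAPPER_PREFIX = "(function(event){";
const WRAPPER_SUFFIX = "\n})";

// Assumed embedder behaviour: the body is spliced into the wrapper and the
// script's column offset is the attribute's column minus the prefix length,
// so generated column WRAPPER_PREFIX.length lands on the attribute column.
function wrapInlineHandler(body, attrLine, attrColumn) {
  return {
    source: WRAPPER_PREFIX + body + WRAPPER_SUFFIX,
    lineOffset: attrLine,
    columnOffset: attrColumn - WRAPPER_PREFIX.length,
  };
}

// Apply the script's line/column offsets to a (line, column) in the
// generated source. Modelled on V8: the column offset only shifts line 0.
function toEmbedderPosition(script, line, column) {
  return {
    line: line + script.lineOffset,
    column: line === 0 ? column + script.columnOffset : column,
  };
}

// Convert an offset into the generated source to an embedder position by
// counting line ends before it, then applying the offsets above.
function offsetToEmbedderPosition(script, offset) {
  const before = script.source.slice(0, offset);
  const line = (before.match(/\n/g) || []).length;
  const column = offset - (before.lastIndexOf("\n") + 1);
  return toEmbedderPosition(script, line, column);
}

// Pre-fix behaviour: coverage's FunctionData demanded column_number >= 0.
// The wrapper function starts at (0, 0) of the generated source, so its
// embedder column is the negative offset itself. Modelled as a thrown
// Error instead of the V8 abort.
function functionStartChecked(script, line, column) {
  const pos = toEmbedderPosition(script, line, column);
  if (pos.column < 0) {
    throw new Error("Check failed: column_number >= 0.");
  }
  return pos;
}

// Yang's suggestion in the thread: a negative column is already the hint
// that this is the synthetic wrapper, so clamp its start to column 0.
function functionStartClamped(script, line, column) {
  const pos = toEmbedderPosition(script, line, column);
  return { line: pos.line, column: Math.max(0, pos.column) };
}

// Walk-through for the script from the crash dump (constructed input):
function demo() {
  const script = wrapInlineHandler("google.aft&&google.aft(this)", 0, 0);
  let crashed = false;
  try {
    functionStartChecked(script, 0, 0);
  } catch (e) {
    crashed = true;
  }
  return {
    sourceLength: script.source.length,             // 48, as in the dump
    columnOffset: script.columnOffset,              // -17, as in the dump
    crashed,                                        // true before the fix
    clampedStart: functionStartClamped(script, 0, 0),
    bodyStart: offsetToEmbedderPosition(script, WRAPPER_PREFIX.length),
  };
}
```

Coverage reported as source offsets sidesteps all of this: offsets into the generated source are never negative, and the inspector can map them through offsetToEmbedderPosition only where it needs embedder coordinates.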