Issue 753932 link

Starred by 1 user

Issue metadata

Status:	WontFix
Owner:	ahaas@chromium.org
Closed:	Aug 20
Cc:	leszeks@chromium.org cbruni@chromium.org mstarzinger@chromium.org
Components:	Blink>JavaScript
EstimatedDays:	----
NextAction:	----
OS:	Linux
Pri:	2
Type:	Bug
Hotlist-Recharge-Cold

Chromium crash at DCHECK in v8/src/objects/shared-function-info-inl.h

Project Member Reported by l...@chromium.org, Aug 9 2017

Issue description

Build chromium TOT

What steps will reproduce the problem?
  (1) Build chromium TOT with dcheck_always_on = true and is_debug = false
  (2) Open chromium, open websites like cnn.com
  (3) wait and observer, chromium will crash at DCHECK in v8/src/objects/shared-function-info-inl.h

What is the expected result?

  chromium should not crash

What happens instead?

  chromium crash


The stack trace is:

# Fatal error in ../../v8/src/objects/shared-function-info-inl.h, line 155
# Debug check failed: index <= Context::LAST_FUNCTION_MAP_INDEX (153 vs. 145).
#
#0 0x562bd84cda27 base::debug::StackTrace::StackTrace()
#1 0x562bda948fd5 gin::(anonymous namespace)::PrintStackTrace()
#2 0x562bda80e94d V8_Fatal()
#3 0x562bd7a6f819 v8::internal::Factory::NewFunctionFromSharedFunctionInfo()
#4 0x562bd76ce322 v8::UnboundScript::BindToCurrentContext()
#5 0x562bd76d1bf5 v8::ScriptCompiler::Compile()
#6 0x562bdbe76fa9 blink::(anonymous namespace)::CompileAndConsumeCache()
#7 0x562bdbe775c1 _ZN4base8internal13FunctorTraitsIPFN2v810MaybeLocalINS2_6ScriptEEEPN5blink21CachedMetadataHandlerEN3WTF10PassRefPtrINS6_14CachedMetadataEEENS2_14ScriptCompiler14CompileOptionsEPNS2_7IsolateENS2_5LocalINS2_6StringEEENS2_12ScriptOriginEEvE6InvokeIJRKNS6_10PersistentIS7_EEPSB_RKSE_SG_SJ_SK_EEES5_SM_DpOT_
#8 0x562bdbe77533 _ZN4base8internal7InvokerINS0_9BindStateIPFN2v810MaybeLocalINS3_6ScriptEEEPN5blink21CachedMetadataHandlerEN3WTF10PassRefPtrINS7_14CachedMetadataEEENS3_14ScriptCompiler14CompileOptionsEPNS3_7IsolateENS3_5LocalINS3_6StringEEENS3_12ScriptOriginEEJNS7_10PersistentIS8_EENSA_6RefPtrISC_EESF_EEEFS6_SH_SK_SL_EE3RunEPNS0_13BindStateBaseEOSH_OSK_OSL_
#9 0x562bdbe734d7 blink::V8ScriptRunner::CompileScript()
#10 0x562bdbe72e26 blink::V8ScriptRunner::CompileScript()
#11 0x562bdbe5874c blink::ScriptController::ExecuteScriptAndReturnValue()
#12 0x562bdbe591a8 blink::ScriptController::EvaluateScriptInMainWorld()
#13 0x562bdbe592c8 blink::ScriptController::ExecuteScriptInMainWorld()
#14 0x562bdcf0aad5 blink::ScriptLoader::DoExecuteScript()
#15 0x562bdcf0a807 blink::ScriptLoader::ExecuteScriptBlock()
#16 0x562bdc57345b blink::(anonymous namespace)::DoExecuteScript()
#17 0x562bdc5732fb blink::HTMLParserScriptRunner::ExecutePendingScriptAndDispatchEvent()
#18 0x562bdc574979 blink::HTMLParserScriptRunner::ExecuteParsingBlockingScripts()
#19 0x562bdc574c77 blink::HTMLParserScriptRunner::ExecuteScriptsWaitingForLoad()
#20 0x562bdc56d791 blink::HTMLDocumentParser::NotifyScriptLoaded()
#21 0x562bdc573c3d blink::HTMLParserScriptRunner::PendingScriptFinished()
#22 0x562bdc276761 blink::ClassicPendingScript::AdvanceReadyState()
#23 0x562bdc276499 blink::ClassicPendingScript::FinishWaitingForStreaming()
#24 0x562bdc27628a blink::ClassicPendingScript::StreamingFinished()
#25 0x562bdbe608f2 blink::ScriptStreamer::NotifyFinishedToClient()
#26 0x562bdbe60073 blink::ScriptStreamer::NotifyFinished()
#27 0x562bdc276839 blink::ClassicPendingScript::NotifyFinished()
#28 0x562bd7fe20b7 blink::Resource::CheckNotify()
#29 0x562bd7fe33c1 blink::Resource::Finish()
#30 0x562bd7ff55b0 blink::ResourceFetcher::HandleLoaderFinish()
#31 0x562bdbdfbc2a content::WebURLLoaderImpl::Context::OnCompletedRequest()
#32 0x562bda7d41a6 content::ResourceDispatcher::OnRequestComplete()
#33 0x562bd6a0b33c content::ThrottlingURLLoader::OnComplete()
#34 0x562bd6824d79 content::mojom::URLLoaderClientStubDispatch::Accept()
#35 0x562bd903f1ef mojo::InterfaceEndpointClient::HandleValidatedMessage()
#36 0x562bd9053986 mojo::FilterChain::Accept()
#37 0x562bd90404fc mojo::InterfaceEndpointClient::HandleIncomingMessage()
#38 0x562bd90482d2 mojo::internal::MultiplexRouter::ProcessIncomingMessage()
#39 0x562bd9047a35 mojo::internal::MultiplexRouter::Accept()
#40 0x562bd9053986 mojo::FilterChain::Accept()
#41 0x562bd903e181 mojo::Connector::ReadSingleMessage()
#42 0x562bd903eba2 mojo::Connector::ReadAllAvailableMessages()
#43 0x562bd903ea1c mojo::Connector::OnHandleReadyInternal()
#44 0x562bd6bfd820 mojo::SimpleWatcher::DiscardReadyState()
#45 0x562bd9056252 mojo::SimpleWatcher::OnHandleReady()
#46 0x562bd9056718 _ZN4base8internal7InvokerINS0_9BindStateIMN4mojo13SimpleWatcherEFvijRKNS3_18HandleSignalsStateEEJNS_7WeakPtrIS4_EEijS5_EEEFvvEE7RunImplIRKS9_RKNSt3__15tupleIJSB_ijS5_EEEJLm0ELm1ELm2ELm3EEEEvOT_OT0_NS_13IndexSequenceIJXspT1_EEEE
#47 0x562bd84ce15b base::debug::TaskAnnotator::RunTask()
#48 0x562bd801d978 blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue()
#49 0x562bd801b584 blink::scheduler::TaskQueueManager::DoWork()
#50 0x562bd6cfc882 _ZN4base8internal7InvokerINS0_9BindStateIMN6policy17AsyncPolicyLoaderEFvbEJNS_7WeakPtrIS4_EEbEEEFvvEE3RunEPNS0_13BindStateBaseE
#51 0x562bd84ce15b base::debug::TaskAnnotator::RunTask()
#52 0x562bd84ee4bd base::MessageLoop::RunTask()
#53 0x562bd84ee7fb base::MessageLoop::DeferOrRunPendingTask()
#54 0x562bd84eeae4 base::MessageLoop::DoWork()
#55 0x562bd84f01c0 base::MessagePumpDefault::Run()
#56 0x562bd84edeca base::MessageLoop::Run()
#57 0x562bd8517697 base::RunLoop::Run()
#58 0x562bdb0f271f content::RendererMain()
#59 0x562bd8129a29 content::RunZygote()
#60 0x562bd812a31a content::RunNamedProcessTypeMain()
#61 0x562bd812ac70 content::ContentMainRunnerImpl::Run()
Received signal 4 ILL_ILLOPN 562bda81051f
Received signal 11 SEGV_MAPERR 003000000020

Comment 1 by hablich@chromium.org, Aug 15 2017

Cc: mstarzinger@chromium.org cbruni@chromium.org
Status: Available (was: Untriaged)

Project Member

Comment 2 by sheriffbot@chromium.org, Aug 16

Labels: Hotlist-Recharge-Cold
Status: Untriaged (was: Available)

This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue.

Sorry for the inconvenience if the bug really should have been left as Available.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 3 by hablich@chromium.org, Aug 20

Status: Available (was: Untriaged)

Comment 4 by cbruni@chromium.org, Aug 20

Cc: leszeks@chromium.org
Owner: ahaas@chromium.org

Crashing on: shared_info->set_language_mode(lit->language_mode());

Assigning over to current stability sherrif.


Given that I see script-streaming on the stack trace this might be a direction to investigate (leszeks@...) where we somehow missed passing along a flag or so?

Comment 5 by leszeks@chromium.org, Aug 20

Language mode is determined solely by the parser, no?

Comment 6 by cbruni@chromium.org, Aug 20

Yes I'd say so as well.

Of course could be that any of the param combinations passed to Context::FunctionMapIndex is wrong. (seems like I touched the call site in question last).

Comment 7 by ahaas@chromium.org, Aug 20

Status: WontFix (was: Available)

This issue does not reproduce anymore.

►

Issue 753932 link

Issue metadata

Chromium crash at DCHECK in v8/src/objects/shared-function-info-inl.h

Issue description

Comment 1 by hablich@chromium.org, Aug 15 2017

Comment 1 Deleted

Comment 2 by sheriffbot@chromium.org, Aug 16

Comment 2 Deleted

Comment 3 by hablich@chromium.org, Aug 20

Comment 3 Deleted

Comment 4 by cbruni@chromium.org, Aug 20

Comment 4 Deleted

Comment 5 by leszeks@chromium.org, Aug 20

Comment 5 Deleted

Comment 6 by cbruni@chromium.org, Aug 20

Comment 6 Deleted

Comment 7 by ahaas@chromium.org, Aug 20

Comment 7 Deleted

Sign in to add a comment