
Issue 775055 link

Issue metadata

Status: Fixed
Closed: Oct 2017
OS: Linux, Android, Windows, Chrome, Mac
Pri: 1
Type: Bug




Debug check failed: FLAG_unbox_double_fields implies map->HasFastPointerLayout()

Reported by orphis@chromium.org, Oct 16 2017

Issue description

Chrome Version: 64.0.3242.0
OS: Linux Ubuntu

What steps will reproduce the problem?
(1) Browse to http://wpt.fyi/mediacapture-streams
(2) Wait for the tab to load, render and trigger the DCHECK

#
# Fatal error in ../../v8/src/heap/concurrent-marking.cc, line 133
# Debug check failed: FLAG_unbox_double_fields implies map->HasFastPointerLayout().
#
#0 0x7fb095e9e7f7 base::debug::StackTrace::StackTrace()
#1 0x7fb0906b47a5 gin::(anonymous namespace)::PrintStackTrace()
#2 0x7fb08572c04c V8_Fatal()
#3 0x7fb08572be32 v8::base::(anonymous namespace)::DefaultDcheckHandler()
#4 0x7fb0900a201a v8::internal::ConcurrentMarkingVisitor::VisitJSApiObject()
#5 0x7fb09009e9d0 v8::internal::ConcurrentMarking::Run()
#6 0x7fb095e9f0a1 base::debug::TaskAnnotator::RunTask()
#7 0x7fb095f3390a base::internal::TaskTracker::RunOrSkipTask()
#8 0x7fb095f344aa base::internal::TaskTrackerPosix::RunOrSkipTask()
#9 0x7fb095f32a98 base::internal::TaskTracker::RunNextTask()
#10 0x7fb095f2b037 base::internal::SchedulerWorker::Thread::ThreadMain()
#11 0x7fb095f3e3fc base::(anonymous namespace)::ThreadFunc()
#12 0x7fb095fdc184 start_thread
#13 0x7fb0892a6ffd clone
Received signal 4 ILL_ILLOPN 7fb08572efcf
Received signal 11 SEGV_MAPERR 003000000020
 
Owner: u...@chromium.org
Status: Assigned (was: Untriaged)

Comment 2 by u...@chromium.org, Oct 17 2017

Status: Started (was: Assigned)
Thank you for the report.

Comment 3 by u...@chromium.org, Oct 17 2017

Labels: -Pri-3 M-63 Pri-1
Fix is in flight: https://chromium-review.googlesource.com/c/v8/v8/+/723425

Comment 4 by bugdroid1@chromium.org, Oct 17 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/fcee0a973fa35e4187e44cad18d64f9ac4c77f10

commit fcee0a973fa35e4187e44cad18d64f9ac4c77f10
Author: Ulan Degenbaev <ulan@chromium.org>
Date: Tue Oct 17 19:44:58 2017

[heap] Avoid concurrently marking through JS API objects.

They can have unboxed double fields and embedder fields.

Bug:  chromium:775055 
Change-Id: Idff67c776cb4209d78006b8f3f8ebc07aa509c42
Reviewed-on: https://chromium-review.googlesource.com/723425
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Hannes Payer <hpayer@chromium.org>
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48655}
[modify] https://crrev.com/fcee0a973fa35e4187e44cad18d64f9ac4c77f10/src/heap/concurrent-marking.cc
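
The DCHECK in the trace (FLAG_unbox_double_fields implies map->HasFastPointerLayout()) and the commit message above point at one hazard: a marker that walks an object's in-object slots as tagged pointers is only safe when the map says every slot is a pointer, and JS API objects can carry unboxed double fields (raw IEEE-754 bits) and embedder fields instead. The C model below is an added illustration written for this page, not V8 code; it assumes a hypothetical `layout` bitmask standing in for the map's layout descriptor and a constructed fixed-size toy heap. It contrasts a marker that ignores the layout (and would follow a double's bit pattern as an address), a marker that consults the layout, and a concurrent-marker policy in the spirit of the CL in #4 that refuses objects without the fast pointer layout and hands them back to the main thread.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the hazard behind the DCHECK above; illustrative code, not V8's.
 * Each object has NSLOTS 64-bit in-object fields. The hypothetical `layout`
 * bitmask stands in for the map's layout descriptor: bit i set means slot i
 * holds an unboxed double (raw IEEE-754 bits), clear means a tagged pointer.
 * Layout 0 is this model's "fast pointer layout": every slot is a pointer and
 * can be walked without consulting the map. */
#define NSLOTS 4

typedef struct Obj {
    uint64_t layout;        /* hypothetical layout descriptor */
    bool     marked;
    uint64_t slot[NSLOTS];  /* Obj* bits or double bits, per `layout` */
} Obj;

/* Constructed fixed-size heap so that "is this a real object?" is decidable. */
static Obj heap[8];

static bool in_heap(uint64_t p) {
    uintptr_t base = (uintptr_t)heap, end = base + sizeof heap;
    return p >= base && p < end && (p - base) % sizeof(Obj) == 0;
}

static bool has_fast_pointer_layout(const Obj *o) { return o->layout == 0; }

static uint64_t double_bits(double d) {
    uint64_t u;
    memcpy(&u, &d, sizeof u);
    return u;
}

/* Buggy marker: walks every non-null slot as a pointer, ignoring `layout`.
 * A double's bit pattern becomes a wild address. To keep the demo from
 * crashing it counts such slots instead of dereferencing them; a real marker
 * would fault or, worse, mark through whatever those bits happen to address.
 * Returns the number of wild "pointers" it would have followed. */
static int mark_children_buggy(Obj *o) {
    int wild = 0;
    for (int i = 0; i < NSLOTS; i++) {
        uint64_t v = o->slot[i];
        if (v == 0) continue;                         /* null, nothing to mark */
        if (in_heap(v)) ((Obj *)(uintptr_t)v)->marked = true;
        else wild++;                                  /* would be a crash */
    }
    return wild;
}

/* Precise marker: consults the layout descriptor and skips double slots. */
static int mark_children_precise(Obj *o) {
    int wild = 0;
    for (int i = 0; i < NSLOTS; i++) {
        if (o->layout & (1ull << i)) continue;        /* unboxed double, not a pointer */
        uint64_t v = o->slot[i];
        if (v == 0) continue;
        if (in_heap(v)) ((Obj *)(uintptr_t)v)->marked = true;
        else wild++;
    }
    return wild;
}

/* Concurrent-marker policy in the spirit of the CL in #4: refuse to mark
 * through an object whose layout is not the fast pointer layout and hand it
 * back to the main thread. Returns true if it marked the children itself. */
static bool concurrent_mark_children(Obj *o) {
    if (!has_fast_pointer_layout(o)) return false;    /* bail out; main thread visits it */
    mark_children_precise(o);                         /* layout 0: plain pointer walk */
    return true;
}

/* Constructed sample: root -> a (slot 0), unboxed 1.5 (slot 1), root -> b (slot 2). */
static Obj *build_sample_heap(void) {
    memset(heap, 0, sizeof heap);
    Obj *root = &heap[0], *a = &heap[1], *b = &heap[2];
    root->layout  = 1ull << 1;                        /* slot 1 is an unboxed double */
    root->slot[0] = (uint64_t)(uintptr_t)a;
    root->slot[1] = double_bits(1.5);                 /* 0x3FF8000000000000 */
    root->slot[2] = (uint64_t)(uintptr_t)b;
    return root;
}

int main(void) {
    Obj *root = build_sample_heap();
    printf("buggy marker: %d wild pointer(s) followed\n", mark_children_buggy(root));
    build_sample_heap();
    printf("precise marker: %d wild pointer(s) followed\n", mark_children_precise(root));
    build_sample_heap();
    printf("concurrent marker handled root itself: %s\n",
           concurrent_mark_children(root) ? "yes" : "no, deferred to main thread");
    return 0;
}
```

The bail-out variant is the cheap, low-risk shape of fix the thread describes: it gives up a little concurrency on objects whose fields need the map to interpret, rather than teaching the concurrent visitor about every field kind. In the model the buggy walker reports one wild pointer for the root (the 1.5 bits), the precise walker reports none and marks both children, and the concurrent policy declines the root entirely while still handling plain pointer-layout objects.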

Comment 5 by u...@chromium.org, Oct 23 2017

Cc: hablich@chromium.org
Labels: Merge-Request-63 OS-Android OS-Chrome OS-Mac OS-Windows
Requesting merge for #4. It has canary coverage and is low risk.

Comment 6 by cma...@chromium.org, Oct 24 2017

Is this a regression in M63? Can you add a test along with this change to prevent such things from happening again?

Comment 7 by u...@chromium.org, Oct 24 2017

cmasso@, CL in #4 is a quick fix for merging back that disables optimization.

The proper fix will come with the test (if possible).

Comment 8 by sheriffbot@chromium.org, Oct 24 2017

Labels: -Merge-Request-63 Hotlist-Merge-Approved Merge-Approved-63
Your change meets the bar and is auto-approved for M63. Please go ahead and merge the CL to branch 3239 manually. Please contact milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), gkihumba@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 9 by bugdroid1@chromium.org, Oct 24 2017

Labels: merge-merged-6.3
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/4d22b60e76e4ad03001766fe5ffb55a1f091783a

commit 4d22b60e76e4ad03001766fe5ffb55a1f091783a
Author: Ulan Degenbaev <ulan@chromium.org>
Date: Tue Oct 24 14:43:30 2017

Merged: [heap] Avoid concurrently marking through JS API objects.

Revision: fcee0a973fa35e4187e44cad18d6

BUG= chromium:775055 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=mlippautz@chromium.org

Change-Id: I01bf225f6d8f14327d00218ee42768b62474938c
Reviewed-on: https://chromium-review.googlesource.com/735680
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.3@{#36}
Cr-Branched-From: 094a7c93dcdcd921de3883ba4674b7e1a0feffbe-refs/heads/6.3.292@{#1}
Cr-Branched-From: 18b8fbb528a8021e04a029e06eafee50b918bce0-refs/heads/master@{#48432}
[modify] https://crrev.com/4d22b60e76e4ad03001766fe5ffb55a1f091783a/src/heap/concurrent-marking.cc

Labels: -Merge-Approved-63
Per comment #9, this is already merged to M63. So removing "Merge-Approved-63" label.

Comment 11 by u...@chromium.org, Oct 25 2017

Status: Fixed (was: Started)
