Evaluating callback on that stack: 0x5a738dc0
{weakref.node!Nan::imp::FunctionCallbackWrapper(const v8::FunctionCallbackInfo<v8::Value> &)}

On Tuesday, April 12, 2016 at 7:48:11 PM UTC+2, Jochen Eisinger wrote:
>
> What function is "callback" in the HandleApiCallHelper frame pointing to?
>
> On Tue, Apr 12, 2016, 7:36 PM <[email protected]> wrote:
>
>> I should have mentioned my original bug report against V8: 
>> https://bugs.chromium.org/p/v8/issues/detail?id=4830
>>
>> The stacktrace (with node running in debug mode) would be: 
>> https://gist.github.com/bpasero/fb5f8a6022b37f7b1a34
>>
>> I am sitting in the Visual Studio debugger right at the FAIL call and can 
>> examine the object. Typing "this" just returns that it is a 
>> v8::internal::Object with a value of 0x0baffedf {...}
>>
>> Btw I am able to run IsOddball() and that returns false.
>>
>> On Tuesday, April 12, 2016 at 7:31:23 PM UTC+2, Jochen Eisinger wrote:
>>
>>> and the value of "this" when you hit the FATAL()
>>>
>>> On Tue, Apr 12, 2016 at 7:33 PM Jochen Eisinger <[email protected]> 
>>> wrote:
>>>
>>>> Could you post a stack trace that leads to the FATAL()?
>>>>
>>>> On Tue, Apr 12, 2016 at 7:27 PM Ben Noordhuis <[email protected]> 
>>>> wrote:
>>>>
>>>>> On Tue, Apr 12, 2016 at 7:11 PM,  <[email protected]> wrote:
>>>>> > Hi,
>>>>> >
>>>>> > we (Microsoft VS Code team) are tracking down a very weird native crash in
>>>>> > our use of node.js (5.10.0, V8 46) that only ever shows up since we updated
>>>>> > from node.js 4.x (V8 45). It seems that changes (around the Garbage
>>>>> > Collector?) in V8 46 have an impact on the crash.
>>>>> >
>>>>> > Specifically, we are using the node-weak module
>>>>> > (https://github.com/TooTallNate/node-weak) to be able to get weak references
>>>>> > onto JavaScript objects. This used to work relatively well in node.js 4.x,
>>>>> > but with node.js 5.x we suddenly get the entire node.js program to terminate
>>>>> > with a fatal crash.
>>>>> >
>>>>> > Today we were finally able to track the location of where the crash
>>>>> > originates and it seems to happen when our application simply calls into a
>>>>> > property of the object that is weakly referenced. This call at one point
>>>>> > reaches the following assertion:
>>>>> >
>>>>> > void Object::VerifyApiCallResultType() {
>>>>> > #if DEBUG
>>>>> >   if (!(IsSmi() || IsString() || IsSymbol() || IsSpecObject() ||
>>>>> >         IsHeapNumber() || IsSimd128Value() || IsUndefined() ||
>>>>> >         IsTrue() || IsFalse() || IsNull())) {
>>>>> >     FATAL("API call returned invalid object");
>>>>> >   }
>>>>> > #endif  // DEBUG
>>>>> > }
>>>>> >
>>>>> >
>>>>> > The process terminates from the FATAL call, as none of the previous checks
>>>>> > in this method hold.
>>>>> >
>>>>> >
>>>>> > Now, the interesting question is: How would it be possible to have a JS
>>>>> > object where calling properties on it would fail in such a fatal way? It
>>>>> > seems to us that the object we are calling a property on is a pointer to a
>>>>> > location in memory where no V8 object exists anymore. It almost seems that
>>>>> > the object was garbage collected (or moved to another address?) without the
>>>>> > JS side (or more specifically the node-weak side) getting to know.
>>>>> >
>>>>> >
>>>>> > Since this only reproduces with using node-weak, it seems very likely that
>>>>> > there is an issue with either node-weak or NAN. In fact, node-weak is
>>>>> > calling into SetWeak()
>>>>> > (https://github.com/TooTallNate/node-weak/blob/master/src/weakref.cc#L174)
>>>>> > and relies on the fact that the callback passed in is triggered and maybe
>>>>> > this callback is not triggered anymore in a sync fashion but rather async?
>>>>> >
>>>>> >
>>>>> > I would appreciate some pointers if there is something that could have
>>>>> > probably changed in V8 46 that could have an impact on this.
>>>>>
>>>>> If you have a simple test case (stress on 'simple'), I'll have a look.
>>>>>
>>
>

-- 
-- 
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
--- 
You received this message because you are subscribed to the Google Groups 
"v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.
