We develop a Chromium-based product and frequently receive renderer crash 
dumps from our users with a segfault in the 
function v8::internal::SlotSet::Iterate().
We had this crash in previous versions, but it has become very frequent in 
the version based on Chromium 66.

Crash occurs 
here: https://cs.chromium.org/chromium/src/v8/src/heap/slot-set.h?g=0&l=206
Crashed thread stack: https://pastebin.com/raw/ZDNCfsiX
Main thread stack: https://pastebin.com/raw/G6N40V7w

Also, I have done some disassembly and have extracted V8 heap page fragments 
from some of our crash dumps: https://pastebin.com/raw/TdxQEwLB
EBX points to the slot with the broken pointer (enclosed in parentheses in the memory 
dumps), and the crashes were caused by accessing the memory pointed to by this pointer.

Unfortunately, we can't reproduce this crash locally.

Can anyone take a brief look at these heap fragments? Maybe we can extract 
some additional information that could help us understand what's going wrong?
Or maybe there is already a known crash with this signature?


Alexander Timokhin,
Yandex LLC.

v8-dev mailing list