Hi Irina,

That comment is out-of-date. I uploaded a CL to fix it:
https://chromium-review.googlesource.com/c/v8/v8/+/1722563

This particular usage of SlotSet::Iterate in the scavenger is safe because each scavenging thread has exclusive access to the slot set that it is iterating, i.e. no other thread accesses the slot set during the iteration. We ensure that by disallowing concurrent sweeping of these pages during iteration:
https://chromium-review.googlesource.com/c/v8/v8/+/730603/

> V8 crashes because the slots, retrieved by SlotSet::Iterate, point into ranges that have been already marked as FREE_SPACE_TYPE.

This means we have an old-to-new slot recorded for a dead object. I can see a few ways this can happen:

1) The application writes to a field of a dead object. The object could have died because of a missing write barrier.
2) There is a bug in the removal of dead slots in the sweeper:
   https://cs.chromium.org/chromium/src/v8/src/heap/sweeper.cc?q=sweeper.cc&sq=package:chromium&g=0&l=1
3) There is a race between the store buffer inserting/removing slots and the sweeper removing the slots.

Are there any other maps (besides the free space map) around the broken slots?

Cheers,
Ulan.

On Mon, Jul 29, 2019 at 7:36 AM Jakob Gruber <[email protected]> wrote:
>
> On Fri, Jul 26, 2019 at 2:53 AM 'Irina Yatsenko' via v8-dev <[email protected]> wrote:
>
>> The header comment for v8::internal::SlotSet::Iterate says:
>>
>>   // Iterate over all slots in the set and for each slot invoke the callback.
>>   // If the callback returns REMOVE_SLOT then the slot is removed from the set.
>>   // Returns the new number of slots.
>>   // This method should only be called on the main thread.
>>
>> However, we are seeing dumps from crashes in GC with the following callstacks on background threads:
>>
>>   0:013> kc
>>   00 v8::internal::MemoryChunk::InYoungGeneration
>>   01 v8::internal::Heap::InYoungGeneration
>>   02 v8::internal::Scavenger::ScavengeObject<v8::internal::FullHeapObjectSlot>
>>   03 v8::internal::Scavenger::CheckAndScavengeObject
>>   04 v8::internal::Scavenger::ScavengePage::<unnamed-tag>::operator()
>>   05 v8::internal::SlotSet::Iterate
>>   06 v8::internal::RememberedSet<v8::internal::OLD_TO_NEW>::Iterate
>>   07 v8::internal::Scavenger::ScavengePage
>>   08 v8::internal::PageScavengingItem::Process
>>   09 v8::internal::ScavengingTask::RunInParallel
>>
>> V8 crashes because the slots, retrieved by SlotSet::Iterate, point into ranges that have been already marked as FREE_SPACE_TYPE.
>>
>> Could someone please confirm whether the comment is accurate and could explain the crashes?
>>
>> Thanks!
>>
>> --
>> v8-dev mailing list
>> [email protected]
>> http://groups.google.com/group/v8-dev
>> ---
>> You received this message because you are subscribed to the Google Groups "v8-dev" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> To view this discussion on the web visit https://groups.google.com/d/msgid/v8-dev/22d08655-e425-448d-967f-de20762ad713%40googlegroups.com
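To make the invariant behind the hypotheses above concrete, here is an added, simplified model (not V8's code and not from this thread): a page with an old-to-new slot set, a sweeper step that turns a dead object into FREE_SPACE, and a consistency check that reports slots left pointing into free space instead of letting the scavenger crash on them. The Page, Sweep and BrokenSlots names and the 32-byte object layout are assumptions of this example.

```cpp
#include <cstddef>
#include <set>
#include <vector>
// Simplified model (not V8's code): a page holds back-to-back objects that
// are either live or have been turned into FREE_SPACE by the sweeper; the
// old-to-new slot set records offsets of fields that point into new space.
enum class Kind { kLive, kFreeSpace };
struct Object { size_t start; size_t size; Kind kind; };
struct Page {
  std::vector<Object> objects;        // sorted by start, non-overlapping
  std::set<size_t> old_to_new_slots;  // slot offsets, stands in for SlotSet
  // Sweeper step: object i died. Turn it into free space and, if asked,
  // drop every recorded slot in its range (the job of SlotSet::RemoveRange).
  void Sweep(size_t i, bool remove_slots) {
    Object& obj = objects[i];
    obj.kind = Kind::kFreeSpace;
    if (!remove_slots) return;
    old_to_new_slots.erase(old_to_new_slots.lower_bound(obj.start),
                           old_to_new_slots.lower_bound(obj.start + obj.size));
  }
  // Invariant the scavenger relies on: every old-to-new slot lies inside a
  // live object. Returns the offsets that violate it, i.e. the slots that
  // would make the scavenger read a field of a dead object (or of no object).
  std::vector<size_t> BrokenSlots() const {
    std::vector<size_t> broken;
    for (size_t slot : old_to_new_slots) {
      bool in_live = false;
      for (const Object& obj : objects) {
        if (slot >= obj.start && slot < obj.start + obj.size) {
          in_live = obj.kind == Kind::kLive;
          break;
        }
      }
      if (!in_live) broken.push_back(slot);
    }
    return broken;
  }
};
// Constructed scenario: three 32-byte objects at offsets 0, 32, 64 with one
// recorded slot each (8, 40, 72); the middle object dies. Returns the slots
// left pointing into free space after the sweep. With a sweeper that forgets
// to clear slots (hypothesis 2 in the thread) slot 40 goes stale; with a
// correct sweeper the list is empty.
std::vector<size_t> BrokenSlotsAfterSweep(bool sweeper_removes_slots) {
  Page page;
  page.objects = {{0, 32, Kind::kLive}, {32, 32, Kind::kLive}, {64, 32, Kind::kLive}};
  page.old_to_new_slots = {8, 40, 72};
  page.Sweep(1, sweeper_removes_slots);
  return page.BrokenSlots();
}
```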
