Filed https://issues.chromium.org/u/1/issues/345640547 so this gets picked up by proper rotations.
When you say "Start thread 2 and call v8Isolate->GetHeapStatistics() periodically.", what's your environment? This is not running in Chrome, right?

On Fri, Jun 7, 2024 at 6:22 AM Sam Cao <[email protected]> wrote:
> Hi V8 Dev,
>
> I'd like to report a potential bug in ConcurrentMarking::RunMajor().
>
> *Fatal Error*
> #
> # Fatal error in , line 0
> # Check failed: !IsFreeSpaceOrFillerMap(map).
> #
> #
> #
> #FailureMessage Object: 00000083D21FF440
> ==== C stack trace ===============================
> CrashForExceptionInNonABICompliantCodeRange [0x00007FFF4AA557BB+1514667]
> (No symbol) [0x00007FFF4A77D497]
> (No symbol) [0x00007FFF4A820BBA]
> CrashForExceptionInNonABICompliantCodeRange [0x00007FFF4AB234A1+2357649]
> CrashForExceptionInNonABICompliantCodeRange [0x00007FFF4AB3AB62+2453586]
> CrashForExceptionInNonABICompliantCodeRange [0x00007FFF4AA570A6+1521046]
> CrashForExceptionInNonABICompliantCodeRange [0x00007FFF4AA5A466+1534294]
>
> *Reproduce*
>
> 1. Set max heap size to 8096
> 2. Start thread 1 and execute the following JS code.
> var a = [];
> for (let i = 0; i < 100000000; i++) {
> a.push({test:'test'});
> }
> 3. Start thread 2 and call v8Isolate->GetHeapStatistics() periodically.
>
> There is a high chance that V8 will crash with the fatal error posted above.
>
> *Analysis*
> I reviewed the source code of 12.5.227.6 and found there is only one call to IsFreeSpaceOrFillerMap() inside ConcurrentMarking::RunMajor() as follows.
> [image: 01.png]
>
> It seems this check is not always valid when that V8 isolate is busy allocating memory. It used to be working well before this check was added.
>
> Please check this issue out.
>
> Thank you,
> Sam
>
> --
> --
> v8-dev mailing list
> [email protected]
> http://groups.google.com/group/v8-dev
> ---
> You received this message because you are subscribed to the Google Groups "v8-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
