Status: New
Owner: ----
New issue 1156 by [email protected]: V8 Crash when idling at news.google.com
http://code.google.com/p/v8/issues/detail?id=1156
Detailed description of the issue.
With current top-of-tree debug Chromium, just navigate to
http://news.google.com and leave the window alone for 10 to 30 minutes.
Eventually V8 will hit an assertion and kill the renderer process.
The trigger is the assert on line 118 of deoptimizer-ia32.cc, in the function
void Deoptimizer::DeoptimizeFunction(JSFunction* function):
----snippet----
// Handle the junk part after the new relocation info. We will create
// a non-live object in the extra space at the end of the former reloc
info.
Address junk_address = reloc_info->address() + reloc_info->Size();
ASSERT(junk_address <= reloc_end_address);
--------------
Inspecting in the debugger showed that junk_address was reloc_end_address + 4
at the time this fired, i.e. the new relocation info (reloc_info->address() +
reloc_info->Size()) extended 4 bytes past the end of the space reserved for it.
Backtrace:
Thread 0 Crashed: CrRendererMain Dispatch queue: com.apple.main-thread
0 libSystem.B.dylib 0x9902f176 __kill + 10
1 libSystem.B.dylib 0x9902f168 kill$UNIX2003 + 32
2 libSystem.B.dylib 0x990c189d raise + 26
3 libSystem.B.dylib 0x990d79bc abort + 93
4 ...chromium.Chromium.framework 0x0187fda5 v8::internal::OS::Abort() +
11
5 ...chromium.Chromium.framework 0x015a2f35 V8_Fatal + 185
6 ...chromium.Chromium.framework 0x018047bb CheckHelper(char const*, int,
char const*, bool) + 74
7 ...chromium.Chromium.framework 0x01807005
v8::internal::Deoptimizer::DeoptimizeFunction(v8::internal::JSFunction*) +
683
8 ...chromium.Chromium.framework 0x015cfac7
v8::internal::DeoptimizingVisitor::VisitFunction(v8::internal::JSFunction*)
+ 17
9 ...chromium.Chromium.framework 0x015ce7fd
v8::internal::Deoptimizer::VisitAllOptimizedFunctionsForContext(v8::internal::Context*,
v8::internal::OptimizedFunctionVisitor*) + 157
10 ...chromium.Chromium.framework 0x015ce8ba
v8::internal::Deoptimizer::VisitAllOptimizedFunctionsForGlobalObject(v8::internal::JSObject*,
v8::internal::OptimizedFunctionVisitor*) + 128
11 ...chromium.Chromium.framework 0x015ce9aa
v8::internal::Deoptimizer::DeoptimizeGlobalObject(v8::internal::JSObject*)
+ 46
12 ...chromium.Chromium.framework 0x01577257
v8::Object::ForceDelete(v8::Handle<v8::Value>) + 185
13 ...chromium.Chromium.framework 0x025bd912
WebCore::V8DOMWindowShell::clearDocumentWrapperCache() + 192
14 ...chromium.Chromium.framework 0x025be7c5
WebCore::V8DOMWindowShell::clearForNavigation() + 93
15 ...chromium.Chromium.framework 0x025d1bd4
WebCore::V8Proxy::clearForNavigation() + 36
16 ...chromium.Chromium.framework 0x025a52c8
WebCore::ScriptController::clearWindowShell(bool) + 34
17 ...chromium.Chromium.framework 0x028e8de3
WebCore::FrameLoader::clear(bool, bool, bool) + 353
18 ...chromium.Chromium.framework 0x028dc77e
WebCore::DocumentWriter::begin(WebCore::KURL const&, bool,
WebCore::SecurityOrigin*) + 382
19 ...chromium.Chromium.framework 0x028e89ed
WebCore::FrameLoader::receivedFirstData() + 73
20 ...chromium.Chromium.framework 0x028e8c80
WebCore::FrameLoader::willSetEncoding() + 40
21 ...chromium.Chromium.framework 0x028dbd0d
WebCore::DocumentWriter::setEncoding(WTF::String const&, bool) + 33
22 ...chromium.Chromium.framework 0x028d0e9c
WebCore::DocumentLoader::commitData(char const*, int) + 128
23 ...chromium.Chromium.framework 0x0205a9f4
WebKit::WebFrameImpl::commitDocumentData(char const*, unsigned long) + 56
24 ...chromium.Chromium.framework 0x0201e3c0
WebKit::FrameLoaderClientImpl::committedLoad(WebCore::DocumentLoader*, char
const*, int) + 176
25 ...chromium.Chromium.framework 0x028d0fdf
WebCore::DocumentLoader::commitLoad(char const*, int) + 105
26 ...chromium.Chromium.framework 0x028d1038
WebCore::DocumentLoader::receivedData(char const*, int) + 76
27 ...chromium.Chromium.framework 0x028ffa60
WebCore::MainResourceLoader::addData(char const*, int, bool) + 80
28 ...chromium.Chromium.framework 0x0290a971
WebCore::ResourceLoader::didReceiveData(char const*, int, long long, bool)
+ 83
29 ...chromium.Chromium.framework 0x028ff087
WebCore::MainResourceLoader::didReceiveData(char const*, int, long long,
bool) + 401
30 ...chromium.Chromium.framework 0x0290a114
WebCore::ResourceLoader::didReceiveData(WebCore::ResourceHandle*, char
const*, int, int) + 108
31 ...chromium.Chromium.framework 0x02037580
WebCore::ResourceHandleInternal::didReceiveData(WebKit::WebURLLoader*, char
const*, int) + 220
32 ...chromium.Chromium.framework 0x01b401af
webkit_glue::WebURLLoaderImpl::Context::OnReceivedData(char const*, int) +
225
33 ...chromium.Chromium.framework 0x001307ad
ResourceDispatcher::OnReceivedData(IPC::Message const&, int,
base::FileDescriptor, int) + 485
34 ...chromium.Chromium.framework 0x00134919 bool
IPC::MessageWithTuple<Tuple3<int, base::FileDescriptor, int>
::Dispatch<ResourceDispatcher, ResourceDispatcher, int,
base::FileDescriptor, int>(IPC::Message const*, ResourceDispatcher*,
ResourceDispatcher*, void (ResourceDispatcher::*)(IPC::Message const&, int,
base::FileDescriptor, int)) + 142
35 ...chromium.Chromium.framework 0x0012f9af
ResourceDispatcher::DispatchMessage(IPC::Message const&) + 617
36 ...chromium.Chromium.framework 0x00130c0c
ResourceDispatcher::OnMessageReceived(IPC::Message const&) + 724
37 ...chromium.Chromium.framework 0x0016a1f2
ChildThread::OnMessageReceived(IPC::Message const&) + 44
38 ...chromium.Chromium.framework 0x019f7d52
IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const&) + 144
39 ...chromium.Chromium.framework 0x019f8da2 void
DispatchToMethod<IPC::ChannelProxy::Context, void
(IPC::ChannelProxy::Context::*)(IPC::Message const&),
IPC::Message>(IPC::ChannelProxy::Context*, void
(IPC::ChannelProxy::Context::*)(IPC::Message const&), Tuple1<IPC::Message>
const&) + 63
40 ...chromium.Chromium.framework 0x019f8ddd
RunnableMethod<IPC::ChannelProxy::Context, void
(IPC::ChannelProxy::Context::*)(IPC::Message const&), Tuple1<IPC::Message>
::Run() + 57
41 ...chromium.Chromium.framework 0x00e10d7d MessageLoop::RunTask(Task*) +
303
42 ...chromium.Chromium.framework 0x00e10f07
MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) + 53
43 ...chromium.Chromium.framework 0x00e1177f MessageLoop::DoWork() + 253
44 ...chromium.Chromium.framework 0x00ddc172
base::MessagePumpCFRunLoopBase::RunWork() + 74
45 ...chromium.Chromium.framework 0x00ddc1b7
base::MessagePumpCFRunLoopBase::RunWorkSource(void*) + 23
46 com.apple.CoreFoundation 0x9025b4cb __CFRunLoopDoSources0 + 1563
47 com.apple.CoreFoundation 0x90258f8f __CFRunLoopRun + 1071
48 com.apple.CoreFoundation 0x90258464 CFRunLoopRunSpecific + 452
49 com.apple.CoreFoundation 0x90258291 CFRunLoopRunInMode + 97
50 com.apple.HIToolbox 0x94da3004 RunCurrentEventLoopInMode +
392
51 com.apple.HIToolbox 0x94da2dbb ReceiveNextEventCommon + 354
52 com.apple.HIToolbox 0x94da2c40
BlockUntilNextEventMatchingListInMode + 81
53 com.apple.AppKit 0x90c8b78d _DPSNextEvent + 847
54 com.apple.AppKit 0x90c8afce -[NSApplication
nextEventMatchingMask:untilDate:inMode:dequeue:] + 156
55 com.apple.AppKit 0x90c4d247 -[NSApplication run] + 821
56 ...chromium.Chromium.framework 0x00ddbcce
base::MessagePumpNSApplication::DoRun(base::MessagePump::Delegate*) + 100
57 ...chromium.Chromium.framework 0x00ddc2a3
base::MessagePumpCFRunLoopBase::Run(base::MessagePump::Delegate*) + 175
58 ...chromium.Chromium.framework 0x00e11a6a MessageLoop::RunInternal() +
188
59 ...chromium.Chromium.framework 0x00e11a85 MessageLoop::RunHandler() +
17
60 ...chromium.Chromium.framework 0x00e11ae9 MessageLoop::Run() + 35
61 ...chromium.Chromium.framework 0x00d276c0
RendererMain(MainFunctionParams const&) + 1936
62 ...chromium.Chromium.framework 0x000085da (anonymous
namespace)::RunNamedProcessTypeMain(std::string const&, MainFunctionParams
const&) + 78 (chrome_main.cc:622)
63 ...chromium.Chromium.framework 0x000083bb ChromeMain + 3929
(chrome_main.cc:950)
64 org.chromium.Chromium.helper 0x00001f52 main + 24
(chrome_exe_main_mac.mm:16)
65 org.chromium.Chromium.helper 0x00001f0e start + 54