Status: Accepted
Owner: [email protected]
CC: [email protected], [email protected]
Labels: Type-Bug Priority-Medium
New issue 1346 by [email protected]:
CHECK(target()->is_keyed_load_stub()) at src/ic.h, line 330
http://code.google.com/p/v8/issues/detail?id=1346
Happened on buildbot once, not (easily) reproducible
http://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20debug/builds/1187/steps/Check/logs/stdio
But here is the reconstruction of the crash:
0. We are doing a load from an external float array.
1. IC is uninitialized so we enter KeyedLoadIC_Miss, then in
KeyedLoadIC::Load we patch IC with KEYED_EXTERNAL_ARRAY_LOAD_IC stub and
call Runtime::GetObjectProperty.
2. Runtime::GetObjectProperty for external float array has to do HeapNumber
allocation, which fails. Runtime::GetObjectProperty returns failure which
is propagated upwards until it reaches CEntryStub which called
KeyedLoadIC_Miss. CEntryStub does GC and _retries_ with KeyedLoadIC_Miss
(but the IC itself is _already_ patched at this point).
3. KeyedLoadIC_Miss constructs KeyedLoadIC object which checks that IC
target is KEYED_LOAD_IC stub but it is not. It is
KEYED_EXTERNAL_ARRAY_LOAD_IC stub hence assertion failure.
I tried a small experiment with returning artificial failure (see attached
patch) which simulates HeapNumber allocation failure and it triggers the
same assertion but it's hard to construct a testcase that will fail.
Attachments:
artificial-failure.patch 1.0 KB
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
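The reconstruction above, as an added illustrative simulation that is not V8 code, not the reporter's attached patch, and not the fix the project eventually landed: it models an IC site, a runtime call that needs a HeapNumber and can return Failure, and a CEntryStub-style retry loop. The names `ICSite`, `Heap`, `Simulate` and the `KeyedLoadIC_Miss_*` variants are assumptions made for the model; the CHECK in the KeyedLoadIC constructor is modelled as a returned status rather than a process abort so the scenarios can be compared. The "patch after the call" variant is one hypothetical ordering that avoids the precondition failure, shown only to make the ordering problem concrete.

```cpp
#include <cstdio>

// Illustrative model of the patch-before-retry ordering described in the
// report. Nothing here is V8 code; names mirror the report but are invented.

enum class Stub { KeyedLoadIC, KeyedExternalArrayLoadIC };

// An inline-cache site: the stub it currently jumps to.
struct ICSite {
  Stub target = Stub::KeyedLoadIC;  // an uninitialized IC uses the generic stub
};

// Toy heap (constructed): while under_pressure, HeapNumber allocation fails;
// a GC clears the pressure so the retry succeeds.
struct Heap {
  bool under_pressure;
  bool AllocateHeapNumber() { return !under_pressure; }
  void CollectGarbage() { under_pressure = false; }
};

// Runtime::GetObjectProperty analogue: a load from an external float array
// must box the element in a fresh HeapNumber, so it can return Failure.
struct RuntimeResult { bool failure; double value; };

RuntimeResult GetObjectProperty(Heap& heap) {
  if (!heap.AllocateHeapNumber()) return {true, 0.0};
  return {false, 1.5};  // constructed element value
}

// Outcome of one KeyedLoadIC_Miss invocation: did the constructor's
// precondition hold, and what did the runtime call return.
struct MissResult { bool check_ok; RuntimeResult rt; };

// As reconstructed in the report: the IC is patched *before* the runtime
// call that can fail, so a retry re-enters with an already-patched target.
MissResult KeyedLoadIC_Miss_AsReported(ICSite& ic, Heap& heap) {
  // CHECK(target()->is_keyed_load_stub()), modelled as a status value.
  if (ic.target != Stub::KeyedLoadIC) return {false, {true, 0.0}};
  ic.target = Stub::KeyedExternalArrayLoadIC;   // step 1: patch the IC
  return {true, GetObjectProperty(heap)};       // step 2: call may fail
}

// Hypothetical alternative ordering (not V8's actual fix): patch the IC only
// once the runtime call has produced a value, so a retry sees the old target.
MissResult KeyedLoadIC_Miss_PatchAfter(ICSite& ic, Heap& heap) {
  if (ic.target != Stub::KeyedLoadIC) return {false, {true, 0.0}};
  RuntimeResult rt = GetObjectProperty(heap);
  if (!rt.failure) ic.target = Stub::KeyedExternalArrayLoadIC;
  return {true, rt};
}

enum class Outcome { Value, CheckFailed, GaveUp };

// CEntryStub analogue: on Failure, run a GC and retry the same entry point.
Outcome CEntryStub(ICSite& ic, Heap& heap, MissResult (*miss)(ICSite&, Heap&)) {
  const int kMaxRetries = 2;
  for (int attempt = 0; attempt <= kMaxRetries; ++attempt) {
    MissResult m = miss(ic, heap);
    if (!m.check_ok) return Outcome::CheckFailed;  // where the ic.h CHECK fires
    if (!m.rt.failure) return Outcome::Value;
    heap.CollectGarbage();                          // then loop: the retry
  }
  return Outcome::GaveUp;
}

// One scenario: which miss handler ordering, and whether the first
// HeapNumber allocation fails (the buildbot case) or succeeds.
Outcome Simulate(bool patch_before_call, bool first_alloc_fails) {
  ICSite ic;
  Heap heap{first_alloc_fails};
  return CEntryStub(ic, heap, patch_before_call ? KeyedLoadIC_Miss_AsReported
                                                : KeyedLoadIC_Miss_PatchAfter);
}

static const char* Name(Outcome o) {
  switch (o) {
    case Outcome::Value:       return "Value";
    case Outcome::CheckFailed: return "CheckFailed";
    default:                   return "GaveUp";
  }
}

int main() {
  std::printf("patch-before, first alloc fails:   %s\n", Name(Simulate(true, true)));
  std::printf("patch-before, alloc succeeds:      %s\n", Name(Simulate(true, false)));
  std::printf("patch-after,  first alloc fails:   %s\n", Name(Simulate(false, true)));
  std::printf("patch-after,  alloc succeeds:      %s\n", Name(Simulate(false, false)));
  return 0;
}
```

The only scenario that ends in `CheckFailed` is the reported ordering with an allocation failure on the first pass: the retry re-enters the miss handler with the IC already pointing at the external-array stub, exactly the state the report describes. With no allocation failure the same ordering never retries, which is why the crash was seen once on a buildbot and is hard to reproduce without forcing the failure as the attached patch does.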