Updates:
Owner: [email protected]
Cc: [email protected]
Comment #3 on issue 1615 by [email protected]: M15 top renderer crash:
v8::internal::StaticMarkingVisitor::VisitPointers
http://code.google.com/p/v8/issues/detail?id=1615
I have looked at some dumps. There is a pretty consistent pattern there: we
are traversing a FixedArray and encounter a pointer that is heap-object
tagged but points _into_ some other heap object (instead of pointing at
its start). The pointer seems to be off by a multiple of 4. Some of these "off
by X" events can be interpreted as 1-bit corruptions, but not all of them.
I have seen:
- (6 crash dumps) a string object (I have seen ASCII symbol, externalized
ASCII symbol, seq ASCII string) [pointer seems to be off by 8 or 4 (8 was
more common among the dumps I've looked at)]; Heap::mc_count_ is not zero.
- (1 crash dump) map for jsobject instance type. Pointer is off by 16
bytes. Heap::mc_count_ is zero. This case is extremely suspicious because map
space contains only maps -> all maps are aligned by a multiple of map size.
I will continue the investigation.
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev