Status: Accepted
Owner: [email protected]
Labels: Type-Bug Priority-Medium
New issue 1675 by erik.corry: Crashes on mail.live.com
http://code.google.com/p/v8/issues/detail?id=1675
Chrome 13 is seeing crashes on *.mail.live.com. This seems to be related
to deoptimization, since the bad pointer is always 0xffffffffbeeddeac, a
variation on 0xbeeddead, a zap value used by the deoptimizer. On Mac this
crash is at around 2% of renderer crashes. On Windows it is rarer and it
is also harder to find since there are a lot of 'bogus' crashes related to
memory corruption.
This issue may have gone away in Chrome 14 and newer. I can't find any
reports.
The actual crash is always in a LoadIC:
0cb7d580 00000000: a8 01 test al,0x1
0cb7d582 00000002: 0f 84 11 00 00 00 je 0x19
=>0cb7d588 00000008: 81 78 ff 61 6c fa 06 cmp DWORD PTR [eax-0x1],0x6fa6c61
0cb7d58f 0000000f: 0f 85 04 00 00 00 jne 0x19
0cb7d595 00000015: 8b 40 0f mov eax,DWORD PTR [eax+0xf]
0cb7d598 00000018: c3 ret
0cb7d599 00000019: e9 a2 2e 1f 33 jmp 0x331f2ec0
I have not been able to find a minidump where the return address on top of
the stack points to memory that is present in the minidump.
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
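As an added triage example that is not part of the issue report or of V8, the following Python checks whether a faulting address is a small, tag-adjusted offset from a known zap value, which is the reasoning the report applies by hand to 0xffffffffbeeddeac. Only 0xbeeddead is taken from the report; the heap-object tag, pointer size and offset limit are assumptions about a 32-bit build.

```python
# Added example (not V8 code): does a faulting address look like a load
# through a pointer that the deoptimizer overwrote with its zap value?

HEAP_OBJECT_TAG = 1        # V8 marks heap-object pointers by setting bit 0 (assumed)
POINTER_SIZE = 4           # 32-bit build, matching the ia32 disassembly (assumed)
MAX_FIELD_OFFSET = 0x100   # largest in-object offset treated as plausible (assumed)

# Zap values to test against; 0xbeeddead is the one named in the report.
ZAP_VALUES = {
    0xbeeddead: "deoptimizer zap",
}


def canonicalize(addr):
    """Undo sign extension of a 32-bit value held in a 64-bit register or
    minidump field, e.g. 0xffffffffbeeddeac -> (0xbeeddeac, True)."""
    if addr >> 32 == 0xffffffff and (addr >> 31) & 1:
        return addr & 0xffffffff, True
    return addr, False


def classify_fault_address(addr):
    """Describe how addr relates to a known zap value, or return None.

    A field load through a zapped tagged pointer faults at
    zap + field_offset - tag, so the map check at [eax-0x1] in the
    report faults at 0xbeeddead - 1 = 0xbeeddeac."""
    value, extended = canonicalize(addr)
    for zap, name in ZAP_VALUES.items():
        delta = value - zap                 # signed distance from the zap value
        field_offset = delta + HEAP_OBJECT_TAG
        if 0 <= field_offset <= MAX_FIELD_OFFSET and field_offset % POINTER_SIZE == 0:
            return {
                "zap": name,
                "zap_value": zap,
                "sign_extended": extended,
                "field_offset": field_offset,
                "field": "map" if field_offset == 0 else "in-object field",
            }
    return None


if __name__ == "__main__":
    # Constructed input: the bad pointer quoted in the report.
    print(classify_fault_address(0xffffffffbeeddeac))
```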