Updates:
Owner: [email protected]
Cc: [email protected]
Comment #4 on issue 1877 by [email protected]: NULL ptr in v8::Value::IsInt32
http://code.google.com/p/v8/issues/detail?id=1877
The bug appears to be in the new optimizations for typed arrays' "set"
methods which Ulan implemented. I don't know how to debug into V8's
generated code, but the best I can tell is that when the Float64Array is
constructed, and we attempt to "copy" from the passed function into the
newly constructed Float64Array, we run the new JavaScript code in
Source/WebCore/bindings/v8/custom/V8ArrayBufferViewCustomScript.js which
ends up throwing an exception because window.Int16Array (or Uint8Array,
etc.) has been set to null. The exception thrown at this point confuses V8
(probably because we aren't using a TryCatch in
Source/WebCore/bindings/v8/custom/V8ArrayBufferViewCustom.cpp?) and the
next entry to the VM causes an assertion failure. Here is the stack trace
in gdb:
#0 0x00007f16a0cb2a75 in *__GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1 0x00007f16a0cb65c0 in *__GI_abort () at abort.c:92
#2 0x00007f16a9c491d5 in v8::internal::OS::Abort () at ../../v8/src/platform-linux.cc:391
#3 0x00007f16a992d61b in V8_Fatal (file=0x7f16acbe42ba "../../v8/src/api.cc", line=2790, format=0x7f16acbe2df0 "CHECK(%s) failed") at ../../v8/src/checks.cc:58
#4 0x00007f16a98fe2ba in CheckHelper (file=0x7f16acbe42ba "../../v8/src/api.cc", line=2790, source=0x7f16acbe4ac0 "!(isolate)->external_caught_exception()", condition=false) at ../../v8/src/checks.h:60
#5 0x00007f16a98eecbb in v8::Object::Get (this=0x7fff142f3868, key=...) at ../../v8/src/api.cc:2790
#6 0x00007f16ac2a7b28 in WebCore::copyElements (destArray=..., srcArray=...) at ../../third_party/WebKit/Source/WebCore/bindings/v8/custom/V8ArrayBufferViewCustom.cpp:64
#7 0x00007f16abe48d89 in WebCore::setWebGLArrayHelper<WTF::Float64Array, WebCore::V8Float64Array> (args=...) at ../../third_party/WebKit/Source/WebCore/bindings/v8/custom/V8ArrayBufferViewCustom.h:215
#8 0x00007f16abe48124 in WebCore::V8Float64Array::setCallback (args=...) at ../../third_party/WebKit/Source/WebCore/bindings/v8/custom/V8Float64ArrayCustom.cpp:48
#9 0x00007f16a9929ec7 in v8::internal::HandleApiCallHelper<false> (args=..., isolate=0x7f16a7ff7000) at ../../v8/src/builtins.cc:1207
#10 0x00007f16a9924c33 in v8::internal::Builtin_Impl_HandleApiCall (args=..., isolate=0x7f16a7ff7000) at ../../v8/src/builtins.cc:1224
#11 0x00007f16a9924c04 in v8::internal::Builtin_HandleApiCall (args=..., isolate=0x7f16a7ff7000) at ../../v8/src/builtins.cc:1223
#12 0x00001b972430420e in ?? ()
#13 0x00001b9724304181 in ?? ()
#14 0x00007fff142f3a10 in ?? ()
...
Ulan, would you be able to take this bug and postulate a fix? Assigning it
to you under the assumption you'll be able to.
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev