Status: New
Owner: ----
New issue 2780 by [email protected]: V8 crashes with CHECK(object->IsFixedArray()) failed when --track_gc_object_stats enabled
http://code.google.com/p/v8/issues/detail?id=2780
Chromium rev:211370
V8 Version 3.20.4
When running Chrome on Linux with the following flags, V8 will crash with:
CHECK(object->IsFixedArray()) failed
chrome --no-sandbox --enable-stats-table --js-flags="--track_gc_object_stats"
The stacktrace from GDB looks like:
#0 v8::internal::OS::DebugBreak () at ../../v8/src/platform-linux.cc:417
#1 0x0000555559b34ecd in v8::internal::OS::Abort () at ../../v8/src/platform-linux.cc:399
#2 0x00005555597086a9 in V8_Fatal (file=0x55555cc56542 "../../v8/src/objects-inl.h", line=2519, format=0x55555cc55f08 "CHECK(%s) failed") at ../../v8/src/checks.cc:61
#3 0x00005555596c8bab in v8::internal::FixedArray::cast (object=0x3dfe5bbd3f51) at ../../v8/src/objects-inl.h:2519
#4 0x00005555598cc002 in v8::internal::MarkCompactMarkingVisitor::ObjectStatsTracker<(v8::internal::StaticVisitorBase::VisitorId)40>::Visit (map=0x25ec6d704149, obj=0x25ec6d704899) at ../../v8/src/mark-compact.cc:1641
#5 0x00005555598cd266 in v8::internal::StaticMarkingVisitor<v8::internal::MarkCompactMarkingVisitor>::IterateBody (map=0x25ec6d704149, obj=0x25ec6d704899) at ../../v8/src/objects-visiting.h:395
#6 0x00005555598c24bf in v8::internal::MarkCompactCollector::EmptyMarkingDeque (this=0x7ffff7e6bb50) at ../../v8/src/mark-compact.cc:2114
#7 0x00005555598c27f2 in v8::internal::MarkCompactCollector::ProcessMarkingDeque (this=0x7ffff7e6bb50) at ../../v8/src/mark-compact.cc:2175
#8 0x00005555598c1a4b in v8::internal::MarkCompactCollector::PrepareForCodeFlushing (this=0x7ffff7e6bb50) at ../../v8/src/mark-compact.cc:1809
#9 0x00005555598c2c30 in v8::internal::MarkCompactCollector::MarkLiveObjects (this=0x7ffff7e6bb50) at ../../v8/src/mark-compact.cc:2262
#10 0x00005555598be27a in v8::internal::MarkCompactCollector::CollectGarbage (this=0x7ffff7e6bb50) at ../../v8/src/mark-compact.cc:401
#11 0x00005555597c779c in v8::internal::Heap::MarkCompact (this=0x7ffff7e69030, tracer=0x7fffd8261b70) at ../../v8/src/heap.cc:1077
#12 0x00005555597c7115 in v8::internal::Heap::PerformGarbageCollection (this=0x7ffff7e69030, collector=v8::internal::MARK_COMPACTOR, tracer=0x7fffd8261b70) at ../../v8/src/heap.cc:940
#13 0x00005555597c6715 in v8::internal::Heap::CollectGarbage (this=0x7ffff7e69030, space=v8::internal::OLD_POINTER_SPACE, collector=v8::internal::MARK_COMPACTOR, gc_reason=0x55555cc8ad60 "idle notification: contexts disposed", collector_reason=0x55555cc89037 "GC in old space requested") at ../../v8/src/heap.cc:688
#14 0x0000555559767264 in v8::internal::Heap::CollectGarbage (this=0x7ffff7e69030, space=v8::internal::OLD_POINTER_SPACE, gc_reason=0x55555cc8ad60 "idle notification: contexts disposed") at ../../v8/src/heap-inl.h:507
#15 0x00005555597c632e in v8::internal::Heap::CollectAllGarbage (this=0x7ffff7e69030, flags=2, gc_reason=0x55555cc8ad60 "idle notification: contexts disposed") at ../../v8/src/heap.cc:595
#16 0x00005555597d55f8 in v8::internal::Heap::IdleNotification (this=0x7ffff7e69030, hint=1000) at ../../v8/src/heap.cc:5953
#17 0x0000555559a4b31b in v8::internal::V8::IdleNotification (hint=1000) at ../../v8/src/v8.cc:196
#18 0x00005555596b56e5 in v8::V8::IdleNotification (hint=1000) at ../../v8/src/api.cc:5411
#19 0x0000555557fc39eb in WebCore::V8GCForContextDispose::pseudoIdleTimerFired (this=0x79944d5de30) at ../../third_party/WebKit/Source/bindings/v8/V8GCForContextDispose.cpp:74
#20 0x0000555557fc3b20 in WebCore::Timer<WebCore::V8GCForContextDispose>::fired (this=0x79944d5de30) at ../../third_party/WebKit/Source/core/platform/Timer.h:115
#21 0x000055555716fd63 in WebCore::ThreadTimers::sharedTimerFiredInternal (this=0x799443f7020) at ../../third_party/WebKit/Source/core/platform/ThreadTimers.cpp:134
#22 0x000055555716fc6b in WebCore::ThreadTimers::sharedTimerFired () at ../../third_party/WebKit/Source/core/platform/ThreadTimers.cpp:108
#23 0x000055555ae51fbd in webkit_glue::WebKitPlatformSupportImpl::DoTimeout (this=0x799441c27a0) at ../../webkit/glue/webkitplatformsupport_impl.h:142
#24 0x000055555ae52572 in base::internal::RunnableAdapter<void (webkit_glue::WebKitPlatformSupportImpl::*)()>::Run (this=0x7fffd8261ed0, object=0x799441c27a0)
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev