Status: Accepted
Owner: [email protected]
CC: [email protected],  [email protected]
Labels: Type-Bug Priority-Medium

New issue 3197 by [email protected]: Handle to elements backing-store while being left-trimmed
http://code.google.com/p/v8/issues/detail?id=3197

There are some corner-cases where a handle to the elements backing-store of a JSArray that is being left-trimmed is still live in some handle-scope. This triggers assertions in debug mode. I wasn't able to find any instance where the handle is still used after it became invalid, so I am not aware of any impact in release mode.

One repro is worth a thousand words ...

  // Flags: --expose-gc

  // Setter installed for index 7; runs with `this` bound to the receiver `a`.
  function boom(v) {
    this.__proto__ = Array.prototype;  // reset the prototype chain of `a`
    this.shift();                      // left-trims the elements of `a` in place
    gc();                              // collect while a handle to the old elements is still live
  }

  // Prototype carrying an accessor at index 7, so `a[7] = ...` reaches the setter.
  var p = Object.create([], { "7" : { set:boom } });
  var a = [1];
  a.__proto__ = p;
  a[7] = 23;  // SetFastElement -> setter found in the prototype chain -> boom

This repro causes the following assertion in debug mode ...

#
# Fatal error in ../src/mark-compact.cc, line 2829
# CHECK(heap()->AllowedToBeMigrated(HeapObject::FromAddress(src), dest)) failed
#

==== C stack trace ===============================

 1: V8_Fatal
 2: v8::internal::MarkCompactCollector::MigrateObject(unsigned char*, unsigned char*, int, v8::internal::AllocationSpace)
 3: v8::internal::MarkCompactCollector::TryPromoteObject(v8::internal::HeapObject*, int)
 4: v8::internal::MarkCompactCollector::DiscoverAndPromoteBlackObjectsOnPage(v8::internal::NewSpace*, v8::internal::NewSpacePage*)
 5: v8::internal::MarkCompactCollector::EvacuateNewSpace()
 6: v8::internal::MarkCompactCollector::EvacuateNewSpaceAndCandidates()
 7: v8::internal::MarkCompactCollector::SweepSpaces()
 8: v8::internal::MarkCompactCollector::CollectGarbage()
 9: v8::internal::Heap::MarkCompact(v8::internal::GCTracer*)
10: v8::internal::Heap::PerformGarbageCollection(v8::internal::GarbageCollector, v8::internal::GCTracer*, v8::GCCallbackFlags)
11: v8::internal::Heap::CollectGarbage(v8::internal::GarbageCollector, char const*, char const*, v8::GCCallbackFlags)
12: v8::internal::Heap::CollectGarbage(v8::internal::AllocationSpace, char const*, v8::GCCallbackFlags)
13: v8::internal::Heap::CollectAllGarbage(int, char const*, v8::GCCallbackFlags)
14: v8::Isolate::RequestGarbageCollectionForTesting(v8::Isolate::GarbageCollectionType)
15: v8::internal::GCExtension::GC(v8::FunctionCallbackInfo<v8::Value> const&)
16: v8::internal::FunctionCallbackArguments::Call(void (*)(v8::FunctionCallbackInfo<v8::Value> const&))
17: ??
18: ??
19: ??
20: ??
21: ??
22: ??
23: ??
24: ??
25: v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, bool*, bool)
26: v8::internal::JSReceiver::SetPropertyWithDefinedSetter(v8::internal::Handle<v8::internal::JSReceiver>, v8::internal::Handle<v8::internal::JSReceiver>, v8::internal::Handle<v8::internal::Object>)
27: v8::internal::JSObject::SetElementWithCallback(v8::internal::Handle<v8::internal::JSObject>, v8::internal::Handle<v8::internal::Object>, unsigned int, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::JSObject>, v8::internal::StrictModeFlag)
28: v8::internal::JSObject::SetElementWithCallbackSetterInPrototypes(v8::internal::Handle<v8::internal::JSObject>, unsigned int, v8::internal::Handle<v8::internal::Object>, bool*, v8::internal::StrictModeFlag)
29: v8::internal::JSObject::SetFastElement(v8::internal::Handle<v8::internal::JSObject>, unsigned int, v8::internal::Handle<v8::internal::Object>, v8::internal::StrictModeFlag, bool)
30: v8::internal::JSObject::SetElementWithoutInterceptor(v8::internal::Handle<v8::internal::JSObject>, unsigned int, v8::internal::Handle<v8::internal::Object>, PropertyAttributes, v8::internal::StrictModeFlag, bool, v8::internal::SetPropertyMode)
31: v8::internal::JSObject::SetElement(v8::internal::Handle<v8::internal::JSObject>, unsigned int, v8::internal::Handle<v8::internal::Object>, PropertyAttributes, v8::internal::StrictModeFlag, bool, v8::internal::SetPropertyMode)
32: v8::internal::Runtime::SetObjectProperty(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, PropertyAttributes, v8::internal::StrictModeFlag)
33: v8::internal::KeyedStoreIC::Store(v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>)
34: ??
35: v8::internal::KeyedStoreIC_Miss(int, v8::internal::Object**, v8::internal::Isolate*)
36: ??
37: ??
38: ??
39: ??
40: ??
41: ??
42: v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, bool*, bool)
43: v8::Script::Run()
44: v8::Shell::ExecuteString(v8::Isolate*, v8::Handle<v8::String>, v8::Handle<v8::Value>, bool, bool)
45: v8::SourceGroup::Execute(v8::Isolate*)
46: v8::Shell::RunMain(v8::Isolate*, int, char**)
47: v8::Shell::Main(int, char**)
48: main
49: __libc_start_main
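The mechanism behind the assertion, as an added example that is not V8 code and not part of the bug report: a toy heap in which an array backing store is left-trimmed in place (the header is moved forward and the vacated prefix becomes a filler object, which is the cheap way a fast-array shift() is done), a handle captured before the trim that now points at the filler, and the kind of validity check a debug build or the GC runs before touching an object. The object layout, tag values, type names and the "re-read the elements address from the owner after the call" fix pattern are assumptions made for this example.

```cpp
// Added example (not V8 code): in-place left trim of an array backing store,
// a handle that goes stale across it, and the check that detects the stale one.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

namespace toy {

// Object layout in the toy page: [tag][length][slot 0] ... [slot length-1].
// Tags and layout are invented for this example.
constexpr uint32_t kFixedArray = 1;  // tag of a live backing store
constexpr uint32_t kFiller     = 2;  // tag of memory released in place
constexpr size_t kHeaderWords  = 2;

struct Heap {
  std::vector<uint32_t> words;  // one page of heap memory, word-addressed
  size_t array_addr = 0;        // the owner's "elements" field: where the
                                // live backing store currently starts

  explicit Heap(const std::vector<uint32_t>& elems) {
    words.push_back(kFixedArray);
    words.push_back(static_cast<uint32_t>(elems.size()));
    words.insert(words.end(), elems.begin(), elems.end());
  }

  uint32_t tag_at(size_t addr) const { return words.at(addr); }
  uint32_t length_at(size_t addr) const { return words.at(addr + 1); }
  uint32_t slot(size_t addr, size_t i) const {
    return words.at(addr + kHeaderWords + i);
  }

  // Drop the first n slots without copying the survivors: move the header
  // forward by n words so old slot n becomes new slot 0, and turn the vacated
  // prefix into a filler so the page stays walkable. After this the old
  // header address heads a filler, not an array.
  void left_trim(size_t n) {
    const size_t old_addr = array_addr;
    const uint32_t old_len = length_at(old_addr);
    if (n == 0 || n > old_len) throw std::out_of_range("bad trim");
    const size_t new_addr = old_addr + n;
    words[old_addr] = kFiller;
    if (n >= 2) words[old_addr + 1] = static_cast<uint32_t>(n);  // filler size; a
                                                                 // 1-word filler is tag only
    words[new_addr] = kFixedArray;
    words[new_addr + 1] = old_len - static_cast<uint32_t>(n);
    array_addr = new_addr;
  }
};

// A raw handle: the address captured at some point and never refreshed.
struct Handle { size_t addr; };

// The check a GC or debug build performs before touching an object through a
// handle: is there still an array header at that address?
bool is_live_array(const Heap& heap, Handle h) {
  return h.addr < heap.words.size() && heap.tag_at(h.addr) == kFixedArray;
}

struct Outcome {
  bool stale_valid_before;  // handle was fine when captured
  bool stale_valid_after;   // and points at filler after the trim
  bool owner_valid_after;   // re-reading the owner's elements field is fine
  uint32_t first_slot;      // slot 0 seen through the refreshed address
  uint32_t length;          // length seen through the refreshed address
};

// Models the report's sequence: capture a handle to the elements, have the
// array shifted (trimmed by one) while that handle is still live, then check
// both the stale handle and a handle re-read from the owner afterwards.
Outcome run() {
  Heap heap({10, 20, 30, 40});   // constructed sample backing store
  Handle stale{heap.array_addr};
  Outcome o{};
  o.stale_valid_before = is_live_array(heap, stale);
  heap.left_trim(1);             // the shift()
  o.stale_valid_after = is_live_array(heap, stale);
  Handle fresh{heap.array_addr}; // fix pattern: re-read after the call
  o.owner_valid_after = is_live_array(heap, fresh);
  o.first_slot = heap.slot(fresh.addr, 0);
  o.length = heap.length_at(fresh.addr);
  return o;
}

}  // namespace toy

int main() {
  toy::Outcome o = toy::run();
  std::printf("stale handle valid: before=%d after=%d; refreshed: valid=%d len=%u slot0=%u\n",
              o.stale_valid_before, o.stale_valid_after, o.owner_valid_after,
              o.length, o.first_slot);
  return 0;
}
```

The stale handle is exactly the hazard the report describes: nothing copied or freed the surviving elements, so a release build that dereferences the old address reads a filler header rather than crashing outright, which is why the problem only surfaces as a debug-mode CHECK. The defensive pattern is the one `fresh` shows: any code that calls out (a setter, a builtin, anything that can trim or reallocate elements) must re-read the elements address from its owner rather than keep using a handle captured before the call.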

--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev