V8 Fatal Exception, 0x99b617 #11977
Comments
|
Do you have a simple example to reproduce the crash? /cc @nodejs/v8 |
|
Additionally, you may want to file an issue over at https://bugs.chromium.org/p/v8/. |
|
@mscdex I could probably come up with a simple use case. I'll file an issue with the v8 folks. This only happens in 6.10.1 as far as I can see (downgrading to 6.9 resolved the issue). |
|
By 6.9 do you mean 6.9.5 or 6.9.0? Also, does 6.10.0 exhibit the same problem? |
|
FWIW These V8-related PRs were merged in v6.10.0:
These V8-related PRs were merged in v6.10.1: |
|
6.10.0 does no exhibit the same problem. 6.9.0 and 6.9.5 also do not exhibit the same problem. I have a reproducible test case, but I need to streamline it to just the minimum elements. This looks to be isolated to 6.10.1. In the v8 issue, the chromium team stated that the version of v8 used by 6.10.1 is no longer supported, and this issue is not present in later version of v8. |
|
@duereg if you could include a way of reproducing that would be helpful. Also which version of Linux? |
|
If you're feeling adventurous, you could try reverting each of those 3 V8-related commits, one at a time, and see which one is causing the problem. |
|
I have a way of reproducing - I can reproduce it locally on my Mac, as well on our CI environment, which is: Platform: Linux, version 4.4.27 So I believe it might be platform agnostic. |
|
@duereg cheers. FWIW, it should be just |
|
If you want to test reverting one of the V8 commits, just checkout the v6.10.1 tag, then The commits to try reverting for #9293 are: |
|
@mscdex reverting 3ab070d resolved the issue. |
|
/cc @targos ^ |
|
We just ran into this as well. Upgrading from 6.10.0 to 6.10.1. Downgrading to 6.10.0 fixes the issue |
|
@duereg Did you have a chance to put that gist together? |
|
I ran the oca test with a debug build. here is the stack trace: Fatal error in ../deps/v8/src/ast/ast-numbering.cc, line 368node/deps/v8/src/ast/ast-numbering.cc Line 368 in 6803521 |
|
We probably need v8/v8@a328143e and possibly v8/v8@96220730 too. |
|
@bnoordhuis Those two commits aren't bugfixes so I don't think they are needed to fix this problem. Although they provide an implementation for AstNumberingVisitor::VisitSpread which is where the crash occurs, the idea would be to avoid reaching VisitSpread() in the first place. |
|
Yeah I don't think those will fix the problem. It looks like the crash happens with an array literal spread, not a spread call. |
|
Sorry for the delay on the gist... I was trying to figure out a way to recreate the issue without mocha, but I could not, so I created a simple test suite. https://gist.github.com/duereg/8e398f05e962af0965053d8ddf827165 |
|
@duereg thank you. what is your babel config and version? Edit: I don't know how to reproduce. I tried to install |
|
@targos updated gist with .babelrc |
|
I'm sorry, I still can't reproduce. |
|
Our mocha runner is wrapped in a gulp process. I was hoping to not have to figure that out as well. I'll update the gist to take that into account. |
|
I also cannot get that test case to fail without the gulp runner. The issue seems to lie with the instrumentation code that calculates test coverage, that sits atop of all of this. :/ |
|
@targos updated gist. Download, install, run, everything explodes |
|
Reproducible for me (macOS Sierra): Stack Trace==== C stack trace ===============================
1: V8_Fatal
2: v8::internal::AstNumberingVisitor::VisitSpread(v8::internal::Spread*)
3: v8::internal::AstNumberingVisitor::VisitArrayLiteral(v8::internal::ArrayLiteral*)
4: v8::internal::AstNumberingVisitor::VisitRewritableExpression(v8::internal::RewritableExpression*)
5: v8::internal::AstNumberingVisitor::VisitBinaryOperation(v8::internal::BinaryOperation*)
6: v8::internal::AstNumberingVisitor::VisitConditional(v8::internal::Conditional*)
7: v8::internal::AstNumberingVisitor::VisitObjectLiteral(v8::internal::ObjectLiteral*)
8: v8::internal::AstNumberingVisitor::VisitAssignment(v8::internal::Assignment*)
9: v8::internal::AstNumberingVisitor::VisitExpressionStatement(v8::internal::ExpressionStatement*)
10: v8::internal::AstNumberingVisitor::VisitBlock(v8::internal::Block*)
11: v8::internal::AstNumberingVisitor::Renumber(v8::internal::FunctionLiteral*)
12: v8::internal::AstNumbering::Renumber(v8::internal::Isolate*, v8::internal::Zone*, v8::internal::FunctionLiteral*)
13: v8::internal::Compiler::Analyze(v8::internal::ParseInfo*)
14: v8::internal::(anonymous namespace)::GetUnoptimizedCodeCommon(v8::internal::CompilationInfo*)
15: v8::internal::Compiler::Compile(v8::internal::Handle<v8::internal::JSFunction>, v8::internal::Compiler::ClearExceptionFlag)
16: v8::internal::Runtime_CompileLazy(int, v8::internal::Object**, v8::internal::Isolate*)
17: 0x15fb64a092a7
18: 0x15fb64a34338
19: 0x15fb65055791
20: 0x15fb65063a3a
[1] 35429 illegal hardware instruction (core dumped) gulpEDIT: Indeed, it doesn't fail if you take out Istanbul, i.e. with: this diffdiff --git a/gulpfile.babel.js b/gulpfile.babel.js
index d28b64e..0fa981a 100644
--- a/gulpfile.babel.js
+++ b/gulpfile.babel.js
@@ -1,23 +1,12 @@
import gulp from 'gulp';
-import istanbul from 'gulp-istanbul';
import {Instrumenter} from 'isparta';
import mocha from 'gulp-mocha';
function runTestsWithCoverage(cb) {
return gulp.src(['./brokenNodeTest.js'])
- .pipe(istanbul({ // Covering files
- instrumenter: Instrumenter,
- includeUntested: true
- }))
- .pipe(istanbul.hookRequire()) // Force `require` to return covered files
.on('finish', function finish() {
gulp.src(["./brokenNodeTest.spec.js"], {read: false})
.pipe(mocha({reporter: 'spec', timeout: 15000}))
- .pipe(istanbul.writeReports({
- dir: "coverage",
- reportOpts: {dir: "coverage"},
- reporters: ['text', 'text-summary', 'json', 'html']
- }))
.on('end', console.error)
.on('error', console.error);
}); |
|
Thank you. Here is a reduced testcase based on this: 'use strict';
let a = 0;
const DEFAULT_FLAGS = [1];
const query = {
flags: true ? (a++,
[...DEFAULT_FLAGS, 2]) : (a++,
DEFAULT_FLAGS)
}; |
|
Even shorter: (42, [...[0], 1]); |
|
The crash also happens if I build V8 at the commit that I backported. I'm going to bisect. |
Original commit message:
Fix classifier related bug
R=adamk@chromium.org
BUG=chromium:621111
LOG=N
Review-Url: https://codereview.chromium.org/2086513002
Cr-Commit-Position: refs/heads/master@{nodejs#37150}
Fixes: nodejs#11977
Original commit message:
Fix classifier related bug
R=adamk@chromium.org
BUG=chromium:621111
LOG=N
Review-Url: https://codereview.chromium.org/2086513002
Cr-Commit-Position: refs/heads/master@{#37150}
Fixes: #11977
PR-URL: #12037
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Original commit message:
Fix classifier related bug
R=adamk@chromium.org
BUG=chromium:621111
LOG=N
Review-Url: https://codereview.chromium.org/2086513002
Cr-Commit-Position: refs/heads/master@{#37150}
Fixes: #11977
PR-URL: #12037
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Original commit message:
Fix classifier related bug
R=adamk@chromium.org
BUG=chromium:621111
LOG=N
Review-Url: https://codereview.chromium.org/2086513002
Cr-Commit-Position: refs/heads/master@{#37150}
Fixes: #11977
PR-URL: #12037
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
|
@targos has this been resolved in 6.10.2? |
|
@duereg Yes. Thanks for the report! |
|
Fix landed in 52bdb8f |
Version: Node, 6.10.1
Platform: Linux, version 4.4.27
The text was updated successfully, but these errors were encountered: