crash when trace ic stats

[theanarkh]

Version

v19.0.0-pre

Platform

20.3.0 Darwin Kernel Version 20.3.0

Subsystem

trace_events

What steps will reproduce the bug?

const trace_events = require('node:trace_events');
// it works if comment out this line
require('v8');

const tracing = trace_events.createTracing({ categories: ['disabled-by-default-v8.ic_stats'] });

tracing.enable();

function access(obj) {
    obj.a;
}
for (let i = 0; i < 100; i++) {
    access({a: i});
    access({a: String(i)});
}

function f(upperLimit) {
    let sum = 0;
    for (let i = 0; i < upperLimit; i++) {
      sum += i;
    }
    if (sum < 0) throw "argh";
}
  
function measure(f) {
    const start = new Date().valueOf();
    for (let i = 0; i < 10000; i++) {
      f(i * 10);
    }
    const end = new Date().valueOf();
    console.log(end - start);
}
  
measure(f);

How often does it reproduce? Is there a required condition?

always.

What is the expected behavior?

The process exits normally.

What do you see instead?

node was compiled with optimization - stepping may behave oddly; variables may not be available.
* thread #1, stop reason = signal SIGSTOP
  * frame #0: 0x0000000101fb6d82 node`v8::internal::SafepointTable::SafepointTable(v8::internal::Isolate*, unsigned long, v8::internal::Code) [inlined] int std::__1::__cxx_atomic_load<int>(__a=<unavailable>, __order=memory_order_relaxed) at atomic:997:12 [opt]
    frame #1: 0x0000000101fb6d82 node`v8::internal::SafepointTable::SafepointTable(v8::internal::Isolate*, unsigned long, v8::internal::Code) [inlined] std::__1::__atomic_base<int, false>::load(this=<unavailable>, __m=memory_order_relaxed) const volatile at atomic:1603 [opt]
    frame #2: 0x0000000101fb6d82 node`v8::internal::SafepointTable::SafepointTable(v8::internal::Isolate*, unsigned long, v8::internal::Code) [inlined] int std::__1::atomic_load_explicit<int>(__o=<unavailable>, __m=memory_order_relaxed) at atomic:1959 [opt]
    frame #3: 0x0000000101fb6d82 node`v8::internal::SafepointTable::SafepointTable(v8::internal::Isolate*, unsigned long, v8::internal::Code) [inlined] v8::base::Relaxed_Load(ptr=<unavailable>) at atomicops.h:237 [opt]
    frame #4: 0x0000000101fb6d82 node`v8::internal::SafepointTable::SafepointTable(v8::internal::Isolate*, unsigned long, v8::internal::Code) [inlined] v8::internal::Code::is_off_heap_trampoline(this=<unavailable>) const at code-inl.h:1101 [opt]
    frame #5: 0x0000000101fb6d82 node`v8::internal::SafepointTable::SafepointTable(v8::internal::Isolate*, unsigned long, v8::internal::Code) [inlined] v8::internal::Code::InstructionStart(this=<unavailable>, isolate=<unavailable>, pc=<unavailable>) const at code-inl.h:652 [opt]
    frame #6: 0x0000000101fb6d82 node`v8::internal::SafepointTable::SafepointTable(this=0x00007ffeedf6ef88, isolate=0x00007f823654d000, pc=4461753840, code=Code @ 0x00007ffeedf6ef58) at safepoint-table.cc:24 [opt]
    frame #7: 0x000000010202de87 node`v8::internal::TurbofanFrame::FindReturnPCForTrampoline(this=<unavailable>, code=<unavailable>, trampoline_pc=2817) const at frames.cc:2278:18 [opt]
    frame #8: 0x000000010217b920 node`v8::internal::IC::TraceIC(this=<unavailable>, type=<unavailable>, name=<unavailable>, old_state=UNINITIALIZED, new_state=<unavailable>) at ic.cc:165:35 [opt]
    frame #9: 0x000000010217d2f6 node`v8::internal::LoadIC::UpdateCaches(this=0x00007ffeedf6f960, lookup=<unavailable>) at ic.cc:0 [opt]
    frame #10: 0x000000010217cdb0 node`v8::internal::LoadIC::Load(this=0x00007ffeedf6f960, object=<unavailable>, name=<unavailable>, update_feedback=<unavailable>, receiver=<unavailable>) at ic.cc:494:7 [opt]
    frame #11: 0x000000010217d45e node`v8::internal::LoadGlobalIC::Load(this=0x00007ffeedf6f960, name=<unavailable>, update_feedback=<unavailable>) at ic.cc:572:18 [opt]
    frame #12: 0x000000010218563a node`v8::internal::Runtime_LoadGlobalIC_Miss(int, unsigned long*, v8::internal::Isolate*) at ic.cc:2780:3 [opt]
    frame #13: 0x0000000102185487 node`v8::internal::Runtime_LoadGlobalIC_Miss(args_length=<unavailable>, args_object=0x00007ffeedf6faa0, isolate=0x00007f823654d000) at ic.cc:2755 [opt]
    frame #14: 0x0000000102932b79 node`Builtins_CEntry_Return1_DontSaveFPRegs_ArgvOnStack_NoBuiltinExit + 57
    frame #15: 0x0000000109f0f5f0
    frame #16: 0x0000000109f0ceeb
    frame #17: 0x00000001028b1bdc node`Builtins_InterpreterEntryTrampoline + 220
    frame #18: 0x00000001028b1bdc node`Builtins_InterpreterEntryTrampoline + 220
    frame #19: 0x00000001028b1bdc node`Builtins_InterpreterEntryTrampoline + 220
    frame #20: 0x00000001028b1bdc node`Builtins_InterpreterEntryTrampoline + 220
    frame #21: 0x00000001028b1bdc node`Builtins_InterpreterEntryTrampoline + 220
    frame #22: 0x00000001028b1bdc node`Builtins_InterpreterEntryTrampoline + 220
    frame #23: 0x00000001028b035c node`Builtins_JSEntryTrampoline + 92
    frame #24: 0x00000001028b0083 node`Builtins_JSEntry + 131
    frame #25: 0x0000000102024308 node`v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, v8::internal::(anonymous namespace)::InvokeParams const&) [inlined] v8::internal::GeneratedCode<unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, long, unsigned long**>::Call(this=<unavailable>, args=<unavailable>, args=<unavailable>, args=<unavailable>, args=<unavailable>, args=<unavailable>, args=<unavailable>) at simulator.h:155:12 [opt]
    frame #26: 0x0000000102024306 node`v8::internal::(anonymous namespace)::Invoke(isolate=0x00007f823654d000, params=<unavailable>)::InvokeParams const&) at execution.cc:427 [opt]
    frame #27: 0x0000000102023695 node`v8::internal::Execution::Call(isolate=0x00007f823654d000, callable=<unavailable>, receiver=<unavailable>, argc=4, argv=0x00007f82366292d0) at execution.cc:527:10 [opt]
    frame #28: 0x0000000101ef6cfd node`v8::Function::Call(this=0x00007f823716a048, context=<unavailable>, recv=<unavailable>, argc=<unavailable>, argv=0x00007f82366292d0) at api.cc:5317:7 [opt]
    frame #29: 0x0000000101d42ca2 node`node::builtins::BuiltinLoader::CompileAndCall(v8::Local<v8::Context>, char const*, node::Realm*) [inlined] node::builtins::BuiltinLoader::CompileAndCall(context=(val_ = 0x00007f823719ac80), id=<unavailable>, argc=4, argv=0x00007f82366292d0, optional_env=<unavailable>) at node_builtins.cc:502:14 [opt]
    frame #30: 0x0000000101d42c83 node`node::builtins::BuiltinLoader::CompileAndCall(context=(val_ = 0x00007f823719ac80), id=<unavailable>, realm=0x00007f8236627120) at node_builtins.cc:485 [opt]
    frame #31: 0x0000000101dd81ff node`node::Realm::ExecuteBootstrapper(this=0x00007f8236627120, id=<unavailable>) at node_realm.cc:168:30 [opt]
    frame #32: 0x0000000101d25176 node`node::StartExecution(env=0x00007f823780ec00, cb=<unavailable>)>) at node.cc:0 [opt]
    frame #33: 0x0000000101c9697d node`node::LoadEnvironment(env=0x00007f823780ec00, cb=<unavailable>)>) at environment.cc:437:10 [opt]
    frame #34: 0x0000000101da2752 node`node::NodeMainInstance::Run() [inlined] node::NodeMainInstance::Run(this=<unavailable>, exit_code=<unavailable>, env=0x00007f823780ec00) at node_main_instance.cc:138:5 [opt]
    frame #35: 0x0000000101da2734 node`node::NodeMainInstance::Run(this=<unavailable>) at node_main_instance.cc:132 [opt]
    frame #36: 0x0000000101d27c64 node`node::LoadSnapshotDataAndRun(snapshot_data_ptr=<unavailable>, result=<unavailable>) at node.cc:1169:29 [opt]
    frame #37: 0x0000000101d27ee4 node`node::Start(int, char**) [inlined] node::StartInternal(argc=<unavailable>, argv=0x00007f82364266a0) at node.cc:1215:10 [opt]
    frame #38: 0x0000000101d27cb4 node`node::Start(argc=<unavailable>, argv=<unavailable>) at node.cc:1219 [opt]
    frame #39: 0x00007fff2050d621 libdyld.dylib`start + 1

Additional information

No response

[juanarbol]

Same thing for Node v16.x

[thoqbk]

@theanarkh @juanarbol can I give this a try?

[bnoordhuis]

It's a V8 issue. Don't know why @theanarkh reported it here but this is the wrong bug tracker for it.

[thoqbk]

It's a V8 issue. Don't know why @theanarkh reported it here but this is the wrong bug tracker for it.

@bnoordhuis is it still worth working on this?

[bnoordhuis]

I'm sure upstream V8 would accept a fix so you can still work on it, you just need to send your changes upstream. We can cherry-pick the commit into node once it's been merged.

I'll go ahead and close out the issue because it isn't actionable right now but let me know if you still have questions.