-
Notifications
You must be signed in to change notification settings - Fork 30.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Segmentation fault in node v5.* #5900
Comments
I can reproduce a segfault with just Requires several runs, though. It doesn't use any modules or Node.js API, except for the console. Most probably this is a v8 issue. @icefapper could you try to produce a smaller testcase? |
Thanks for such a quick reply! Regards, |
@icefapper I've done some initial cleanup in https://github.com/ChALkeR/lubejs/blob/master/lubelean.js. |
WoW! I just did some leaning myself; I confess though, it is by no means leaner than yours : |
Stack trace:
|
@ofrobots sorry for asking a newbieish thing, but, could i ask what it means and how you acquird it? thanks a lot |
@icefapper I got this stack trace by running node inside a debugger (e.g |
EDIT: v8 print is not to be trusted. |
I performed a bit more cleanup, the result is at https://github.com/ChALkeR/lubejs |
@ChALkeR thanks! I can reproduce the crash with vanilla d8; replacing |
@ChALkeR funny, I thought the segv error is due to the stack getting repeatedly pushd and popd as the precedences fluctuated (in prseNonSeqExpr); you've proven me wrong :) |
laugh at me, but aside from the prevalent 139 i frequently got, there was also a 132 error (i.e, "invalid instruction") occasionally showing up, this time coupled with a core dump, and "slice" was always the first frame that appeard in the dump; now i'm not telling the slice is the culprit, but it just makes me quite suspicious about it |
Very curious. I see a bunch of @icefapper I haven't been able to reproduce the invalid instruction crashes. That is interesting. These kinds of symptoms would indicate a memory-corruption type failure to me. If you do have those core dumps still available, I would be interested in know about what is in memory around the instruction the processor was trying to execute. I can give you the commands to run to get this data. |
On a debug build, the GC zaps garbage memory blocks with I can reproduce this with V8 4.5 (Node 4) as well. |
@ofrobots, I reproduced the invalid instruction crash. But it happened only once out of many runs. |
@ChALkeR If you still have a debugger active, or have a core-dump, could you print some instructions around the crash point? Running |
Opened V8 issue here: https://bugs.chromium.org/p/v8/issues/detail?id=4871 |
will try my best to reproduce the inv-instr error. Also, thanks for confirming it's not a bug on my side. i was literally on the verge of a nervous breakdown. |
@ofrobots Sorry, I don't have that now. Perhaps running the original testcase overnight would help? |
The testcase is under 100 lines now. |
@ofrobots @ChALkeR First I thought it might be that V8 does not like a function returning an object (silly, I cede, but experience has taught me that silly does not mean impossible.) I guess I was wrong there ; reason? take a look at this excellently leand testcase. Try fiddling with the object lterals that contain a 'loc:' by changing its value to {}, or by eliminating it altogether (there are only four of them I guess). I will try to share some of the variations that make the SIGSEGV disappear. I was so giddy finding out about it that I did not remember to save my findings :\ My take is that it has something to do with the convoluted way V8 might be handling the so-calld "hidden classes". As to why only 'loc' gets affected, I have no idea. |
Yes, I noticed that, too. It's not as trivial, though. Only one place counts (take a look at my testcase — it has the call to Also notice how my testcase redefines The same about re-assigning |
@ofrobots Update the testcase, please. It looks like the new one fails more often (and doesn't require the |
Looks like the vm is gc'ing |
further evidence for it : https://gist.github.com/icefapper/ee8e346c5eead603c855 |
@icefapper Change it to |
Thanks ; could I ask the precise location to apply the change? |
@icefapper both of the lines you changed =) |
@ChALkeR |
v8 issue is fixed, is this still reproducable? |
The v8 issue is fixed, and afaik it landed in Node.js. Closing. Feel free to comment and/or reopen =). |
This is part 1/2 of the fixes from v8:4871. This fixes a segfault in verify-heap. Original commit message: [crankshaft] Write fillers for folded old space allocations during verify-heap If we don't write fillers, we crash during PagedSpace verification when we try to iterate over dead memory (unused folded allocation slots). BUG=v8:4871,chromium:580959 LOG=N Review URL: https://codereview.chromium.org/1837163002 Cr-Commit-Position: refs/heads/master@{#35097} Fixes: nodejs#5900 V8-Bug: https://bugs.chromium.org/p/v8/issues/detail?id=4871
This is part 2/2 of the fixes needed for v8:4871. This fix never landed upstream because the bug is not present in active V8 version. The patch is available from the upstream v8 bug however. The segfault occurs at the intersection of the following three conditions that are dependent on the allocation pattern of an application: A pretenured (1) allocation site has to be optimized into a merged allocation by the allocation folding optimization (2) and there needs to be overflow of the store buffer (3). This patch disables the allocation folding optimization for pretenured allocations. This may have some, hopefully negligible, performance impact on real world applications. Fixes: nodejs#5900
The problem still exist on on |
@ofrobots Edit: ah, I see the PR for 4.x. |
Yes, I opened the PR for I am not sure there is enough runway left on |
This is part 1/2 of the fixes from v8:4871. This fixes a segfault in verify-heap. Original commit message: [crankshaft] Write fillers for folded old space allocations during verify-heap If we don't write fillers, we crash during PagedSpace verification when we try to iterate over dead memory (unused folded allocation slots). BUG=v8:4871,chromium:580959 LOG=N Review URL: https://codereview.chromium.org/1837163002 Cr-Commit-Position: refs/heads/master@{#35097} Fixes: #5900 V8-Bug: https://bugs.chromium.org/p/v8/issues/detail?id=4871 PR-URL: #7303 Reviewed-By: Michaël Zasso <mic.besace@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Myles Borins <myles.borins@gmail.com>
This is part 2/2 of the fixes needed for v8:4871. This fix never landed upstream because the bug is not present in active V8 version. The patch is available from the upstream v8 bug however. The segfault occurs at the intersection of the following three conditions that are dependent on the allocation pattern of an application: A pretenured (1) allocation site has to be optimized into a merged allocation by the allocation folding optimization (2) and there needs to be overflow of the store buffer (3). This patch disables the allocation folding optimization for pretenured allocations. This may have some, hopefully negligible, performance impact on real world applications. Fixes: #5900 PR-URL: #7303 Reviewed-By: Michaël Zasso <mic.besace@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Myles Borins <myles.borins@gmail.com>
This is part 1/2 of the fixes from v8:4871. This fixes a segfault in verify-heap. Original commit message: [crankshaft] Write fillers for folded old space allocations during verify-heap If we don't write fillers, we crash during PagedSpace verification when we try to iterate over dead memory (unused folded allocation slots). BUG=v8:4871,chromium:580959 LOG=N Review URL: https://codereview.chromium.org/1837163002 Cr-Commit-Position: refs/heads/master@{#35097} Fixes: #5900 V8-Bug: https://bugs.chromium.org/p/v8/issues/detail?id=4871 PR-URL: #7303 Reviewed-By: Michaël Zasso <mic.besace@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Myles Borins <myles.borins@gmail.com>
This is part 2/2 of the fixes needed for v8:4871. This fix never landed upstream because the bug is not present in active V8 version. The patch is available from the upstream v8 bug however. The segfault occurs at the intersection of the following three conditions that are dependent on the allocation pattern of an application: A pretenured (1) allocation site has to be optimized into a merged allocation by the allocation folding optimization (2) and there needs to be overflow of the store buffer (3). This patch disables the allocation folding optimization for pretenured allocations. This may have some, hopefully negligible, performance impact on real world applications. Fixes: #5900 PR-URL: #7303 Reviewed-By: Michaël Zasso <mic.besace@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Myles Borins <myles.borins@gmail.com>
Can we close this? The fix has landed in |
v5 is eol. closing. |
Original commit message: deps: backport e7cc609 from upstream V8 This is part 1/2 of the fixes from v8:4871. This fixes a segfault in verify-heap. Original commit message: [crankshaft] Write fillers for folded old space allocations during verify-heap If we don't write fillers, we crash during PagedSpace verification when we try to iterate over dead memory (unused folded allocation slots). BUG=v8:4871,chromium:580959 LOG=N Review URL: https://codereview.chromium.org/1837163002 Cr-Commit-Position: refs/heads/master@{#35097} Fixes: nodejs/node#5900 V8-Bug: https://bugs.chromium.org/p/v8/issues/detail?id=4871 PR-URL: nodejs/node#7303 Reviewed-By: Michaël Zasso <mic.besace@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Myles Borins <myles.borins@gmail.com>
Original commit message: deps: fix segfault during gc This is part 2/2 of the fixes needed for v8:4871. This fix never landed upstream because the bug is not present in active V8 version. The patch is available from the upstream v8 bug however. The segfault occurs at the intersection of the following three conditions that are dependent on the allocation pattern of an application: A pretenured (1) allocation site has to be optimized into a merged allocation by the allocation folding optimization (2) and there needs to be overflow of the store buffer (3). This patch disables the allocation folding optimization for pretenured allocations. This may have some, hopefully negligible, performance impact on real world applications. Fixes: nodejs/node#5900 PR-URL: nodejs/node#7303 Reviewed-By: Michaël Zasso <mic.besace@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Myles Borins <myles.borins@gmail.com>
In case anyone was wondering what the fixed versions were I believe this is it:
|
Hello
while fiddling with the toy js parser I have made, i came across weird 139 (that is, Segmentation fault) errors which are driving me nuts. I've pruned every unnecessary part of the parser and looks like i have been able to isolate the error-causing case. i have very little experience using debugging tools to delve in this issue all by myself; i would hence be glad if someone could help me find out what is going on .
the faulty case: https://github.com/icefapper/lubejs
meminfo: https://gist.github.com/icefapper/3081ce0e4f1e8bb17314
my sys is : Linux 3.13.0-37-generic #64-Ubuntu SMP Mon Sep 22 21:28:38 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux (specifically it is LM 17.1)
cpuinfo: https://gist.github.com/icefapper/5dc357ab7d751a7ceb86
i have been experiencing it on 5.6.0 and up (i.e, even with the latest stable 5.9.* which i even built from source)
Thanks a lot reading this far, and I hope you could reproduce the error case. Simply run the "run.sh" thing 40-times or so, and the read the "lubelean.log"; please note, though, that the "lubelean.log" already contains the logs I received by running 'run.sh' which means if you need your own logs, you must delete it and then run 'run.sh'.
The text was updated successfully, but these errors were encountered: