
Abort during Object.keys after vm.runInContext #22723

Closed
@cxreg

Description

@cxreg

This occurs on both master and v10.x-staging but does not reproduce in 10.9.0.

./node -e 'let test = { not: "empty" }; vm.createContext(test); Object.keys(vm.runInContext("this", test))'


#
# Fatal error in , line 0
# Check failed: element->ToUint32(&number).
#
#
#
#FailureMessage Object: 0x7ffdaccc1b20
Illegal instruction

Here's the llnode backtrace:

 * thread #1: tid = 15265, 0x00007fffef24ce49 node`v8::base::OS::Abort() + 9, name = 'node', stop reason = signal SIGILL: illegal instruction operand
  * frame #0: 0x00007fffef24ce49 node`v8::base::OS::Abort() + 9
    frame #1: 0x00007fffef24901a node`V8_Fatal(char const*, int, char const*, ...) + 362
    frame #2: 0x00007fffeeb45ce3 node`v8::internal::(anonymous namespace)::CollectInterceptorKeysInternal(v8::internal::Handle<v8::internal::JSReceiver>, v8::internal::Handle<v8::internal::JSObject>, v8::internal::Handle<v8::internal::InterceptorInfo>, v8::internal::KeyAccumulator*, v8::internal::(anonymous namespace)::IndexedOrNamed) + 1507
    frame #3: 0x00007fffeeb475f1 node`v8::internal::KeyAccumulator::CollectOwnElementIndices(v8::internal::Handle<v8::internal::JSReceiver>, v8::internal::Handle<v8::internal::JSObject>) + 305
    frame #4: 0x00007fffeeb489b2 node`v8::internal::KeyAccumulator::CollectOwnKeys(v8::internal::Handle<v8::internal::JSReceiver>, v8::internal::Handle<v8::internal::JSObject>) + 274
    frame #5: 0x00007fffeeb496b5 node`v8::internal::KeyAccumulator::CollectKeys(v8::internal::Handle<v8::internal::JSReceiver>, v8::internal::Handle<v8::internal::JSReceiver>) + 69
    frame #6: 0x00007fffeeb499e6 node`v8::internal::KeyAccumulator::GetKeys(v8::internal::Handle<v8::internal::JSReceiver>, v8::internal::KeyCollectionMode, v8::internal::PropertyFilter, v8::internal::GetKeysConversion, bool, bool) + 166
    frame #7: 0x00007fffeed14d1f node`v8::internal::Runtime_ObjectKeys(int, v8::internal::Object**, v8::internal::Isolate*) + 143
    frame #8: 0x000006d8132dc01d <exit>
    frame #9: 0x000006d81331f255 keys(this=0x00002de71e2045d1:<function: Object at (no script)>, 0x00002a3391b027d9:<Global proxy>) at (no script) fn=0x00002de71e205139
    frame #10: 0x000006d8132918b5 (anonymous)(this=0x00000be72f61a8f1:<Global proxy>) at repl:1:0 fn=0x0000047a28af6aa1
    frame #11: 0x000006d81328ee55 <internal>
    frame #12: 0x000006d813289521 <entry>
    frame #13: 0x00007fffeea0e540 node`v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) + 272
    frame #14: 0x00007fffee681d28 node`v8::Script::Run(v8::Local<v8::Context>) + 536
    frame #15: 0x00007fffee466ddc node`node::contextify::ContextifyScript::EvalMachine(node::Environment*, long, bool, bool, v8::FunctionCallbackInfo<v8::Value> const&) + 1036
    frame #16: 0x00007fffee467127 node`node::contextify::ContextifyScript::RunInThisContext(v8::FunctionCallbackInfo<v8::Value> const&) + 343
    frame #17: 0x00007fffee6ea4c2 node`v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<false>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, v8::internal::BuiltinArguments) + 530
    frame #18: 0x00007fffee6eb069 node`v8::internal::Builtin_HandleApiCall(int, v8::internal::Object**, v8::internal::Isolate*) + 185
    frame #19: 0x000006d8132dc01d <exit>
    frame #20: 0x000006d8132918b5 runInThisContext(this=0x00002a3391b022e1:<Object: ContextifyScript>, 0x00002a3391b02399:<Object: Object>) at vm.js:91:19 fn=0x0000083ade3c0761
    frame #21: 0x000006d8132918b5 defaultEval(this=0x00001241ac282201:<Object: REPLServer>, 0x00002a3391b02409:<String: "let test = { not...">, 0x00000be72f61a8f1:<Global proxy>, 0x00002de71e231309:<String: "repl">, 0x00002a3391b02481:<function: finish at repl.js:629:20>) at repl.js:227:23 fn=0x00001241ac282309
    frame #22: 0x000006d8132918b5 bound(this=0x00003a32c6b826f1:<undefined>, 0x00001241ac282201:<Object: REPLServer>, 0x00001241ac282461:<Object: EventEmitter>, 0x00001241ac282309:<function: defaultEval at repl.js:227:23>, 0x00002a3391b024c1:<unknown>) at domain.js:391:15 fn=0x00001241ac282349
    frame #23: 0x000006d8132918b5 runBound(this=0x00001241ac282201:<Object: REPLServer>) at domain.js:408:20 fn=0x00001241ac282511
    frame #24: 0x000006d81328a5a3 <adaptor>
    frame #25: 0x000006d8132918b5 onLine(this=0x00001241ac282201:<Object: REPLServer>, 0x00002a3391b024e1:<String: "let test = { not...">) at repl.js:582:34 fn=0x00001241ac282591
    frame #26: 0x000006d8132918b5 emit(this=0x00001241ac282201:<Object: REPLServer>, 0x00003a32c6b86a51:<String: "line">) at events.js:140:44 fn=0x00002de71e2433a9
    frame #27: 0x000006d81328a5a3 <adaptor>
    frame #28: 0x000006d8132918b5 EventEmitter.emit(this=0x00001241ac282201:<Object: REPLServer>) at domain.js:431:39 fn=0x0000047a28aa74e9
    frame #29: 0x000006d81328a5a3 <adaptor>
    frame #30: 0x000006d8132918b5 Interface._onLine(this=0x00001241ac282201:<Object: REPLServer>, 0x00002a3391b024e1:<String: "let test = { not...">) at readline.js:283:39 fn=0x000016f9f5553e81
    frame #31: 0x000006d8132918b5 Interface._line(this=0x00001241ac282201:<Object: REPLServer>) at readline.js:635:37 fn=0x000016f9f5554381
    frame #32: 0x000006d8132918b5 Interface._ttyWrite(this=0x00001241ac282201:<Object: REPLServer>, 0x00000f3a729af9e1:<String: "
">, 0x00002a3391b02631:<Object: Object>) at readline.js:756:41 fn=0x000016f9f5554501
    frame #33: 0x000006d8132918b5 REPLServer.self._ttyWrite(this=0x00001241ac282201:<Object: REPLServer>, 0x00000f3a729af9e1:<String: "
">, 0x00002a3391b02631:<Object: Object>) at repl.js:693:20 fn=0x0000047a28ad4f59
    frame #34: 0x000006d8132918b5 onkeypress(this=0x00001241ac2826f1:<Object: ReadStream>, 0x00000f3a729af9e1:<String: "
">, 0x00002a3391b02631:<Object: Object>) at readline.js:167:22 fn=0x00001241ac282639
    frame #35: 0x000006d8132918b5 emit(this=0x00001241ac2826f1:<Object: ReadStream>, 0x0000047a28ac8cc9:<String: "keypress">) at events.js:140:44 fn=0x00002de71e2433a9
    frame #36: 0x000006d81328a5a3 <adaptor>
    frame #37: 0x000006d8132918b5 EventEmitter.emit(this=0x00001241ac2826f1:<Object: ReadStream>) at domain.js:431:39 fn=0x0000047a28aa74e9
    frame #38: 0x000006d81328a5a3 <adaptor>
    frame #39: 0x000006d8132918b5 emitKeys(this=0x00003a32c6b826f1:<undefined>, 0x00003a32c6b82801:<hole>) at (external).js:166:19 fn=0x000012bdb5259ed1
    frame #40: 0x000006d813332c3b
    frame #41: 0x000006d8132918b5 onData(this=0x00001241ac2826f1:<Object: ReadStream>, 0x00002a3391b026b1:<ArrayBufferView: backingStore=0x0000555557806e80, byteOffset=0, byteLength=1>) at readline.js:1006:18 fn=0x00001241ac282859
    frame #42: 0x000006d8132918b5 emit(this=0x00001241ac2826f1:<Object: ReadStream>, 0x00002de71e23c291:<String: "data">) at events.js:140:44 fn=0x00002de71e2433a9
    frame #43: 0x000006d81328a5a3 <adaptor>
    frame #44: 0x000006d8132918b5 EventEmitter.emit(this=0x00001241ac2826f1:<Object: ReadStream>) at domain.js:431:39 fn=0x0000047a28aa74e9
    frame #45: 0x000006d81328a5a3 <adaptor>
    frame #46: 0x000006d8132918b5 addChunk(this=0x00003a32c6b826f1:<undefined>, 0x00001241ac2826f1:<Object: ReadStream>, 0x00001241ac282899:<Object: ReadableState>, 0x00002a3391b026b1:<ArrayBufferView: backingStore=0x0000555557806e80, byteOffset=0, byteLength=1>, 0x00003a32c6b829a1:<false>) at (external).js:280:18 fn=0x000012bdb5237531
    frame #47: 0x000006d8132918b5 readableAddChunk(this=0x00003a32c6b826f1:<undefined>, 0x00001241ac2826f1:<Object: ReadStream>, 0x00002a3391b026b1:<ArrayBufferView: backingStore=0x0000555557806e80, byteOffset=0, byteLength=1>, 0x00003a32c6b826f1:<undefined>, 0x00003a32c6b829a1:<false>, 0x00003a32c6b826f1:<undefined>) at (external).js:227:26 fn=0x000012bdb52374f1
    frame #48: 0x000006d8132918b5 Readable.push(this=0x00001241ac2826f1:<Object: ReadStream>, 0x00002a3391b026b1:<ArrayBufferView: backingStore=0x0000555557806e80, byteOffset=0, byteLength=1>, 0x00003a32c6b826f1:<undefined>) at (external).js:202:35 fn=0x00000f3a729c5149
    frame #49: 0x000006d81328a5a3 <adaptor>
    frame #50: 0x000006d8132918b5 onStreamRead(this=0x00001241ac2829b9:<Object: TTY>, <Smi: 1>, 0x00002a3391b026b1:<ArrayBufferView: backingStore=0x0000555557806e80, byteOffset=0, byteLength=1>) at (external).js:87:22 fn=0x000012bdb525c879
    frame #51: 0x000006d81328ee55 <internal>
    frame #52: 0x000006d813289521 <entry>
    frame #53: 0x00007fffeea0e540 node`v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) + 272
    frame #54: 0x00007fffee68602f node`v8::Function::Call(v8::Local<v8::Context>, v8::Local<v8::Value>, int, v8::Local<v8::Value>*) + 415
    frame #55: 0x00007fffee433cf9 node`node::InternalMakeCallback(node::Environment*, v8::Local<v8::Object>, v8::Local<v8::Function>, int, v8::Local<v8::Value>*, node::async_context) + 441
    frame #56: 0x00007fffee3fddd6 node`node::AsyncWrap::MakeCallback(v8::Local<v8::Function>, int, v8::Local<v8::Value>*) + 134
    frame #57: 0x00007fffee4fe3f4 node`node::StreamBase::CallJSOnreadMethod(long, v8::Local<v8::Object>) + 196
    frame #58: 0x00007fffee4fe4cc node`node::EmitToJSStreamListener::OnStreamRead(long, uv_buf_t const&) + 156
    frame #59: 0x00007fffee504eb1 node`node::LibuvStreamWrap::ReadStart()::{lambda(uv_stream_s*, long, uv_buf_t const*)#2}::_FUN(uv_stream_s*, long, uv_buf_t const*) + 161
    frame #60: 0x00007fffee5a2242 node`uv__read(stream=<unavailable>) + 674 at stream.c:1257
    frame #61: 0x00007fffee5a2880 node`uv__stream_io(loop=<unavailable>, w=<unavailable>, events=<unavailable>) + 624 at stream.c:1324
    frame #62: 0x00007fffee5a8260 node`uv__io_poll(loop=<unavailable>, timeout=<unavailable>) + 976 at linux-core.c:401
    frame #63: 0x00007fffee59761b node`uv_run(loop=<unavailable>, mode=<unavailable>) + 331 at core.c:370
    frame #64: 0x00007fffee43d425 node`node::Start(v8::Isolate*, node::IsolateData*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) + 1909
    frame #65: 0x00007fffee43b08a node`node::Start(int, char**) + 1386
    frame #66: 0x00007ffff6b942b1 libc.so.6`__libc_start_main + 241
    frame #67: 0x00007fffee3f4b2a node`_start + 42

Labels

confirmed-bug: Issues with confirmed bugs. v8 engine: Issues and PRs related to the V8 dependency. vm: Issues and PRs related to the vm subsystem.
