
snapshot cause EXC_BAD_ACCESS #40832

Closed
caijw opened this issue Nov 17, 2021 · 7 comments
Labels
build Issues and PRs related to build files or the CI. macos Issues and PRs related to the macOS platform / OSX. snapshot Issues and PRs related to the startup snapshot

Comments

@caijw

caijw commented Nov 17, 2021

Version

v18.0.0-pre

Platform

Darwin MY-MC0 19.5.0 Darwin Kernel Version 19.5.0: Thu Apr 30 18:25:59 PDT 2020; root:xnu-6153.121.1~7/RELEASE_X86_64 x86_64

Subsystem

No response

What steps will reproduce the bug?

Node.js loads a specific snapshot and crashes with a memory error, EXC_BAD_ACCESS.
This happens on both the macOS and Linux platforms.

➜  node git:(snapshot-user) ✗ lldb --  ./out/Debug/node --snapshot-blob ./example/snapshot.blob
(lldb) target create "./out/Debug/node"
Current executable set to '/Users/jingweicai/dev/node/out/Debug/node' (x86_64).
(lldb) settings set -- target.run-args  "--snapshot-blob" "./example/snapshot.blob"
(lldb) r
Process 6097 launched: '/Users/jingweicai/dev/node/out/Debug/node' (x86_64)
node was compiled with optimization - stepping may behave oddly; variables may not be available.
Process 6097 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
    frame #0: 0x000000010108c578 node`v8::internal::Serializer::SerializeObject(v8::internal::Handle<v8::internal::HeapObject>) [inlined] short std::__1::__cxx_atomic_load<short>(__a=<unavailable>, __order=memory_order_relaxed) at atomic:964:12 [opt]
   961 	_LIBCPP_INLINE_VISIBILITY
   962 	_Tp __cxx_atomic_load(__cxx_atomic_base_impl<_Tp> const volatile* __a, memory_order __order) _NOEXCEPT {
   963 	    using __ptr_type = typename remove_const<decltype(__a->__a_value)>::type*;
-> 964 	    return __c11_atomic_load(const_cast<__ptr_type>(&__a->__a_value), static_cast<__memory_order_underlying_t>(__order));
   965 	}
   966 	template<class _Tp>
   967 	_LIBCPP_INLINE_VISIBILITY
Target 0: (node) stopped.
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
  * frame #0: 0x000000010108c578 node`v8::internal::Serializer::SerializeObject(v8::internal::Handle<v8::internal::HeapObject>) [inlined] short std::__1::__cxx_atomic_load<short>(__a=<unavailable>, __order=memory_order_relaxed) at atomic:964:12 [opt]
    frame #1: 0x000000010108c578 node`v8::internal::Serializer::SerializeObject(v8::internal::Handle<v8::internal::HeapObject>) [inlined] std::__1::__atomic_base<short, false>::load(this=<unavailable>, __m=memory_order_relaxed) const volatile at atomic:1483 [opt]
    frame #2: 0x000000010108c578 node`v8::internal::Serializer::SerializeObject(v8::internal::Handle<v8::internal::HeapObject>) [inlined] short std::__1::atomic_load_explicit<short>(__o=<unavailable>, __m=memory_order_relaxed) at atomic:1819 [opt]
    frame #3: 0x000000010108c578 node`v8::internal::Serializer::SerializeObject(v8::internal::Handle<v8::internal::HeapObject>) [inlined] v8::base::Relaxed_Load(ptr=<unavailable>) at atomicops.h:225 [opt]
    frame #4: 0x000000010108c578 node`v8::internal::Serializer::SerializeObject(v8::internal::Handle<v8::internal::HeapObject>) [inlined] v8::internal::Map::instance_type(this=<unavailable>) const at map-inl.h:343 [opt]
    frame #5: 0x000000010108c578 node`v8::internal::Serializer::SerializeObject(v8::internal::Handle<v8::internal::HeapObject>) [inlined] v8::internal::HeapObject::IsString(this=<unavailable>) const at instance-type-inl.h:79 [opt]
    frame #6: 0x000000010108c574 node`v8::internal::Serializer::SerializeObject(v8::internal::Handle<v8::internal::HeapObject>) [inlined] v8::internal::HeapObject::IsThinString(this=<unavailable>) const at objects-inl.h:196 [opt]
    frame #7: 0x000000010108c574 node`v8::internal::Serializer::SerializeObject(this=0x00007ffeefbfce60, obj=Handle<v8::internal::HeapObject> @ r12) at serializer.cc:122 [opt]
    frame #8: 0x0000000101092038 node`v8::internal::Serializer::ObjectSerializer::VisitPointers(this=<unavailable>, host=<unavailable>, start=<unavailable>, end=<unavailable>) at serializer.cc:882:20 [opt]
    frame #9: 0x0000000101090eb2 node`v8::internal::Serializer::ObjectSerializer::SerializeContent(this=0x00007ffeefbfc6d0, map=Map @ r15, size=952) at serializer.cc:809:14 [opt]
    frame #10: 0x000000010108fc00 node`v8::internal::Serializer::ObjectSerializer::SerializeObject(this=0x00007ffeefbfc6d0) at serializer.cc:780:3 [opt]
    frame #11: 0x0000000101090c49 node`v8::internal::Serializer::ObjectSerializer::Serialize(this=0x00007ffeefbfc6d0) at serializer.cc:712:3 [opt]
    frame #12: 0x000000010105f46b node`v8::internal::CodeSerializer::SerializeObjectImpl(v8::internal::Handle<v8::internal::HeapObject>) [inlined] v8::internal::CodeSerializer::SerializeGeneric(this=<unavailable>, heap_object=<unavailable>) at code-serializer.cc:231:14 [opt]
    frame #13: 0x000000010105f421 node`v8::internal::CodeSerializer::SerializeObjectImpl(this=<unavailable>, obj=Handle<v8::internal::HeapObject> @ r13) at code-serializer.cc:225 [opt]
    frame #14: 0x0000000101092038 node`v8::internal::Serializer::ObjectSerializer::VisitPointers(this=<unavailable>, host=<unavailable>, start=<unavailable>, end=<unavailable>) at serializer.cc:882:20 [opt]
    frame #15: 0x0000000101090eb2 node`v8::internal::Serializer::ObjectSerializer::SerializeContent(this=0x00007ffeefbfc8b0, map=Map @ r15, size=688) at serializer.cc:809:14 [opt]
    frame #16: 0x000000010108fc00 node`v8::internal::Serializer::ObjectSerializer::SerializeObject(this=0x00007ffeefbfc8b0) at serializer.cc:780:3 [opt]
    frame #17: 0x0000000101090c49 node`v8::internal::Serializer::ObjectSerializer::Serialize(this=0x00007ffeefbfc8b0) at serializer.cc:712:3 [opt]
    frame #18: 0x000000010105f46b node`v8::internal::CodeSerializer::SerializeObjectImpl(v8::internal::Handle<v8::internal::HeapObject>) [inlined] v8::internal::CodeSerializer::SerializeGeneric(this=<unavailable>, heap_object=<unavailable>) at code-serializer.cc:231:14 [opt]
    frame #19: 0x000000010105f421 node`v8::internal::CodeSerializer::SerializeObjectImpl(this=<unavailable>, obj=Handle<v8::internal::HeapObject> @ r13) at code-serializer.cc:225 [opt]
    frame #20: 0x0000000101092038 node`v8::internal::Serializer::ObjectSerializer::VisitPointers(this=<unavailable>, host=<unavailable>, start=<unavailable>, end=<unavailable>) at serializer.cc:882:20 [opt]
    frame #21: 0x0000000100e2e293 node`void v8::internal::BodyDescriptorApply<v8::internal::CallIterateBody, void, v8::internal::Map, v8::internal::HeapObject, int, v8::internal::ObjectVisitor*>(v8::internal::InstanceType, v8::internal::Map, v8::internal::HeapObject, int, v8::internal::ObjectVisitor*) [inlined] void v8::internal::BodyDescriptorBase::IteratePointer<v8::internal::ObjectVisitor>(obj=HeapObject @ r15, offset=16, v=0x00007ffeefbfcad0) at objects-body-descriptors-inl.h:118:6 [opt]
    frame #22: 0x0000000100e2e277 node`void v8::internal::BodyDescriptorApply<v8::internal::CallIterateBody, void, v8::internal::Map, v8::internal::HeapObject, int, v8::internal::ObjectVisitor*>(v8::internal::InstanceType, v8::internal::Map, v8::internal::HeapObject, int, v8::internal::ObjectVisitor*) [inlined] void v8::internal::BytecodeArray::BodyDescriptor::IterateBody<v8::internal::ObjectVisitor>(map=<unavailable>, obj=HeapObject @ r15, object_size=<unavailable>, v=0x00007ffeefbfcad0) at objects-body-descriptors-inl.h:480 [opt]
    frame #23: 0x0000000100e2e277 node`void v8::internal::BodyDescriptorApply<v8::internal::CallIterateBody, void, v8::internal::Map, v8::internal::HeapObject, int, v8::internal::ObjectVisitor*>(v8::internal::InstanceType, v8::internal::Map, v8::internal::HeapObject, int, v8::internal::ObjectVisitor*) [inlined] void v8::internal::CallIterateBody::apply<v8::internal::BytecodeArray::BodyDescriptor, v8::internal::ObjectVisitor>(map=<unavailable>, obj=HeapObject @ r15, object_size=<unavailable>, v=0x00007ffeefbfcad0) at objects-body-descriptors-inl.h:1269 [opt]
    frame #24: 0x0000000100e2e277 node`void v8::internal::BodyDescriptorApply<v8::internal::CallIterateBody, void, v8::internal::Map, v8::internal::HeapObject, int, v8::internal::ObjectVisitor*>(type=<unavailable>, p1=<unavailable>, p2=HeapObject @ r15, p3=832, p4=0x00007ffeefbfcad0) at objects-body-descriptors-inl.h:1181 [opt]
    frame #25: 0x0000000101090eb2 node`v8::internal::Serializer::ObjectSerializer::SerializeContent(this=0x00007ffeefbfcad0, map=Map @ r15, size=832) at serializer.cc:809:14 [opt]
    frame #26: 0x000000010108fc00 node`v8::internal::Serializer::ObjectSerializer::SerializeObject(this=0x00007ffeefbfcad0) at serializer.cc:780:3 [opt]
    frame #27: 0x0000000101090c49 node`v8::internal::Serializer::ObjectSerializer::Serialize(this=0x00007ffeefbfcad0) at serializer.cc:712:3 [opt]
    frame #28: 0x000000010105f46b node`v8::internal::CodeSerializer::SerializeObjectImpl(v8::internal::Handle<v8::internal::HeapObject>) [inlined] v8::internal::CodeSerializer::SerializeGeneric(this=<unavailable>, heap_object=<unavailable>) at code-serializer.cc:231:14 [opt]
    frame #29: 0x000000010105f421 node`v8::internal::CodeSerializer::SerializeObjectImpl(this=<unavailable>, obj=Handle<v8::internal::HeapObject> @ r13) at code-serializer.cc:225 [opt]
    frame #30: 0x0000000101092038 node`v8::internal::Serializer::ObjectSerializer::VisitPointers(this=<unavailable>, host=<unavailable>, start=<unavailable>, end=<unavailable>) at serializer.cc:882:20 [opt]
    frame #31: 0x0000000100e2e317 node`void v8::internal::BodyDescriptorApply<v8::internal::CallIterateBody, void, v8::internal::Map, v8::internal::HeapObject, int, v8::internal::ObjectVisitor*>(v8::internal::InstanceType, v8::internal::Map, v8::internal::HeapObject, int, v8::internal::ObjectVisitor*) [inlined] void v8::internal::BodyDescriptorBase::IterateCustomWeakPointer<v8::internal::ObjectVisitor>(obj=HeapObject @ r15, offset=8, v=0x00007ffeefbfccf0) at objects-body-descriptors-inl.h:155:6 [opt]
    frame #32: 0x0000000100e2e2fb node`void v8::internal::BodyDescriptorApply<v8::internal::CallIterateBody, void, v8::internal::Map, v8::internal::HeapObject, int, v8::internal::ObjectVisitor*>(v8::internal::InstanceType, v8::internal::Map, v8::internal::HeapObject, int, v8::internal::ObjectVisitor*) [inlined] void v8::internal::SharedFunctionInfo::BodyDescriptor::IterateBody<v8::internal::ObjectVisitor>(map=<unavailable>, obj=HeapObject @ r15, object_size=<unavailable>, v=0x00007ffeefbfccf0) at objects-body-descriptors-inl.inc:87 [opt]
    frame #33: 0x0000000100e2e2fb node`void v8::internal::BodyDescriptorApply<v8::internal::CallIterateBody, void, v8::internal::Map, v8::internal::HeapObject, int, v8::internal::ObjectVisitor*>(v8::internal::InstanceType, v8::internal::Map, v8::internal::HeapObject, int, v8::internal::ObjectVisitor*) [inlined] void v8::internal::CallIterateBody::apply<v8::internal::SharedFunctionInfo::BodyDescriptor, v8::internal::ObjectVisitor>(map=<unavailable>, obj=HeapObject @ r15, object_size=<unavailable>, v=0x00007ffeefbfccf0) at objects-body-descriptors-inl.h:1269 [opt]
    frame #34: 0x0000000100e2e2fb node`void v8::internal::BodyDescriptorApply<v8::internal::CallIterateBody, void, v8::internal::Map, v8::internal::HeapObject, int, v8::internal::ObjectVisitor*>(type=<unavailable>, p1=<unavailable>, p2=HeapObject @ r15, p3=64, p4=0x00007ffeefbfccf0) at objects-body-descriptors-inl.h:1243 [opt]
    frame #35: 0x0000000101090eb2 node`v8::internal::Serializer::ObjectSerializer::SerializeContent(this=0x00007ffeefbfccf0, map=Map @ r15, size=64) at serializer.cc:809:14 [opt]
    frame #36: 0x000000010108fc00 node`v8::internal::Serializer::ObjectSerializer::SerializeObject(this=0x00007ffeefbfccf0) at serializer.cc:780:3 [opt]
    frame #37: 0x0000000101090c49 node`v8::internal::Serializer::ObjectSerializer::Serialize(this=0x00007ffeefbfccf0) at serializer.cc:712:3 [opt]
    frame #38: 0x000000010105f565 node`v8::internal::CodeSerializer::SerializeObjectImpl(v8::internal::Handle<v8::internal::HeapObject>) [inlined] v8::internal::CodeSerializer::SerializeGeneric(this=<unavailable>, heap_object=Handle<v8::internal::HeapObject> @ r13) at code-serializer.cc:231:14 [opt]
    frame #39: 0x000000010105f51b node`v8::internal::CodeSerializer::SerializeObjectImpl(this=<unavailable>, obj=Handle<v8::internal::HeapObject> @ r13) at code-serializer.cc:192 [opt]
    frame #40: 0x000000010108c78b node`v8::internal::Serializer::VisitRootPointers(v8::internal::Root, char const*, v8::internal::FullObjectSlot, v8::internal::FullObjectSlot) [inlined] v8::internal::Serializer::SerializeRootObject(this=0x00007ffeefbfce60, slot=FullObjectSlot @ rbx) at serializer.cc:150:5 [opt]
    frame #41: 0x000000010108c77a node`v8::internal::Serializer::VisitRootPointers(this=0x00007ffeefbfce60, root=<unavailable>, description=<unavailable>, start=<unavailable>, end=FullObjectSlot @ r14) at serializer.cc:141 [opt]
    frame #42: 0x000000010105eba5 node`v8::internal::CodeSerializer::SerializeSharedFunctionInfo(this=0x00007ffeefbfce60, info=Handle<v8::internal::SharedFunctionInfo> @ r15) at code-serializer.cc:102:3 [opt]
    frame #43: 0x000000010105e8c5 node`v8::internal::CodeSerializer::Serialize(info=<unavailable>) at code-serializer.cc:81:39 [opt]
    frame #44: 0x00000001006bacb0 node`v8::ScriptCompiler::CreateCodeCacheForFunction(function=<unavailable>) at api.cc:2791:10 [opt]
    frame #45: 0x00000001002c6531 node`node::native_module::NativeModuleLoader::LookupAndCompile(this=0x000000010477a380, context=(val_ = 0x00000001090e0080), id="internal/modules/esm/translators", parameters=0x00007ffeefbfd440 size=6, result=0x00007ffeefbfd514) at node_native_module.cc:306:7
    frame #46: 0x00000001002c603b node`node::native_module::NativeModuleLoader::CompileAsModule(this=0x000000010477a380, context=(val_ = 0x00000001090e0080), id="internal/modules/esm/translators", result=0x00007ffeefbfd514) at node_native_module.cc:187:10
    frame #47: 0x00000001002d1643 node`node::native_module::NativeModuleEnv::CompileFunction(args=0x00007ffeefbfd9c0) at node_native_module_env.cc:140:42
    frame #48: 0x0000000100780bdb node`v8::internal::FunctionCallbackArguments::Call(this=0x00007ffeefbfda28, handler=CallHandlerInfo @ 0x00007ffeefbfd9e0) at api-arguments-inl.h:152:3 [opt]
    frame #49: 0x000000010077f4b4 node`v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<false>(isolate=<unavailable>, function=Handle<v8::internal::HeapObject> @ 0x00007ffeefbfdaa0, new_target=Handle<v8::internal::HeapObject> @ 0x00007ffeefbfda98, fun_data=<unavailable>, receiver=<unavailable>, args=BuiltinArguments @ 0x00007ffeefbfdae0) at builtins-api.cc:112:36 [opt]
    frame #50: 0x000000010077d8b2 node`v8::internal::Builtin_HandleApiCall(int, unsigned long*, v8::internal::Isolate*) at builtins-api.cc:142:5 [opt]
    frame #51: 0x000000010077d72a node`v8::internal::Builtin_HandleApiCall(args_length=<unavailable>, args_object=<unavailable>, isolate=0x00000001100b0000) at builtins-api.cc:130 [opt]
    frame #52: 0x0000000101568ef9 node`Builtins_CEntry_Return1_DontSaveFPRegs_ArgvOnStack_BuiltinExit + 57
    frame #53: 0x00000001014e9e0e node`Builtins_InterpreterEntryTrampoline + 206
    frame #54: 0x00000001014e9e0e node`Builtins_InterpreterEntryTrampoline + 206
    frame #55: 0x00000001014e9e0e node`Builtins_InterpreterEntryTrampoline + 206
    frame #56: 0x00000001014e9e0e node`Builtins_InterpreterEntryTrampoline + 206
    frame #57: 0x00000001014e9e0e node`Builtins_InterpreterEntryTrampoline + 206
    frame #58: 0x00000001014e9e0e node`Builtins_InterpreterEntryTrampoline + 206
    frame #59: 0x00000001014e9e0e node`Builtins_InterpreterEntryTrampoline + 206
    frame #60: 0x00000001014e9e0e node`Builtins_InterpreterEntryTrampoline + 206
    frame #61: 0x00000001014e9e0e node`Builtins_InterpreterEntryTrampoline + 206
    frame #62: 0x00000001014e9e0e node`Builtins_InterpreterEntryTrampoline + 206
    frame #63: 0x00000001014e9e0e node`Builtins_InterpreterEntryTrampoline + 206
    frame #64: 0x00000001014e9e0e node`Builtins_InterpreterEntryTrampoline + 206
    frame #65: 0x00000001014e791b node`Builtins_JSEntryTrampoline + 91
    frame #66: 0x00000001014e7643 node`Builtins_JSEntry + 131
    frame #67: 0x0000000100905db7 node`v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, v8::internal::(anonymous namespace)::InvokeParams const&) [inlined] v8::internal::GeneratedCode<unsigned long, unsigned long, unsigned long, unsigned long, unsigned long, long, unsigned long**>::Call(this=<unavailable>, args=<unavailable>, args=<unavailable>, args=<unavailable>, args=<unavailable>, args=<unavailable>, args=<unavailable>) at simulator.h:152:12 [opt]
    frame #68: 0x0000000100905db5 node`v8::internal::(anonymous namespace)::Invoke(isolate=0x00000001100b0000, params=0x00007ffeefbfe528)::InvokeParams const&) at execution.cc:375 [opt]
    frame #69: 0x0000000100904f7b node`v8::internal::Execution::Call(isolate=0x00000001100b0000, callable=<unavailable>, receiver=<unavailable>, argc=5, argv=0x000000010885b940) at execution.cc:470:10 [opt]
    frame #70: 0x00000001006d4ee3 node`v8::Function::Call(this=0x0000000109095840, context=<unavailable>, recv=(val_ = 0x00000001100b0170), argc=5, argv=<unavailable>) at api.cc:5157:7 [opt]
    frame #71: 0x0000000100151973 node`node::ExecuteBootstrapper(env=0x0000000109097800, id="internal/main/repl", parameters=0x00007ffeefbfe7f8 size=5, arguments=0x00007ffeefbfe7d0 size=5) at node.cc:185:34
    frame #72: 0x0000000100153a7a node`node::StartExecution(env=0x0000000109097800, main_script_id="internal/main/repl") at node.cc:452:7
    frame #73: 0x0000000100153727 node`node::StartExecution(env=0x0000000109097800, cb=node::StartExecutionCallback @ 0x00007ffeefbfea10)>) at node.cc:516:12
    frame #74: 0x000000010000f785 node`node::LoadEnvironment(env=0x0000000109097800, cb=node::StartExecutionCallback @ 0x00007ffeefbfeab0)>) at environment.cc:409:10
    frame #75: 0x0000000100296a79 node`node::NodeMainInstance::Run(this=0x00007ffeefbfebe0, exit_code=0x00007ffeefbfeb2c, env=0x0000000109097800) at node_main_instance.cc:144:5
    frame #76: 0x0000000100296339 node`node::NodeMainInstance::Run(this=0x00007ffeefbfebe0, env_info=0x00007ffeefbfed28) at node_main_instance.cc:138:3
    frame #77: 0x000000010015672e node`node::Start(argc=3, argv=0x00007ffeefbff018) at node.cc:1205:38
    frame #78: 0x0000000101a3d19e node`main(argc=3, argv=0x00007ffeefbff018) at node_main.cc:127:10
    frame #79: 0x00007fff6e9bdcc9 libdyld.dylib`start + 1
    frame #80: 0x00007fff6e9bdcc9 libdyld.dylib`start + 1

How often does it reproduce? Is there a required condition?

I'm modifying Node.js to support loading third-party snapshots.
This happens when you snapshot a JavaScript file:

(function () {
  var re = /./;
  re.exec = function () {
    var result = [];
    result.groups = { a: '7' };
    return result;
  };
  ''.replace(re, '$<a>') !== '7';
  return ''.replace(re, '$<a>') !== '7';
})();

and load the snapshot when Node.js bootstraps.
This also happens with the new user-land snapshots feature.
I added a test case to V8 and did not find this problem:

UNINITIALIZED_TEST(ModifyRegExp) {
  DisableAlwaysOpt();
  DisableEmbeddedBlobRefcounting();
  v8::StartupData blob;
  {
    v8::SnapshotCreator creator;
    v8::Isolate* isolate = creator.GetIsolate();
    {
      v8::HandleScope handle_scope(isolate);
      v8::Local<v8::Context> context = v8::Context::New(isolate);
      v8::Context::Scope context_scope(context);
      CompileRun("var f = function() { return 1; }");
      creator.SetDefaultContext(context);
    }
    {
      v8::HandleScope handle_scope(isolate);
      v8::Local<v8::Context> context = v8::Context::New(isolate);
      v8::Context::Scope context_scope(context);
      CompileRun("var f = function() { return 2; }");
      CompileRun(
        R"(
          (function () {
            var re = /./;
            re.exec = function () {
              var result = [];
              result.groups = { a: '7' };
              return result;
            };
            ''.replace(re, '$<a>') !== '7';
            return ''.replace(re, '$<a>') !== '7';
          })();
        )"
      );

      CHECK_EQ(0u, creator.AddContext(context));
    }
    {
      v8::HandleScope handle_scope(isolate);
      v8::Local<v8::Context> context = v8::Context::New(isolate);
      v8::Context::Scope context_scope(context);
      CHECK_EQ(1u, creator.AddContext(context));
    }
    blob =
        creator.CreateBlob(v8::SnapshotCreator::FunctionCodeHandling::kKeep);
  }

  v8::Isolate::CreateParams params;
  params.snapshot_blob = &blob;
  params.array_buffer_allocator = CcTest::array_buffer_allocator();
  // Test-appropriate equivalent of v8::Isolate::New.
  v8::Isolate* isolate = TestSerializer::NewIsolate(params);
  {
    v8::Isolate::Scope isolate_scope(isolate);
    {
      v8::HandleScope handle_scope(isolate);
      v8::Local<v8::Context> context = v8::Context::New(isolate);
      v8::Context::Scope context_scope(context);
      ExpectInt32("f()", 1);
    }
    {
      v8::HandleScope handle_scope(isolate);
      v8::Local<v8::Context> context =
          v8::Context::FromSnapshot(isolate, 0).ToLocalChecked();
      v8::Context::Scope context_scope(context);
      ExpectInt32("f()", 2);
    }
    {
      v8::HandleScope handle_scope(isolate);
      v8::Local<v8::Context> context =
          v8::Context::FromSnapshot(isolate, 1).ToLocalChecked();
      v8::Context::Scope context_scope(context);
      ExpectUndefined("this.f");
    }
  }

  // int *ptr = nullptr;
  // ptr[1000] = 10;

  isolate->Dispose();
  delete[] blob.data;
  FreeCurrentEmbeddedBlob();
}

test case output:

➜  v8 git:(7bc8680c05) ✗  gm x64.debug  cctest/test-serialize/ModifyRegExp
# autoninja -C out/x64.debug cctest d8
ninja: Entering directory `out/x64.debug'
[3/3] LINK ./cctest
# "/usr/local/bin/python2" tools/run-tests.py --outdir=out/x64.debug cctest/test-serialize/ModifyRegExp 
Build found: /home/ubuntu/code/v8/v8/out/x64.debug
>>> Autodetected:
pointer_compression
pointer_compression_shared_cage
webassembly
>>> Running tests for x64.debug
>>> Running with test processors
[00:03|%   0|+   1|-   0]: Done                              
>>> 7187 base tests produced 1 (0%) non-filtered tests
>>> 1 tests ran
Done! - V8 compilation finished successfully.

It seems that this is a Node.js issue.

What is the expected behavior?

No response

What do you see instead?

No response

Additional information

No response
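The snapshotted snippet above exercises named-group substitution through a user-supplied exec(). As an added example (not code from the report, Node.js or V8; the function names are mine), the following puts that case beside the ordinary outcomes of a "$<name>" replacement pattern, so the value the snippet compares against '7' can be checked directly.

```javascript
// Added example, not part of the original issue. Per RegExp.prototype[Symbol.replace],
// the replacer takes whatever object exec() returned, reads its "groups" property and
// hands it to GetSubstitution, which is what makes "$<a>" resolve even though the
// regexp /./ declares no named group at all.

// Case 1: the exact shape from the report. exec() is overridden to return an
// empty array carrying a synthetic groups object, so "$<a>" resolves to "7".
// (result[0] is undefined, so the "match" is the 9-character string "undefined"
// starting at position 0, which is why the empty input string collapses to "7".)
function replaceWithCustomExec() {
  const re = /./;
  re.exec = function () {
    const result = [];
    result.groups = { a: '7' };
    return result;
  };
  return ''.replace(re, '$<a>');
}

// Case 2: a regexp with no named groups. groups is undefined, so "$<a>" is not a
// substitution and is copied literally into the output.
function replaceWithoutNamedGroups() {
  return 'abc'.replace(/./, '$<a>');
}

// Case 3: the regexp declares a named group, but not the one referenced. groups
// exists, the lookup of "a" yields undefined, and the reference becomes "".
function replaceWithMissingGroupName() {
  return 'abc'.replace(/(?<x>.)/, '$<a>');
}

// Case 4: the ordinary path, where the referenced group name is present.
function replaceWithMatchingGroupName() {
  return 'abc'.replace(/(?<x>.)/, '[$<x>]');
}

// Stand-alone run: prints the four outcomes side by side.
console.log({
  customExec: replaceWithCustomExec(),          // '7'
  noNamedGroups: replaceWithoutNamedGroups(),    // '$<a>bc'
  missingName: replaceWithMissingGroupName(),    // 'bc'
  matchingName: replaceWithMatchingGroupName(),  // '[a]bc'
});
```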

@Mesteery Mesteery added build Issues and PRs related to build files or the CI. macos Issues and PRs related to the macOS platform / OSX. snapshot Issues and PRs related to the startup snapshot labels Nov 17, 2021
@targos
Member

targos commented Nov 21, 2021

@joyeecheung

@caijw
Author

caijw commented Nov 22, 2021

#38905 (comment)
#38905 (comment)

Need to report an issue to V8.

@joyeecheung
Member

joyeecheung commented Mar 28, 2022

This is tracked in V8 as https://bugs.chromium.org/p/v8/issues/detail?id=12718 - it appears that there is a mismatch when the snapshot is de/serialized, so a ScopeInfo gets corrupted (apart from that, some strings in the constant pools of certain bytecodes are corrupted too) and causes the crash - I am currently tracing down where that mismatch is coming from (aside: #42466 still reproduces this error when the snippet is built into the embedded snapshot, so that rules out issues with file I/O)

@joyeecheung
Member

joyeecheung commented Jun 10, 2022

FYI I've confirmed that https://chromium-review.googlesource.com/c/v8/v8/+/3616553 can fix this, though I reverted it soon after landing it due to another memory corruption that seems to be reproducible only with Chromium (which I am trying to fix...).

@goloveychuk

goloveychuk commented Jun 14, 2022

I've applied your fix as a patch to current master and can confirm that it fixes the segfault with the above trace.
But I've found that when I run my script, sometimes (30% of the time) I get
[1] 45882 bus error ./node ./test.js
Before the patch I had either a bus error or a segfault, mostly the segfault.
Here are the traces:

(lldb) run
Process 46281 launched: '/Users/vadymh/github/node/node_g' (x86_64)
{ migrate: [Getter] }
Process 46281 exited with status = 0 (0x00000000)
(lldb) run
Process 47117 launched: '/Users/vadymh/github/node/node_g' (x86_64)
Process 47117 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=2, address=0x11740d909)
    frame #0: 0x000000010197ed8b node_g`long std::__1::__libcpp_atomic_refcount_increment<long>(__t=0x000000011740d909) at shared_ptr.h:110:12
   107 	__libcpp_atomic_refcount_increment(_Tp& __t) _NOEXCEPT
   108 	{
   109 	#if defined(_LIBCPP_HAS_BUILTIN_ATOMIC_SUPPORT) && !defined(_LIBCPP_HAS_NO_THREADS)
-> 110 	    return __atomic_add_fetch(&__t, 1, __ATOMIC_RELAXED);
   111 	#else
   112 	    return __t += 1;
   113 	#endif
Target 0: (node_g) stopped.
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=2, address=0x11740d909)
  * frame #0: 0x000000010197ed8b node_g`long std::__1::__libcpp_atomic_refcount_increment<long>(__t=0x000000011740d909) at shared_ptr.h:110:12
    frame #1: 0x000000010197ed69 node_g`std::__1::__shared_count::__add_shared(this=0x000000011740d901) at shared_ptr.h:172:7
    frame #2: 0x000000010197ed45 node_g`std::__1::__shared_weak_count::__add_shared(this=0x000000011740d901) at shared_ptr.h:211:23
    frame #3: 0x000000010197ed26 node_g`std::__1::shared_ptr<v8::internal::BackingStore>::shared_ptr(this=0x00007ff7bfef14b0, __r=std::__1::shared_ptr<v8::internal::BackingStore>::element_type @ 0x000008c5ea7cfc31 strong=2954361393226499127 weak=7566047411653886996) at shared_ptr.h:850:19
    frame #4: 0x0000000101966abd node_g`std::__1::shared_ptr<v8::internal::BackingStore>::shared_ptr(this=0x00007ff7bfef14b0, __r=std::__1::shared_ptr<v8::internal::BackingStore>::element_type @ 0x000008c5ea7cfc31 strong=2954361393226499127 weak=7566047411653886996) at shared_ptr.h:848:1
    frame #5: 0x000000010196f7fa node_g`v8::internal::Deserializer<v8::internal::Isolate>::PostProcessNewJSReceiver(this=0x00007ff7bfefe5d0, map=Map @ 0x00007ff7bfef1568, obj=Handle<v8::internal::JSReceiver> @ 0x00007ff7bfef1560, raw_obj=JSReceiver @ 0x00007ff7bfef1558, instance_type=JS_TYPED_ARRAY_TYPE, space=kOld) at deserializer.cc:438:28
    frame #6: 0x000000010196ece9 node_g`v8::internal::Deserializer<v8::internal::Isolate>::PostProcessNewObject(this=0x00007ff7bfefe5d0, map=Handle<v8::internal::Map> @ 0x00007ff7bfef17b8, obj=Handle<v8::internal::HeapObject> @ 0x00007ff7bfef17b0, space=kOld) at deserializer.cc:557:12
    frame #7: 0x0000000101965efa node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadObject(this=0x00007ff7bfefe5d0, space=kOld) at deserializer.cc:710:3
    frame #8: 0x00000001019696ce node_g`int v8::internal::Deserializer<v8::internal::Isolate>::ReadSingleBytecodeData<v8::internal::SlotAccessorForHeapObject>(this=0x00007ff7bfefe5d0, data='\x01', slot_accessor=SlotAccessorForHeapObject @ 0x00007ff7bfef1de8) at deserializer.cc:938:40
    frame #9: 0x00000001019695ea node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadData(this=0x00007ff7bfefe5d0, object=Handle<v8::internal::HeapObject> @ 0x00007ff7bfef1e58, start_slot_index=1, end_slot_index=40) at deserializer.cc:908:16
    frame #10: 0x0000000101965ec4 node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadObject(this=0x00007ff7bfefe5d0, space=kOld) at deserializer.cc:709:3
    frame #11: 0x00000001019696ce node_g`int v8::internal::Deserializer<v8::internal::Isolate>::ReadSingleBytecodeData<v8::internal::SlotAccessorForHeapObject>(this=0x00007ff7bfefe5d0, data='\x01', slot_accessor=SlotAccessorForHeapObject @ 0x00007ff7bfef2488) at deserializer.cc:938:40
    frame #12: 0x00000001019695ea node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadData(this=0x00007ff7bfefe5d0, object=Handle<v8::internal::HeapObject> @ 0x00007ff7bfef24f8, start_slot_index=1, end_slot_index=6) at deserializer.cc:908:16
    frame #13: 0x0000000101965ec4 node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadObject(this=0x00007ff7bfefe5d0, space=kOld) at deserializer.cc:709:3
    frame #14: 0x00000001019696ce node_g`int v8::internal::Deserializer<v8::internal::Isolate>::ReadSingleBytecodeData<v8::internal::SlotAccessorForHeapObject>(this=0x00007ff7bfefe5d0, data='\x01', slot_accessor=SlotAccessorForHeapObject @ 0x00007ff7bfef2b28) at deserializer.cc:938:40
    frame #15: 0x00000001019695ea node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadData(this=0x00007ff7bfefe5d0, object=Handle<v8::internal::HeapObject> @ 0x00007ff7bfef2b98, start_slot_index=1, end_slot_index=8) at deserializer.cc:908:16
    frame #16: 0x0000000101965ec4 node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadObject(this=0x00007ff7bfefe5d0, space=kOld) at deserializer.cc:709:3
    frame #17: 0x00000001019696ce node_g`int v8::internal::Deserializer<v8::internal::Isolate>::ReadSingleBytecodeData<v8::internal::SlotAccessorForHeapObject>(this=0x00007ff7bfefe5d0, data='\x01', slot_accessor=SlotAccessorForHeapObject @ 0x00007ff7bfef31c8) at deserializer.cc:938:40
    frame #18: 0x00000001019695ea node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadData(this=0x00007ff7bfefe5d0, object=Handle<v8::internal::HeapObject> @ 0x00007ff7bfef3238, start_slot_index=1, end_slot_index=52) at deserializer.cc:908:16
    frame #19: 0x0000000101965ec4 node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadObject(this=0x00007ff7bfefe5d0, space=kOld) at deserializer.cc:709:3
    frame #20: 0x00000001019696ce node_g`int v8::internal::Deserializer<v8::internal::Isolate>::ReadSingleBytecodeData<v8::internal::SlotAccessorForHeapObject>(this=0x00007ff7bfefe5d0, data='\x01', slot_accessor=SlotAccessorForHeapObject @ 0x00007ff7bfef3868) at deserializer.cc:938:40
    frame #21: 0x00000001019695ea node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadData(this=0x00007ff7bfefe5d0, object=Handle<v8::internal::HeapObject> @ 0x00007ff7bfef38d8, start_slot_index=1, end_slot_index=8) at deserializer.cc:908:16
    frame #22: 0x0000000101965ec4 node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadObject(this=0x00007ff7bfefe5d0, space=kOld) at deserializer.cc:709:3
    frame #23: 0x00000001019696ce node_g`int v8::internal::Deserializer<v8::internal::Isolate>::ReadSingleBytecodeData<v8::internal::SlotAccessorForHeapObject>(this=0x00007ff7bfefe5d0, data='\x01', slot_accessor=SlotAccessorForHeapObject @ 0x00007ff7bfef3f08) at deserializer.cc:938:40
    frame #24: 0x00000001019695ea node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadData(this=0x00007ff7bfefe5d0, object=Handle<v8::internal::HeapObject> @ 0x00007ff7bfef3f78, start_slot_index=1, end_slot_index=7) at deserializer.cc:908:16
    frame #25: 0x0000000101965ec4 node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadObject(this=0x00007ff7bfefe5d0, space=kOld) at deserializer.cc:709:3
    frame #26: 0x00000001019696ce node_g`int v8::internal::Deserializer<v8::internal::Isolate>::ReadSingleBytecodeData<v8::internal::SlotAccessorForHeapObject>(this=0x00007ff7bfefe5d0, data='\x01', slot_accessor=SlotAccessorForHeapObject @ 0x00007ff7bfef45a8) at deserializer.cc:938:40
    frame #27: 0x00000001019695ea node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadData(this=0x00007ff7bfefe5d0, object=Handle<v8::internal::HeapObject> @ 0x00007ff7bfef4618, start_slot_index=1, end_slot_index=4) at deserializer.cc:908:16
    frame #28: 0x0000000101965ec4 node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadObject(this=0x00007ff7bfefe5d0, space=kOld) at deserializer.cc:709:3
    frame #29: 0x00000001019696ce node_g`int v8::internal::Deserializer<v8::internal::Isolate>::ReadSingleBytecodeData<v8::internal::SlotAccessorForHeapObject>(this=0x00007ff7bfefe5d0, data='\x01', slot_accessor=SlotAccessorForHeapObject @ 0x00007ff7bfef4c48) at deserializer.cc:938:40
    frame #30: 0x00000001019695ea node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadData(this=0x00007ff7bfefe5d0, object=Handle<v8::internal::HeapObject> @ 0x00007ff7bfef4cb8, start_slot_index=1, end_slot_index=6) at deserializer.cc:908:16
    frame #31: 0x0000000101965ec4 node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadObject(this=0x00007ff7bfefe5d0, space=kOld) at deserializer.cc:709:3
    frame #32: 0x00000001019696ce node_g`int v8::internal::Deserializer<v8::internal::Isolate>::ReadSingleBytecodeData<v8::internal::SlotAccessorForHeapObject>(this=0x00007ff7bfefe5d0, data='\x01', slot_accessor=SlotAccessorForHeapObject @ 0x00007ff7bfef52e8) at deserializer.cc:938:40
    frame #33: 0x00000001019695ea node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadData(this=0x00007ff7bfefe5d0, object=Handle<v8::internal::HeapObject> @ 0x00007ff7bfef5358, start_slot_index=1, end_slot_index=8) at deserializer.cc:908:16
    frame #34: 0x0000000101965ec4 node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadObject(this=0x00007ff7bfefe5d0, space=kOld) at deserializer.cc:709:3
    frame #35: 0x00000001019696ce node_g`int v8::internal::Deserializer<v8::internal::Isolate>::ReadSingleBytecodeData<v8::internal::SlotAccessorForHeapObject>(this=0x00007ff7bfefe5d0, data='\x01', slot_accessor=SlotAccessorForHeapObject @ 0x00007ff7bfef5988) at deserializer.cc:938:40
    frame #36: 0x00000001019695ea node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadData(this=0x00007ff7bfefe5d0, object=Handle<v8::internal::HeapObject> @ 0x00007ff7bfef59f8, start_slot_index=1, end_slot_index=1766) at deserializer.cc:908:16
    frame #37: 0x0000000101965ec4 node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadObject(this=0x00007ff7bfefe5d0, space=kOld) at deserializer.cc:709:3
    frame #38: 0x00000001019696ce node_g`int v8::internal::Deserializer<v8::internal::Isolate>::ReadSingleBytecodeData<v8::internal::SlotAccessorForHeapObject>(this=0x00007ff7bfefe5d0, data='\x01', slot_accessor=SlotAccessorForHeapObject @ 0x00007ff7bfef6028) at deserializer.cc:938:40
    frame #39: 0x00000001019695ea node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadData(this=0x00007ff7bfefe5d0, object=Handle<v8::internal::HeapObject> @ 0x00007ff7bfef6098, start_slot_index=1, end_slot_index=5) at deserializer.cc:908:16
    frame #40: 0x0000000101965ec4 node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadObject(this=0x00007ff7bfefe5d0, space=kOld) at deserializer.cc:709:3
    frame #41: 0x00000001019696ce node_g`int v8::internal::Deserializer<v8::internal::Isolate>::ReadSingleBytecodeData<v8::internal::SlotAccessorForHeapObject>(this=0x00007ff7bfefe5d0, data='\x01', slot_accessor=SlotAccessorForHeapObject @ 0x00007ff7bfef66c8) at deserializer.cc:938:40
    frame #42: 0x00000001019695ea node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadData(this=0x00007ff7bfefe5d0, object=Handle<v8::internal::HeapObject> @ 0x00007ff7bfef6738, start_slot_index=1, end_slot_index=5) at deserializer.cc:908:16
    frame #43: 0x0000000101965ec4 node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadObject(this=0x00007ff7bfefe5d0, space=kOld) at deserializer.cc:709:3
    frame #44: 0x00000001019696ce node_g`int v8::internal::Deserializer<v8::internal::Isolate>::ReadSingleBytecodeData<v8::internal::SlotAccessorForHeapObject>(this=0x00007ff7bfefe5d0, data='\x01', slot_accessor=SlotAccessorForHeapObject @ 0x00007ff7bfef6d68) at deserializer.cc:938:40
    frame #45: 0x00000001019695ea node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadData(this=0x00007ff7bfefe5d0, object=Handle<v8::internal::HeapObject> @ 0x00007ff7bfef6dd8, start_slot_index=1, end_slot_index=7) at deserializer.cc:908:16
    frame #46: 0x0000000101965ec4 node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadObject(this=0x00007ff7bfefe5d0, space=kOld) at deserializer.cc:709:3
    frame #47: 0x00000001019696ce node_g`int v8::internal::Deserializer<v8::internal::Isolate>::ReadSingleBytecodeData<v8::internal::SlotAccessorForHeapObject>(this=0x00007ff7bfefe5d0, data='\x01', slot_accessor=SlotAccessorForHeapObject @ 0x00007ff7bfef7408) at deserializer.cc:938:40
    frame #48: 0x00000001019695ea node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadData(this=0x00007ff7bfefe5d0, object=Handle<v8::internal::HeapObject> @ 0x00007ff7bfef7478, start_slot_index=1, end_slot_index=3) at deserializer.cc:908:16
    frame #49: 0x0000000101965ec4 node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadObject(this=0x00007ff7bfefe5d0, space=kOld) at deserializer.cc:709:3
    frame #50: 0x00000001019696ce node_g`int v8::internal::Deserializer<v8::internal::Isolate>::ReadSingleBytecodeData<v8::internal::SlotAccessorForHeapObject>(this=0x00007ff7bfefe5d0, data='\x01', slot_accessor=SlotAccessorForHeapObject @ 0x00007ff7bfef7aa8) at deserializer.cc:938:40
    frame #51: 0x00000001019695ea node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadData(this=0x00007ff7bfefe5d0, object=Handle<v8::internal::HeapObject> @ 0x00007ff7bfef7b18, start_slot_index=1, end_slot_index=1101) at deserializer.cc:908:16
    frame #52: 0x0000000101965ec4 node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadObject(this=0x00007ff7bfefe5d0, space=kOld) at deserializer.cc:709:3
    frame #53: 0x00000001019696ce node_g`int v8::internal::Deserializer<v8::internal::Isolate>::ReadSingleBytecodeData<v8::internal::SlotAccessorForHeapObject>(this=0x00007ff7bfefe5d0, data='\x01', slot_accessor=SlotAccessorForHeapObject @ 0x00007ff7bfef8148) at deserializer.cc:938:40
    frame #54: 0x00000001019695ea node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadData(this=0x00007ff7bfefe5d0, object=Handle<v8::internal::HeapObject> @ 0x00007ff7bfef81b8, start_slot_index=1, end_slot_index=9) at deserializer.cc:908:16
    frame #55: 0x0000000101965ec4 node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadObject(this=0x00007ff7bfefe5d0, space=kMap) at deserializer.cc:709:3
    frame #56: 0x00000001019696ce node_g`int v8::internal::Deserializer<v8::internal::Isolate>::ReadSingleBytecodeData<v8::internal::SlotAccessorForHeapObject>(this=0x00007ff7bfefe5d0, data='\x03', slot_accessor=SlotAccessorForHeapObject @ 0x00007ff7bfef87e8) at deserializer.cc:938:40
    frame #57: 0x00000001019695ea node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadData(this=0x00007ff7bfefe5d0, object=Handle<v8::internal::HeapObject> @ 0x00007ff7bfef8858, start_slot_index=1, end_slot_index=8) at deserializer.cc:908:16
    frame #58: 0x0000000101965ec4 node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadObject(this=0x00007ff7bfefe5d0, space=kOld) at deserializer.cc:709:3
    frame #59: 0x00000001019696ce node_g`int v8::internal::Deserializer<v8::internal::Isolate>::ReadSingleBytecodeData<v8::internal::SlotAccessorForHeapObject>(this=0x00007ff7bfefe5d0, data='\x01', slot_accessor=SlotAccessorForHeapObject @ 0x00007ff7bfef8e88) at deserializer.cc:938:40
    frame #60: 0x00000001019695ea node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadData(this=0x00007ff7bfefe5d0, object=Handle<v8::internal::HeapObject> @ 0x00007ff7bfef8ef8, start_slot_index=1, end_slot_index=9) at deserializer.cc:908:16
    frame #61: 0x0000000101965ec4 node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadObject(this=0x00007ff7bfefe5d0, space=kMap) at deserializer.cc:709:3
    frame #62: 0x00000001019696ce node_g`int v8::internal::Deserializer<v8::internal::Isolate>::ReadSingleBytecodeData<v8::internal::SlotAccessorForHeapObject>(this=0x00007ff7bfefe5d0, data='\x03', slot_accessor=SlotAccessorForHeapObject @ 0x00007ff7bfef9528) at deserializer.cc:938:40
    frame #63: 0x00000001019695ea node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadData(this=0x00007ff7bfefe5d0, object=Handle<v8::internal::HeapObject> @ 0x00007ff7bfef9598, start_slot_index=1, end_slot_index=7) at deserializer.cc:908:16
    frame #64: 0x0000000101965ec4 node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadObject(this=0x00007ff7bfefe5d0, space=kOld) at deserializer.cc:709:3
    frame #65: 0x00000001019696ce node_g`int v8::internal::Deserializer<v8::internal::Isolate>::ReadSingleBytecodeData<v8::internal::SlotAccessorForHeapObject>(this=0x00007ff7bfefe5d0, data='\x01', slot_accessor=SlotAccessorForHeapObject @ 0x00007ff7bfef9bc8) at deserializer.cc:938:40
    frame #66: 0x00000001019695ea node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadData(this=0x00007ff7bfefe5d0, object=Handle<v8::internal::HeapObject> @ 0x00007ff7bfef9c38, start_slot_index=1, end_slot_index=9) at deserializer.cc:908:16
    frame #67: 0x0000000101965ec4 node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadObject(this=0x00007ff7bfefe5d0, space=kMap) at deserializer.cc:709:3
    frame #68: 0x0000000101966e0f node_g`int v8::internal::Deserializer<v8::internal::Isolate>::ReadSingleBytecodeData<v8::internal::SlotAccessorForHandle<v8::internal::Isolate> >(this=0x00007ff7bfefe5d0, data='\x03', slot_accessor=SlotAccessorForHandle<v8::internal::Isolate> @ 0x00007ff7bfefa268) at deserializer.cc:938:40
    frame #69: 0x0000000101966d2d node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadObject(this=0x00007ff7bfefe5d0) at deserializer.cc:601:3
    frame #70: 0x000000010196594c node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadObject(this=0x00007ff7bfefe5d0, space=kOld) at deserializer.cc:631:39
    frame #71: 0x00000001019696ce node_g`int v8::internal::Deserializer<v8::internal::Isolate>::ReadSingleBytecodeData<v8::internal::SlotAccessorForHeapObject>(this=0x00007ff7bfefe5d0, data='\x01', slot_accessor=SlotAccessorForHeapObject @ 0x00007ff7bfefa8f8) at deserializer.cc:938:40
    frame #72: 0x00000001019695ea node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadData(this=0x00007ff7bfefe5d0, object=Handle<v8::internal::HeapObject> @ 0x00007ff7bfefa968, start_slot_index=1, end_slot_index=9) at deserializer.cc:908:16
    frame #73: 0x0000000101965ec4 node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadObject(this=0x00007ff7bfefe5d0, space=kMap) at deserializer.cc:709:3
    frame #74: 0x0000000101966e0f node_g`int v8::internal::Deserializer<v8::internal::Isolate>::ReadSingleBytecodeData<v8::internal::SlotAccessorForHandle<v8::internal::Isolate> >(this=0x00007ff7bfefe5d0, data='\x03', slot_accessor=SlotAccessorForHandle<v8::internal::Isolate> @ 0x00007ff7bfefaf98) at deserializer.cc:938:40
    frame #75: 0x0000000101966d2d node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadObject(this=0x00007ff7bfefe5d0) at deserializer.cc:601:3
    frame #76: 0x000000010196594c node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadObject(this=0x00007ff7bfefe5d0, space=kOld) at deserializer.cc:631:39
    frame #77: 0x00000001019696ce node_g`int v8::internal::Deserializer<v8::internal::Isolate>::ReadSingleBytecodeData<v8::internal::SlotAccessorForHeapObject>(this=0x00007ff7bfefe5d0, data='\x01', slot_accessor=SlotAccessorForHeapObject @ 0x00007ff7bfefb628) at deserializer.cc:938:40
    frame #78: 0x00000001019695ea node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadData(this=0x00007ff7bfefe5d0, object=Handle<v8::internal::HeapObject> @ 0x00007ff7bfefb698, start_slot_index=1, end_slot_index=9) at deserializer.cc:908:16
    frame #79: 0x0000000101965ec4 node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadObject(this=0x00007ff7bfefe5d0, space=kMap) at deserializer.cc:709:3
    frame #80: 0x0000000101966e0f node_g`int v8::internal::Deserializer<v8::internal::Isolate>::ReadSingleBytecodeData<v8::internal::SlotAccessorForHandle<v8::internal::Isolate> >(this=0x00007ff7bfefe5d0, data='\x03', slot_accessor=SlotAccessorForHandle<v8::internal::Isolate> @ 0x00007ff7bfefbcc8) at deserializer.cc:938:40
    frame #81: 0x0000000101966d2d node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadObject(this=0x00007ff7bfefe5d0) at deserializer.cc:601:3
    frame #82: 0x000000010196594c node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadObject(this=0x00007ff7bfefe5d0, space=kOld) at deserializer.cc:631:39
    frame #83: 0x00000001019696ce node_g`int v8::internal::Deserializer<v8::internal::Isolate>::ReadSingleBytecodeData<v8::internal::SlotAccessorForHeapObject>(this=0x00007ff7bfefe5d0, data='\x01', slot_accessor=SlotAccessorForHeapObject @ 0x00007ff7bfefc358) at deserializer.cc:938:40
    frame #84: 0x00000001019695ea node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadData(this=0x00007ff7bfefe5d0, object=Handle<v8::internal::HeapObject> @ 0x00007ff7bfefc3c8, start_slot_index=1, end_slot_index=9) at deserializer.cc:908:16
    frame #85: 0x0000000101965ec4 node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadObject(this=0x00007ff7bfefe5d0, space=kMap) at deserializer.cc:709:3
    frame #86: 0x0000000101966e0f node_g`int v8::internal::Deserializer<v8::internal::Isolate>::ReadSingleBytecodeData<v8::internal::SlotAccessorForHandle<v8::internal::Isolate> >(this=0x00007ff7bfefe5d0, data='\x03', slot_accessor=SlotAccessorForHandle<v8::internal::Isolate> @ 0x00007ff7bfefc9f8) at deserializer.cc:938:40
    frame #87: 0x0000000101966d2d node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadObject(this=0x00007ff7bfefe5d0) at deserializer.cc:601:3
    frame #88: 0x000000010196594c node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadObject(this=0x00007ff7bfefe5d0, space=kOld) at deserializer.cc:631:39
    frame #89: 0x00000001019696ce node_g`int v8::internal::Deserializer<v8::internal::Isolate>::ReadSingleBytecodeData<v8::internal::SlotAccessorForHeapObject>(this=0x00007ff7bfefe5d0, data='\x01', slot_accessor=SlotAccessorForHeapObject @ 0x00007ff7bfefd088) at deserializer.cc:938:40
    frame #90: 0x00000001019695ea node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadData(this=0x00007ff7bfefe5d0, object=Handle<v8::internal::HeapObject> @ 0x00007ff7bfefd0f8, start_slot_index=1, end_slot_index=9) at deserializer.cc:908:16
    frame #91: 0x0000000101965ec4 node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadObject(this=0x00007ff7bfefe5d0, space=kMap) at deserializer.cc:709:3
    frame #92: 0x0000000101966e0f node_g`int v8::internal::Deserializer<v8::internal::Isolate>::ReadSingleBytecodeData<v8::internal::SlotAccessorForHandle<v8::internal::Isolate> >(this=0x00007ff7bfefe5d0, data='\x03', slot_accessor=SlotAccessorForHandle<v8::internal::Isolate> @ 0x00007ff7bfefd728) at deserializer.cc:938:40
    frame #93: 0x0000000101966d2d node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadObject(this=0x00007ff7bfefe5d0) at deserializer.cc:601:3
    frame #94: 0x000000010196594c node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadObject(this=0x00007ff7bfefe5d0, space=kOld) at deserializer.cc:631:39
    frame #95: 0x00000001019696ce node_g`int v8::internal::Deserializer<v8::internal::Isolate>::ReadSingleBytecodeData<v8::internal::SlotAccessorForHeapObject>(this=0x00007ff7bfefe5d0, data='\x01', slot_accessor=SlotAccessorForHeapObject @ 0x00007ff7bfefddb8) at deserializer.cc:938:40
    frame #96: 0x00000001019695ea node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadData(this=0x00007ff7bfefe5d0, object=Handle<v8::internal::HeapObject> @ 0x00007ff7bfefde28, start_slot_index=1, end_slot_index=274) at deserializer.cc:908:16
    frame #97: 0x0000000101965ec4 node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadObject(this=0x00007ff7bfefe5d0, space=kOld) at deserializer.cc:709:3
    frame #98: 0x0000000101966e0f node_g`int v8::internal::Deserializer<v8::internal::Isolate>::ReadSingleBytecodeData<v8::internal::SlotAccessorForHandle<v8::internal::Isolate> >(this=0x00007ff7bfefe5d0, data='\x01', slot_accessor=SlotAccessorForHandle<v8::internal::Isolate> @ 0x00007ff7bfefe458) at deserializer.cc:938:40
    frame #99: 0x0000000101966d2d node_g`v8::internal::Deserializer<v8::internal::Isolate>::ReadObject(this=0x00007ff7bfefe5d0) at deserializer.cc:601:3
    frame #100: 0x000000010195b7d2 node_g`v8::internal::ContextDeserializer::Deserialize(this=0x00007ff7bfefe5d0, isolate=0x000000010f9ab000, global_proxy=Handle<v8::internal::JSGlobalProxy> @ 0x00007ff7bfefe570, embedder_fields_deserializer=v8::DeserializeEmbedderFieldsCallback @ 0x00007ff7bfefe560) at context-deserializer.cc:46:14
    frame #101: 0x000000010195b618 node_g`v8::internal::ContextDeserializer::DeserializeContext(isolate=0x000000010f9ab000, data=0x00007ff7bfefe840, can_rehash=true, global_proxy=Handle<v8::internal::JSGlobalProxy> @ 0x00007ff7bfefe7c0, embedder_fields_deserializer=v8::DeserializeEmbedderFieldsCallback @ 0x00007ff7bfefe7b0) at context-deserializer.cc:24:9
    frame #102: 0x00000001019cf33a node_g`v8::internal::Snapshot::NewContextFromSnapshot(isolate=0x000000010f9ab000, global_proxy=Handle<v8::internal::JSGlobalProxy> @ 0x00007ff7bfefe8e0, context_index=2, embedder_fields_deserializer=v8::DeserializeEmbedderFieldsCallback @ 0x00007ff7bfefe8d0) at snapshot.cc:210:39
    frame #103: 0x0000000101081dfd node_g`v8::internal::Genesis::Genesis(this=0x00007ff7bfefed18, isolate=0x000000010f9ab000, maybe_global_proxy=MaybeHandle<v8::internal::JSGlobalProxy> @ 0x00007ff7bfefec48, global_proxy_template=(val_ = 0x0000000000000000), context_snapshot_index=2, embedder_fields_deserializer=v8::DeserializeEmbedderFieldsCallback @ 0x00007ff7bfefec60, microtask_queue=0x0000000000000000) at bootstrapper.cc:6329:9
    frame #104: 0x0000000101049ee1 node_g`v8::internal::Genesis::Genesis(this=0x00007ff7bfefed18, isolate=0x000000010f9ab000, maybe_global_proxy=MaybeHandle<v8::internal::JSGlobalProxy> @ 0x00007ff7bfefec98, global_proxy_template=(val_ = 0x0000000000000000), context_snapshot_index=2, embedder_fields_deserializer=v8::DeserializeEmbedderFieldsCallback @ 0x00007ff7bfefecb0, microtask_queue=0x0000000000000000) at bootstrapper.cc:6291:59
    frame #105: 0x0000000101049d93 node_g`v8::internal::Bootstrapper::CreateEnvironment(this=0x0000600000221120, maybe_global_proxy=MaybeHandle<v8::internal::JSGlobalProxy> @ 0x00007ff7bfefed90, global_proxy_template=(val_ = 0x0000000000000000), extensions=0x00007ff7bfeff190, context_snapshot_index=2, embedder_fields_deserializer=v8::DeserializeEmbedderFieldsCallback @ 0x00007ff7bfefedb0, microtask_queue=0x0000000000000000) at bootstrapper.cc:330:13
    frame #106: 0x000000010078d0e8 node_g`v8::InvokeBootstrapper<v8::internal::Context>::Invoke(this=0x00007ff7bfefef28, isolate=0x000000010f9ab000, maybe_global_proxy=MaybeHandle<v8::internal::JSGlobalProxy> @ 0x00007ff7bfefee10, global_proxy_template=(val_ = 0x0000000000000000), extensions=0x00007ff7bfeff190, context_snapshot_index=2, embedder_fields_deserializer=DeserializeInternalFieldsCallback @ 0x00007ff7bfefee30, microtask_queue=0x0000000000000000) at api.cc:6235:37
    frame #107: 0x000000010073bd21 node_g`v8::internal::Handle<v8::internal::Context> v8::CreateEnvironment<v8::internal::Context>(isolate=0x000000010f9ab000, extensions=0x00007ff7bfeff190, maybe_global_template=(val_ = 0x0000000000000000), maybe_global_proxy=(val_ = 0x0000000000000000), context_snapshot_index=2, embedder_fields_deserializer=DeserializeInternalFieldsCallback @ 0x00007ff7bfeff130, microtask_queue=0x0000000000000000) at api.cc:6337:21
    frame #108: 0x000000010073b541 node_g`v8::NewContext(external_isolate=0x000000010f9ab000, extensions=0x00007ff7bfeff190, global_template=(val_ = 0x0000000000000000), global_object=(val_ = 0x0000000000000000), context_snapshot_index=2, embedder_fields_deserializer=DeserializeInternalFieldsCallback @ 0x00007ff7bfeff210, microtask_queue=0x0000000000000000) at api.cc:6378:31
    frame #109: 0x000000010073c148 node_g`v8::Context::FromSnapshot(external_isolate=0x000000010f9ab000, context_snapshot_index=1, embedder_fields_deserializer=DeserializeInternalFieldsCallback @ 0x00007ff7bfeff288, extensions=0x0000000000000000, global_object=(val_ = 0x0000000000000000), microtask_queue=0x0000000000000000) at api.cc:6410:10
    frame #110: 0x00000001002ec864 node_g`node::NodeMainInstance::CreateMainEnvironment(this=0x00007ff7bfeff4f0, exit_code=0x00007ff7bfeff484) at node_main_instance.cc:186:15
    frame #111: 0x00000001002ec60b node_g`node::NodeMainInstance::Run(this=0x00007ff7bfeff4f0) at node_main_instance.cc:128:7
    frame #112: 0x00000001001b76b8 node_g`node::Start(argc=2, argv=0x00007ff7bfeff708) at node.cc:1204:38
    frame #113: 0x000000010282b228 node_g`main(argc=2, argv=0x00007ff7bfeff708) at node_main.cc:127:10
    frame #114: 0x000000010f7a14fe dyld`start + 462

I cannot provide a minimal example (it's 20 MB of JS).

Also, if you're interested, here are benchmarks of evaluating a 20 MB file (they are different Node versions, but still):

github/node   master ±  hyperfine -i 'node ./marked.js'
Benchmark 1: node ./marked.js
  Time (mean ± σ):      1.708 s ±  0.043 s    [User: 1.778 s, System: 0.127 s]
  Range (min … max):    1.661 s …  1.798 s    10 runs

 github/node   master ±  hyperfine -i './node ./test.js'
Benchmark 1: ./node ./test.js
  Time (mean ± σ):     354.7 ms ±  32.4 ms    [User: 288.7 ms, System: 58.0 ms]
  Range (min … max):   266.4 ms … 380.6 ms    10 runs

@joyeecheung
Member

@goloveychuk Sorry for missing the reply in this thread. From a glance at the stack trace, this looks like a different kind of memory corruption. My instinct is that the store_index read here

uint32_t store_index =
typed_array.GetExternalBackingStoreRefForDeserialization();

might be bogus. Can you open a separate issue for this bug, and mention it in the tracking issue (#44014)? Thanks! I'll be closing this issue since the bug it references should now be fixed by https://chromium-review.googlesource.com/c/v8/v8/+/3793525.
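
An added illustration of the check the maintainer's suspicion points at, written for this thread and not taken from V8 or from anyone's code above: a deserializer that validates a backing-store reference index and view range read out of a blob before dereferencing anything, run against a constructed blob that carries a bogus store_index. The blob layout, the function names, the table sizes and the sample values are all assumptions.

```cpp
#include <cstdint>
#include <vector>

// Constructed model of a deserializer's off-heap backing store table; not V8's code.
struct BackingStore { std::vector<uint8_t> bytes; };

struct TypedArrayRecord {
  uint32_t store_index;  // reference into the backing store table, from the blob
  uint32_t byte_offset;  // view offset inside that store, from the blob
  uint32_t byte_length;  // view length, from the blob
};

enum class Status { kOk, kTruncatedBlob, kBadStoreIndex, kBadRange };

static uint32_t ReadLE32(const uint8_t* p) {
  return uint32_t{p[0]} | (uint32_t{p[1]} << 8) | (uint32_t{p[2]} << 16) |
         (uint32_t{p[3]} << 24);
}

// Parse `count` then count * 3 little-endian uint32 fields, never reading past
// the blob's end: the embedded count is checked against the bytes present.
Status ParseRecords(const std::vector<uint8_t>& blob,
                    std::vector<TypedArrayRecord>* out) {
  if (blob.size() < 4) return Status::kTruncatedBlob;
  uint64_t count = ReadLE32(blob.data());
  if ((blob.size() - 4) / 12 < count) return Status::kTruncatedBlob;
  out->clear();
  for (uint64_t i = 0; i < count; ++i) {
    const uint8_t* p = blob.data() + 4 + i * 12;
    out->push_back({ReadLE32(p), ReadLE32(p + 4), ReadLE32(p + 8)});
  }
  return Status::kOk;
}

// Hardened resolution of a deserialized view. Unchecked, `stores[store_index]` with
// a bogus index is the wild pointer read behind an EXC_BAD_ACCESS like the one above.
Status ResolveTypedArray(const std::vector<BackingStore>& stores,
                         const TypedArrayRecord& record,
                         const uint8_t** data_out) {
  if (record.store_index >= stores.size()) return Status::kBadStoreIndex;
  const BackingStore& store = stores[record.store_index];
  // 64-bit arithmetic so byte_offset + byte_length cannot wrap a uint32_t.
  uint64_t end = uint64_t{record.byte_offset} + record.byte_length;
  if (end > store.bytes.size()) return Status::kBadRange;
  *data_out = store.bytes.data() + record.byte_offset;
  return Status::kOk;
}

// Constructed blob: one valid view, one bogus store_index, one range that wraps.
std::vector<uint8_t> SampleBlob() {
  auto put = [](std::vector<uint8_t>& v, uint32_t x) {
    for (int s = 0; s < 32; s += 8) v.push_back(uint8_t(x >> s));
  };
  std::vector<uint8_t> blob;
  put(blob, 3);
  put(blob, 0); put(blob, 4); put(blob, 8);             // ok: store 0, [4, 12)
  put(blob, 7); put(blob, 0); put(blob, 1);             // bogus store_index 7
  put(blob, 1); put(blob, 0xFFFFFFF0u); put(blob, 32);  // wraps in 32 bits
  return blob;
}

// Number of sample records rejected against a two-entry table (16 and 8 bytes).
int CountRejected() {
  std::vector<BackingStore> stores = {{std::vector<uint8_t>(16)},
                                      {std::vector<uint8_t>(8)}};
  std::vector<TypedArrayRecord> records;
  if (ParseRecords(SampleBlob(), &records) != Status::kOk) return -1;
  int rejected = 0;
  for (const auto& r : records) {
    const uint8_t* data = nullptr;
    if (ResolveTypedArray(stores, r, &data) != Status::kOk) ++rejected;
  }
  return rejected;
}
```

CountRejected() returns 2 for the sample blob: the bogus index and the wrapping range are refused, the valid view resolves.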

@goloveychuk

Not able to reproduce in current master
