FATAL ERROR: v8::Object::GetAlignedPointerFromInternalField() Internal field out of bounds

[romainmenke]

Version

v20.2.0

Platform

Darwin foo.local 22.4.0 Darwin Kernel Version 22.4.0: Mon Mar 6 21:01:02 PST 2023; root:xnu-8796.101.5~3/RELEASE_ARM64_T8112 arm64

Subsystem

No response

What steps will reproduce the bug?

No idea.
This is code I can not share and I don't understand the issue, so I can't create a reproduction.

I am fully aware how useful it is to have reproducible bug, but I really can not provide a reproduction in this case.

I will check internally if the code in question can be made open source so that I can share it.

How often does it reproduce? Is there a required condition?

Intermittent.
Some runs work, others do not.

What is the expected behavior? Why is that the expected behavior?

No Fatal error, segfaults or bus error

What do you see instead?

These errors never happened before on node 18 or lower :

/Users/foo/.volta/tools/image/npm/9.6.7/bin/npm: line 10: 41074 Bus error: 10           node "$basedir/npm-cli.js" "$@"

/Users/foo/.volta/tools/image/npm/9.6.7/bin/npm: line 10: 41225 Segmentation fault: 11  node "$basedir/npm-cli.js" "$@"

FATAL ERROR: v8::Object::GetAlignedPointerFromInternalField() Internal field out of bounds
 1: 0x1048b214c node::Abort() [/Users/foo/.volta/tools/image/node/20.2.0/bin/node]
 2: 0x1048b2238 node::OOMErrorHandler(char const*, v8::OOMDetails const&) [/Users/foo/.volta/tools/image/node/20.2.0/bin/node]
 3: 0x104a4dfe8 v8::InternalFieldOK(v8::internal::Handle<v8::internal::JSReceiver>, int, char const*) [/Users/foo/.volta/tools/image/node/20.2.0/bin/node]
 4: 0x104a4e134 v8::Object::SlowGetAlignedPointerFromInternalField(int) [/Users/foo/.volta/tools/image/node/20.2.0/bin/node]
 5: 0x1049585fc node::wasi::WASI::WasiFunction<unsigned int (*)(node::wasi::WASI&, node::wasi::WasmMemory, unsigned int, unsigned int, unsigned int, unsigned int), &node::wasi::WASI::FdWrite(node::wasi::WASI&, node::wasi::WasmMemory, unsigned int, unsigned int, unsigned int, unsigned int), unsigned int, unsigned int, unsigned int, unsigned int, unsigned int>::FastCallback(v8::Local<v8::Object>, unsigned int, unsigned int, unsigned int, unsigned int, v8::FastApiCallbackOptions&) [/Users/foo/.volta/tools/image/node/20.2.0/bin/node]
 6: 0x16741f29c9cc 
 7: 0x16741f201e0c 
 8: 0x16741f21af40 
 9: 0x16741f200e90 
10: 0x16741f200ca8 
11: 0x16741f202344 
12: 0x16741f203c44 
13: 0x16741f1ff80c 
14: 0x16741f1fc608 
15: 0x16741f0c7a60 
16: 0x16741f0c6444 
17: 0x16741f0c6314 
18: 0x16741f0bf884 
19: 0x16741f0bf708 
20: 0x16741f0bf628 
21: 0x16741f0bef50 
22: 0x10531cf10 Builtins_GenericJSToWasmWrapper [/Users/foo/.volta/tools/image/node/20.2.0/bin/node]
23: 0x10a2dcb2c 
24: 0x10a38ef24 
25: 0x1052d3210 Builtins_AsyncFunctionAwaitResolveClosure [/Users/foo/.volta/tools/image/node/20.2.0/bin/node]
26: 0x105380fb8 Builtins_PromiseFulfillReactionJob [/Users/foo/.volta/tools/image/node/20.2.0/bin/node]
27: 0x1052c2b94 Builtins_RunMicrotasks [/Users/foo/.volta/tools/image/node/20.2.0/bin/node]
28: 0x10529a3f4 Builtins_JSRunMicrotasksEntry [/Users/foo/.volta/tools/image/node/20.2.0/bin/node]
29: 0x104b71124 v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, v8::internal::(anonymous namespace)::InvokeParams const&) [/Users/foo/.volta/tools/image/node/20.2.0/bin/node]
30: 0x104b71610 v8::internal::(anonymous namespace)::InvokeWithTryCatch(v8::internal::Isolate*, v8::internal::(anonymous namespace)::InvokeParams const&) [/Users/foo/.volta/tools/image/node/20.2.0/bin/node]
31: 0x104b717ec v8::internal::Execution::TryRunMicrotasks(v8::internal::Isolate*, v8::internal::MicrotaskQueue*) [/Users/foo/.volta/tools/image/node/20.2.0/bin/node]
32: 0x104b988a8 v8::internal::MicrotaskQueue::RunMicrotasks(v8::internal::Isolate*) [/Users/foo/.volta/tools/image/node/20.2.0/bin/node]
33: 0x104b99044 v8::internal::MicrotaskQueue::PerformCheckpoint(v8::Isolate*) [/Users/foo/.volta/tools/image/node/20.2.0/bin/node]
34: 0x1047e8c64 node::InternalCallbackScope::Close() [/Users/foo/.volta/tools/image/node/20.2.0/bin/node]
35: 0x1047e87c4 node::InternalCallbackScope::~InternalCallbackScope() [/Users/foo/.volta/tools/image/node/20.2.0/bin/node]
36: 0x1049114e8 node::PerIsolatePlatformData::RunForegroundTask(std::__1::unique_ptr<v8::Task, std::__1::default_delete<v8::Task>>) [/Users/foo/.volta/tools/image/node/20.2.0/bin/node]
37: 0x1049101fc node::PerIsolatePlatformData::FlushForegroundTasksInternal() [/Users/foo/.volta/tools/image/node/20.2.0/bin/node]
38: 0x10527a618 uv__async_io [/Users/foo/.volta/tools/image/node/20.2.0/bin/node]
39: 0x10528cbcc uv__io_poll [/Users/foo/.volta/tools/image/node/20.2.0/bin/node]
40: 0x10527aae8 uv_run [/Users/foo/.volta/tools/image/node/20.2.0/bin/node]
41: 0x1047e9754 node::SpinEventLoopInternal(node::Environment*) [/Users/foo/.volta/tools/image/node/20.2.0/bin/node]
42: 0x1048f0124 node::NodeMainInstance::Run() [/Users/foo/.volta/tools/image/node/20.2.0/bin/node]
43: 0x10487e44c node::LoadSnapshotDataAndRun(node::SnapshotData const**, node::InitializationResultImpl const*) [/Users/foo/.volta/tools/image/node/20.2.0/bin/node]
44: 0x10487e76c node::Start(int, char**) [/Users/foo/.volta/tools/image/node/20.2.0/bin/node]
45: 0x19b3e3f28 start [/usr/lib/dyld]
/Users/foo/.volta/tools/image/npm/9.6.7/bin/npm: line 10: 41361 Abort trap: 6           node "$basedir/npm-cli.js" "$@"

Additional information

This is related to WASI

[bnoordhuis]

That likely originates from here (aside: that reinterpret_cast should probably be static_cast):

node/src/node_wasi.cc

Line 246 in 92a938b

WASI* wasi = reinterpret_cast<WASI*>(BaseObject::FromJSObject(receiver));

Which in turn calls this method:

node/src/base_object-inl.h

Lines 93 to 98 in 92a938b

	BaseObject* BaseObject::FromJSObject(v8::Local<v8::Value> value) {
	v8::Local<v8::Object> obj = value.As<v8::Object>();
	DCHECK_GE(obj->InternalFieldCount(), BaseObject::kInternalFieldCount);
	return static_cast<BaseObject*>(
	obj->GetAlignedPointerFromInternalField(BaseObject::kSlot));
	}

Is it an option for you to apply this patch and build from source? Please try repeatedly to see if the slot count is always the same or not.

diff --git a/src/base_object-inl.h b/src/base_object-inl.h
index feaeab306ac..4f2895b4d3e 100644
--- a/src/base_object-inl.h
+++ b/src/base_object-inl.h
@@ -92,7 +92,7 @@ void BaseObject::SetInternalFields(v8::Local<v8::Object> object, void* slot) {

 BaseObject* BaseObject::FromJSObject(v8::Local<v8::Value> value) {
   v8::Local<v8::Object> obj = value.As<v8::Object>();
-  DCHECK_GE(obj->InternalFieldCount(), BaseObject::kInternalFieldCount);
+  CHECK_GE(obj->InternalFieldCount(), BaseObject::kInternalFieldCount);
   return static_cast<BaseObject*>(
       obj->GetAlignedPointerFromInternalField(BaseObject::kSlot));
 }

[fd]

@bnoordhuis So, after doing a debug build from source with the patch. The process seems to consistently crash (when it crashes at all) at that location.

We also tried running it through lldb, the program halted at the following stack trace. I'm not sure if it is related.

* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x625ebcbf088)
  * frame #0: 0x0000000100b043ec node`Builtins_InterpreterEntryTrampoline + 268
    frame #1: 0x00000001102331c4
    frame #2: 0x0000000100b3b210 node`Builtins_AsyncFunctionAwaitResolveClosure + 80
    frame #3: 0x0000000100be8fb8 node`Builtins_PromiseFulfillReactionJob + 56
    frame #4: 0x0000000100b2ab94 node`Builtins_RunMicrotasks + 596
    frame #5: 0x0000000100b023f4 node`Builtins_JSRunMicrotasksEntry + 148
    frame #6: 0x00000001003cc9f0 node`v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, v8::internal::(anonymous namespace)::InvokeParams const&) [inlined] v8::internal::GeneratedCode<unsigned long, unsigned long, v8::internal::MicrotaskQueue*>::Call(this=<unavailable>, args=<unavailable>, args=<unavailable>) at simulator.h:154:12 [opt]
    frame #7: 0x00000001003cc9ec node`v8::internal::(anonymous namespace)::Invoke(isolate=0x0000000108008000, params=0x000000016fdf6760)::InvokeParams const&) at execution.cc:443:33 [opt]
    frame #8: 0x00000001003cd330 node`v8::internal::(anonymous namespace)::InvokeWithTryCatch(isolate=0x0000000108008000, params=0x000000016fdf6760)::InvokeParams const&) at execution.cc:490:20 [opt]
    frame #9: 0x00000001003cd51c node`v8::internal::Execution::TryRunMicrotasks(isolate=<unavailable>, microtask_queue=<unavailable>) at execution.cc:601:10 [opt]
    frame #10: 0x00000001003f4c44 node`v8::internal::MicrotaskQueue::RunMicrotasks(this=0x00006000029140e0, isolate=0x0000000108008000) at microtask-queue.cc:174:22 [opt]
    frame #11: 0x00000001003f5430 node`v8::internal::MicrotaskQueue::PerformCheckpoint(v8::Isolate*) [inlined] v8::internal::MicrotaskQueue::PerformCheckpointInternal(this=0x00006000029140e0, v8_isolate=0x0000000108008000) at microtask-queue.cc:126:3 [opt]
    frame #12: 0x00000001003f53f4 node`v8::internal::MicrotaskQueue::PerformCheckpoint(this=0x00006000029140e0, isolate=0x0000000108008000) at microtask-queue.h:46:5 [opt]
    frame #13: 0x0000000100004ca4 node`node::InternalCallbackScope::Close(this=0x000000016fdf6950) at callback.cc:137:35 [opt]
    frame #14: 0x0000000100004874 node`node::InternalCallbackScope::~InternalCallbackScope() [inlined] node::InternalCallbackScope::~InternalCallbackScope(this=0x000000016fdf6950) at callback.cc:92:3 [opt]
    frame #15: 0x0000000100004870 node`node::InternalCallbackScope::~InternalCallbackScope(this=0x000000016fdf6950) at callback.cc:91:49 [opt]
    frame #16: 0x0000000100131458 node`node::PerIsolatePlatformData::RunForegroundTask(this=0x0000000105e05dc8, task=v8::Task @ 0x0000600000c507b0) at node_platform.cc:426:3 [opt]
    frame #17: 0x0000000100130330 node`node::PerIsolatePlatformData::FlushForegroundTasksInternal(this=0x0000000105e05dc8) at node_platform.cc:494:5 [opt]
    frame #18: 0x0000000100ae04f4 node`uv__async_io(loop=0x00000001040cc510, w=<unavailable>, events=<unavailable>) at async.c:163:5 [opt]
    frame #19: 0x0000000100af3638 node`uv__io_poll(loop=0x00000001040cc510, timeout=0) at kqueue.c:390:9 [opt]
    frame #20: 0x0000000100ae0e7c node`uv_run(loop=0x00000001040cc510, mode=UV_RUN_DEFAULT) at core.c:406:5 [opt]
    frame #21: 0x000000010000585c node`node::SpinEventLoopInternal(env=0x0000000107825600) at embed_helpers.cc:41:7 [opt]
    frame #22: 0x000000010010d6f8 node`node::NodeMainInstance::Run() at node_main_instance.cc:102:9 [opt]
    frame #23: 0x000000010010d684 node`node::NodeMainInstance::Run(this=<unavailable>) at node_main_instance.cc:84:3 [opt]
    frame #24: 0x0000000100092b0c node`node::LoadSnapshotDataAndRun(snapshot_data_ptr=<unavailable>, result=0x0000600002908070) at node.cc:1208:29 [opt]
    frame #25: 0x0000000100092d60 node`node::Start(int, char**) [inlined] node::StartInternal(argc=<unavailable>, argv=<unavailable>) at node.cc:1259:10 [opt]
    frame #26: 0x0000000100092c78 node`node::Start(argc=<unavailable>, argv=<unavailable>) at node.cc:1266:27 [opt]
    frame #27: 0x00000001a5c1ff28 dyld`start + 2236

[bnoordhuis]

@fd what message does the assertion print? Is it always the same one?