Node 6 crash w/ computed properties #14326
For posterity, here is crash.js:

#!/usr/bin/env node
'use strict';
/* eslint-disable no-useless-computed-key */

crashEntry();
process.exit(0);

function crashEntry() {
  weirdBootstrap();
  const entities = getEntities();
  for (let i = 0; i < 10; i += 1) {
    console.error('calling csvRows iteration:', i);
    csvRows(entities);
  }
}

function csvRows(entities) {
  for (let i = 0; i < 10; i += 1) {
    entityIntervalFn(entities[0], i);
    entityIntervalFn(entities[1], i);
  }
}

// The function that ends up optimized: an object literal mixing a computed
// key with a shorthand property, called repeatedly with iData alternating
// between null and an object.
function entityIntervalFn(entity, i) {
  const iData = entity.intervalData[i];
  const val1 = iData ? iData.key1 : null;
  const result = {
    ['cruft']: 'foo',
    val1,
  };
  console.log({ i, iData });
  result.key3 = 1;
}

function getEntities() {
  return [{
    intervalData: [
      null,
      { key1: 1,
        key2: undefined },
    ],
  }, {
    intervalData: [
      null,
      { key1: 1,
        key2: undefined },
    ],
  }];
}

function weirdBootstrap() {
  return {
    key1: 0.7,
    key2: undefined,
  };
}
And for posterity, stack trace with Node.js v6.11.1 (from https://circleci.com/gh/gotrevor/LogOfUndefined/14):
So I just checked and this fails all the way back to Node v6.0.0, leaving me to believe that this is likely a problem with V8 /cc @nodejs/v8
With a debug build:
Stack trace in gdb:
I tracked this down to a TurboFan issue. The function is sent to TurboFan because Crankshaft doesn't deal with computed properties, but when native context specialization is enabled (the default), TF computes wrong deoptimization data. The function has deoptimization data, just not for that particular safepoint. Looks like "IC propagation bug" wasn't too far off the mark because I'm reasonably confident the bug is in

diff --git a/deps/v8/src/compiler/pipeline.cc b/deps/v8/src/compiler/pipeline.cc
index 1d7e967..63a83e8 100644
--- a/deps/v8/src/compiler/pipeline.cc
+++ b/deps/v8/src/compiler/pipeline.cc
@@ -588,13 +588,12 @@ struct InliningPhase {
if (data->info()->is_frame_specializing()) {
AddReducer(data, &graph_reducer, &frame_specialization);
}
if (data->info()->is_deoptimization_enabled()) {
AddReducer(data, &graph_reducer, &global_object_specialization);
}
- AddReducer(data, &graph_reducer, &native_context_specialization);
AddReducer(data, &graph_reducer, &context_specialization);
AddReducer(data, &graph_reducer, &call_reducer);
AddReducer(data, &graph_reducer, &inlining);
graph_reducer.ReduceGraph();
}
};
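Review bot: dropping `AddReducer(data, &graph_reducer, &native_context_specialization);` from InliningPhase disables the reducer wholesale instead of correcting the deoptimization data it leaves behind, so this reads as a bisection aid rather than a landable fix; the comment above says the function does have deopt data, only not for that safepoint, which points at a missing bailout point rather than at the reducer being unsound as a whole. If it has to be carried as a patch, gate it on a CompilationInfo flag the way the neighbouring reducers are (`is_frame_specializing()`, `is_deoptimization_enabled()`) rather than removing it unconditionally, and document the performance cost of losing native context specialization on every TurboFan-compiled function. The hunk header `@@ -588,13 +588,12 @@` is consistent with the single removed line.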
@fhinkel that looks like one of the bugs we had in

Ping @fhinkel. Is this something that can be fixed easily or should we consider defaulting to

Sorry, no idea. 51 (Node 6) was cut before I joined the team.

Fix in #17290
Original commit message:

    [turbofan] Fix missing lazy deopt in object literals.

    This adds a missing lazy bailout point when defining data properties
    with computed property names in object literals. The runtime call to
    Runtime::kDefineDataPropertyInLiteral can trigger deopts. The necessary
    bailout ID already exists and is now properly used.

    R=jarin@chromium.org
    TEST=mjsunit/regress/regress-crbug-621816
    BUG=chromium:621816

    Review-Url: https://codereview.chromium.org/2099133003
    Cr-Commit-Position: refs/heads/master@{#37294}

Refs: v8/v8@4af8029
Fixes: nodejs#14326
Original commit message:

    [turbofan] Fix missing lazy deopt in object literals.

    This adds a missing lazy bailout point when defining data properties
    with computed property names in object literals. The runtime call to
    Runtime::kDefineDataPropertyInLiteral can trigger deopts. The necessary
    bailout ID already exists and is now properly used.

    R=jarin@chromium.org
    TEST=mjsunit/regress/regress-crbug-621816
    BUG=chromium:621816

    Review-Url: https://codereview.chromium.org/2099133003
    Cr-Commit-Position: refs/heads/master@{#37294}

Refs: v8/v8@4af8029
PR-URL: #17290
Fixes: #14326
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Fix has landed in 6.x-staging and will be released in 6.12.1
Versions: 6.x
Platforms: OS X, Linux
Subsystem: unknown
Running this single crash.js file will cause Node 6, across several
different dot releases, to crash with what appears to be some strange,
ephemeral memory corruption:
https://github.com/gotrevor/LogOfUndefined/blob/master/crash.js
This example does not cause a crash in Node 4 or 8. You can see the
matrix of success/failure here:
https://circleci.com/gh/gotrevor/workflows/LogOfUndefined
and the most recent case here:
https://circleci.com/workflow-run/24e3c016-39b3-442f-a0b2-f045c51381b9
Someone knowledgeable about such things wrote: