Is it OK to invoke v8::internal::SlotSet::Iterate from a background thread?


Irina Yatsenko

Jul 25, 2019, 8:53:31 PM
to v8-dev
The header comment for v8::internal::SlotSet::Iterate says:
  // Iterate over all slots in the set and for each slot invoke the callback.
  // If the callback returns REMOVE_SLOT then the slot is removed from the set.
  // Returns the new number of slots.
  // This method should only be called on the main thread.

However, we are seeing dumps from crashes in GC with the following call stacks on background threads:

0:013> kc
00 v8::internal::MemoryChunk::InYoungGeneration
01 v8::internal::Heap::InYoungGeneration
02 v8::internal::Scavenger::ScavengeObject<v8::internal::FullHeapObjectSlot>
03 v8::internal::Scavenger::CheckAndScavengeObject
04 v8::internal::Scavenger::ScavengePage::<unnamed-tag>::operator()
05 v8::internal::SlotSet::Iterate
06 v8::internal::RememberedSet<v8::internal::OLD_TO_NEW>::Iterate
07 v8::internal::Scavenger::ScavengePage
08 v8::internal::PageScavengingItem::Process
09 v8::internal::ScavengingTask::RunInParallel

V8 crashes because the slots, retrieved by SlotSet::Iterate, point into ranges that have been already marked as FREE_SPACE_TYPE.
Could someone please confirm whether the comment is accurate and could explain the crashes?

Thanks!

Jakob Gruber

Jul 29, 2019, 1:36:05 AM
to v8-...@googlegroups.com, Ulan Degenbaev
v8-dev mailing list
v8-...@googlegroups.com
http://groups.google.com/group/v8-dev
To view this discussion on the web visit https://groups.google.com/d/msgid/v8-dev/22d08655-e425-448d-967f-de20762ad713%40googlegroups.com.

Ulan Degenbaev

Jul 29, 2019, 6:41:56 AM
to Jakob Gruber, Michael Lippautz, Dominik Inführ, v8-dev, Hannes Payer
Hi Irina,

That comment is out-of-date. I uploaded a CL to fix it: https://chromium-review.googlesource.com/c/v8/v8/+/1722563

This particular usage of SlotSet::Iterate in the scavenger is safe because each scavenging thread has exclusive access to the slot set that it is iterating.
I.e. no other thread accesses the slot set during the iteration. We ensure that by disallowing concurrent sweeping of these pages during iteration: https://chromium-review.googlesource.com/c/v8/v8/+/730603/

> V8 crashes because the slots, retrieved by SlotSet::Iterate, point into ranges that have been already marked as FREE_SPACE_TYPE.

This means we have an old-to-new slot recorded for a dead object. I can see a few ways how this can happen:
1) The application writes to a field of a dead object. The object could have died because of a missing write barrier.
2) There is a race between the store buffer inserting/removing slots and the sweeper removing the slots.

Are there any other maps (besides the free space map) around the broken slots?

Cheers,
Ulan.
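
A toy model of the invariant this reply depends on, added here as an illustration (it is not V8's code, and the names OldPage, sweep, find_broken_slots and the rest are the example's own): an OLD_TO_NEW remembered set stores slot addresses, not objects, so it only stays meaningful if the sweeper purges every slot inside a range it turns into free space and no store lands in that range afterwards. The model frees an object with and without that purge, performs the late store listed as case 1 above, and reports the slots that now sit inside free space, which is the state the scavenger in the crash found when it read a FREE_SPACE_TYPE map through a recorded slot.

```cpp
// Added example, not V8 code: a toy OLD_TO_NEW remembered set that, like V8's
// SlotSet, records slot addresses rather than objects, plus the check that
// catches a recorded slot lying inside free space. All names are the example's.
#include <cstddef>
#include <cstdint>
#include <map>
#include <set>
#include <vector>

namespace toy {

enum class Kind { Live, FreeSpace };
struct Header { Kind kind; size_t size; };  // size in words, header included

// An old-space page: a flat word array. Word 0 of each object is its header
// (kept out of band in `headers`); the other words are fields holding a
// young-object id (0 == null). `slot_set` is the OLD_TO_NEW remembered set:
// indices of fields that were last seen pointing into young space.
struct OldPage {
  std::vector<uintptr_t> words;
  std::map<size_t, Header> headers;  // object start -> header
  std::set<size_t> slot_set;
  size_t top = 0;
};

size_t allocate_old(OldPage& page, size_t size_in_words) {
  size_t start = page.top;
  page.top += size_in_words;
  page.words.resize(page.top, 0);
  page.headers[start] = {Kind::Live, size_in_words};
  return start;
}

// The object (live or free space) whose range contains word index `slot`.
const Header* containing_object(const OldPage& page, size_t slot) {
  auto it = page.headers.upper_bound(slot);
  if (it == page.headers.begin()) return nullptr;
  --it;
  return slot < it->first + it->second.size ? &it->second : nullptr;
}

// Mutator store with the generational write barrier: a young pointer stored
// into old space gets its slot recorded.
void store_field(OldPage& page, size_t slot, uintptr_t young_id) {
  page.words[slot] = young_id;
  if (young_id != 0) page.slot_set.insert(slot);
}

// Sweeper: turn a dead object into free space. `remove_slots` stands for the
// RemoveRange step; with it false, the sweeper forgets the slots inside the
// range it just freed.
void sweep(OldPage& page, size_t start, bool remove_slots) {
  Header& h = page.headers.at(start);
  h.kind = Kind::FreeSpace;
  for (size_t i = start + 1; i < start + h.size; ++i) page.words[i] = 0;
  if (remove_slots) {
    page.slot_set.erase(page.slot_set.lower_bound(start + 1),
                        page.slot_set.lower_bound(start + h.size));
  }
}

// The invariant every slot-set iteration relies on: each recorded slot lies
// inside a live object. Returns the slots that violate it.
std::vector<size_t> find_broken_slots(const OldPage& page) {
  std::vector<size_t> broken;
  for (size_t slot : page.slot_set) {
    const Header* h = containing_object(page, slot);
    if (h == nullptr || h->kind == Kind::FreeSpace) broken.push_back(slot);
  }
  return broken;
}

// The situation from the thread: object A dies and is swept while a slot in
// its range is (or becomes) recorded. Returns the broken slots that the next
// scavenge would iterate.
std::vector<size_t> scenario_stale_slot(bool sweeper_removes_slots,
                                        bool late_store_after_sweep) {
  OldPage page;
  size_t a = allocate_old(page, 4);  // header + 3 fields, words 0..3
  size_t b = allocate_old(page, 4);  // words 4..7
  store_field(page, a + 1, 7);       // A.f0 -> young #7, slot 1 recorded
  store_field(page, b + 2, 9);       // B.f1 -> young #9, slot 6 recorded
  sweep(page, a, sweeper_removes_slots);                      // A is dead
  if (late_store_after_sweep) store_field(page, a + 2, 11);  // store into dead A
  return find_broken_slots(page);
}

}  // namespace toy
```

With the purge and no late store the set holds only B's slot; skipping the purge leaves slot 1 inside free space, and a store into the dead object after a correct sweep puts slot 2 there. find_broken_slots is the kind of check a debug build could run on a page before iterating its OLD_TO_NEW set: it turns the access violation in the stack above into an assertion that names the offending slot.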

Irina Yatsenko

Aug 7, 2019, 6:35:36 PM
to v8-dev
<Ulan> Are there any other maps (besides the free space map) around the broken slots?

In most of the dumps we get the slot pointer lands in the middle of a zeroed out region and crashpad doesn't collect the memory beyond it. But occasionally we get lucky, for example (v8 at 63edc02cda79436625d5bc9a9b608857722a56bd):

rax=0000000000000001 rbx=000001e6d6bedc00 rcx=000001e6cc91ad20
rdx=0000135413c43340 rsi=0000000000000000 rdi=0000000000000000
rip=00007fff2f039c9d rsp=00000091ddbfd0a0 rbp=000001e6cd5109b8
 r8=00005fa57213dee1  r9=000001e6cc91ad20 r10=000001e6cc91ae60
r11=0000000000000000 r12=0000135413c43340 r13=0000000000000100
r14=0000000000000660 r15=0000000000000013
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=0000  ds=0000  es=0000  fs=0053  gs=002b             efl=00010246
v8::internal::MemoryChunk::InYoungGeneration+0x2:
00007fff`2f039c9d f6460818        test    byte ptr [rsi+8],18h ds:00000000`00000008=??

  code_space 0x4b4de89c0000
  map_space 0x713198180000
  ro_space 0x6fa75d840000
  isolate 0x1e6c98eef90

00005fa5`7213de60  ????????`????????
00005fa5`7213de68  00000000`00000000
00005fa5`7213de70  00000000`00000000
00005fa5`7213de78  00000000`00000000
00005fa5`7213de80  00000c64`0b582ac9
00005fa5`7213de88  00006fa7`5d840c21
00005fa5`7213de90  00006fa7`5d840c21 <- what is this? (also in ro_space, lots of references to it across the dump)
00005fa5`7213de98  00005fa5`7213de21
00005fa5`7213dea0  41258000`00000000
00005fa5`7213dea8  00006fa7`5d840139 <- first item in ro_space in this build (I believe): FREE_SPACE_TYPE
00005fa5`7213deb0  00000fb0`00000000 <- size of the free space
00005fa5`7213deb8  00000000`00000000
00005fa5`7213dec0  00000000`00000000
00005fa5`7213dec8  00000000`00000000
00005fa5`7213ded0  00000000`00000000
00005fa5`7213ded8  00000000`00000000
00005fa5`7213dee0  00000000`00000000
00005fa5`7213dee8  00000000`00000000
00005fa5`7213def0  00000000`00000000
00005fa5`7213def8  00000000`00000000
00005fa5`7213df00  00000000`00000000
00005fa5`7213df08  00000000`00000000
00005fa5`7213df10  00000000`00000000
00005fa5`7213df18  00000000`00000000
00005fa5`7213df20  00000000`00000000
00005fa5`7213df28  00000000`00000000
00005fa5`7213df30  00000000`00000000
00005fa5`7213df38  00000000`00000000
00005fa5`7213df40  00000000`00000000
00005fa5`7213df48  00000000`00000000
00005fa5`7213df50  00000000`00000000
00005fa5`7213df58  00000000`00000000
00005fa5`7213df60  00000000`00000000
00005fa5`7213df68  00000000`00000000
00005fa5`7213df70  00000000`00000000
00005fa5`7213df78  00000000`00000000
00005fa5`7213df80  00000000`00000000
00005fa5`7213df88  00000000`00000000
00005fa5`7213df90  00000000`00000000
00005fa5`7213df98  00000000`00000000
00005fa5`7213dfa0  00000000`00000000
00005fa5`7213dfa8  00000000`00000000
00005fa5`7213dfb0  00000000`00000000
00005fa5`7213dfb8  00000000`00000000
00005fa5`7213dfc0  00000000`00000000
00005fa5`7213dfc8  00000000`00000000
00005fa5`7213dfd0  00000000`00000000
00005fa5`7213dfd8  00000000`00000000
00005fa5`7213dfe0  00000000`00000000
00005fa5`7213dfe8  00000000`00000000
00005fa5`7213dff0  00000000`00000000
00005fa5`7213dff8  00000000`00000000
00005fa5`7213e000  00000000`00000000
00005fa5`7213e008  00000000`00000000
00005fa5`7213e010  00000000`00000000
00005fa5`7213e018  00000000`00000000
00005fa5`7213e020  00000000`00000000
00005fa5`7213e028  00000000`00000000
00005fa5`7213e030  00000000`00000000
00005fa5`7213e038  00000000`00000000
00005fa5`7213e040  00000000`00000000
00005fa5`7213e048  00000000`00000000
00005fa5`7213e050  00000000`00000000
00005fa5`7213e058  00000000`00000000
00005fa5`7213e060  ????????`????????

In frame 02 00000091`ddbfd0a0 00007fff`2f0400af v8::internal::Scavenger::ScavengeObject<v8::internal::FullHeapObjectSlot>

0:000> dx -r1 p
p                 [Type: v8::internal::FullHeapObjectSlot]
    [+0x000] ptr_             : 0x135413c43340 [Type: unsigned __int64]

0:000> dx -r1 object
object                 [Type: v8::internal::HeapObject]
    [+0x000] ptr_             : 0x5fa57213dee1 [Type: unsigned __int64]

00001354`13c432b8  ????????`????????
00001354`13c432c0  00001354`13c55619
00001354`13c432c8  0000000f`00000000
00001354`13c432d0  00006fa7`5d840371
00001354`13c432d8  4137270d`00000000
00001354`13c432e0  00004a75`021a18d9
00001354`13c432e8  00006fa7`5d840c21
00001354`13c432f0  00001354`13c47b49
00001354`13c432f8  0000000f`00000000
00001354`13c43300  00004a75`021a18d9
00001354`13c43308  00006fa7`5d840c21
00001354`13c43310  00001354`13c556b1
00001354`13c43318  0000000f`00000000
00001354`13c43320  00006fa7`5d840371
00001354`13c43328  4137270d`00000000
00001354`13c43330  00004a75`021a1979
00001354`13c43338  00006fa7`5d840c21
00001354`13c43340  00000000`00000001 <- "tagged nullptr" written by HeapObjectReference::Update(p, dest);
00001354`13c43348  00000128`00000000
00001354`13c43350  00001e82`f90233b9
00001354`13c43358  00006fa7`5d840c21
00001354`13c43360  00006fa7`5d840c21
00001354`13c43368  00001354`13c47af9
00001354`13c43370  00001354`13c47b21
00001354`13c43378  00006fa7`5d8404d1
00001354`13c43380  00006fa7`5d8404d1
00001354`13c43388  00004a75`021a18d9
00001354`13c43390  00006fa7`5d840c21
00001354`13c43398  00001b18`65a7b9f9
00001354`13c433a0  00000003`00000000
00001354`13c433a8  00004a75`021a18d9
00001354`13c433b0  00006fa7`5d840c21
00001354`13c433b8  00001b18`65a7ba91
00001354`13c433c0  00000003`00000000
00001354`13c433c8  00001e82`f90233b9
00001354`13c433d0  00006fa7`5d840c21
00001354`13c433d8  00006fa7`5d840c21
00001354`13c433e0  00001354`13c47ab9
00001354`13c433e8  00001354`13c47ad9
00001354`13c433f0  00006fa7`5d8404d1
00001354`13c433f8  00006fa7`5d8404d1
00001354`13c43400  00001e82`f90233b9
00001354`13c43408  00006fa7`5d840c21
00001354`13c43410  00006fa7`5d840c21
00001354`13c43418  00000000`00000000
00001354`13c43420  00000000`00000000
00001354`13c43428  00006fa7`5d8404d1
00001354`13c43430  00006fa7`5d8404d1
00001354`13c43438  00004a75`021a18d9
00001354`13c43440  00006fa7`5d840c21
00001354`13c43448  000067cc`bb9f75b9
00001354`13c43450  0000001e`00000000
00001354`13c43458  00004a75`021a18d9
00001354`13c43460  00006fa7`5d840c21
00001354`13c43468  000067cc`bb9f7721
00001354`13c43470  0000001e`00000000
00001354`13c43478  00006fa7`5d840139
00001354`13c43480  000007b8`00000000
00001354`13c43488  00001354`13c42e89
00001354`13c43490  00000002`00000000
00001354`13c43498  00000dc6`ab69dfab
00001354`13c434a0  00000000`00000003
00001354`13c434a8  00006fa7`5d8402d1
00001354`13c434b0  00000002`00000000
00001354`13c434b8  00000000`00000003
00001354`13c434c0  ????????`????????


00006fa7`5d840c20  00006fa7`5d8407b1
00006fa7`5d840c28  00000000`00000000
00006fa7`5d840c30  00006fa7`5d840c61
00006fa7`5d840c38  c0100000`00000000
00006fa7`5d840c40  00006fa7`5d840cb1
00006fa7`5d840c48  fffffffc`00000000
00006fa7`5d840c50  00006fa7`5d8404b1
00006fa7`5d840c58  00000004`00000000
00006fa7`5d840c60  00006fa7`5d840189
00006fa7`5d840c68  19000043`21000006
00006fa7`5d840c70  00000000`084003ff
00006fa7`5d840c78  00006fa7`5d8401d9
00006fa7`5d840c80  00006fa7`5d8401d9

00006fa7`5d840760  00006fa7`5d840189
00006fa7`5d840768  19000048`01000000
00006fa7`5d840770  00000000`084003ff
00006fa7`5d840778  00006fa7`5d8401d9
00006fa7`5d840780  00006fa7`5d8401d9
00006fa7`5d840788  00006fa7`5d840259
00006fa7`5d840790  00000000`00000000
00006fa7`5d840798  00006fa7`5d8402c1
00006fa7`5d8407a0  00000000`00000000
00006fa7`5d8407a8  00000000`00000000
00006fa7`5d8407b0  00006fa7`5d840189
00006fa7`5d8407b8  1800007d`14000000
00006fa7`5d8407c0  00000000`004003ff
00006fa7`5d8407c8  00006fa7`5d8401d9
00006fa7`5d8407d0  00006fa7`5d8401d9
00006fa7`5d8407d8  00006fa7`5d840259
00006fa7`5d8407e0  00000000`00000000
00006fa7`5d8407e8  00006fa7`5d8402c1
00006fa7`5d8407f0  00000000`00000000
00006fa7`5d8407f8  00000000`00000000
00006fa7`5d840800  00006fa7`5d840189
00006fa7`5d840808  1800007d`14000000
00006fa7`5d840810  00000000`004003ff
00006fa7`5d840818  00006fa7`5d8401d9
00006fa7`5d840820  00006fa7`5d8401d9
00006fa7`5d840828  00006fa7`5d840259
00006fa7`5d840830  00000000`00000000
00006fa7`5d840838  00006fa7`5d8402c1
00006fa7`5d840840  00000000`00000000
00006fa7`5d840848  00000000`00000000
00006fa7`5d840850  00006fa7`5d840189
00006fa7`5d840858  19000080`14000000
00006fa7`5d840860  00000000`084003ff
00006fa7`5d840868  00006fa7`5d8401d9
00006fa7`5d840870  00006fa7`5d8401d9
00006fa7`5d840878  00006fa7`5d840259
00006fa7`5d840880  00000000`00000000
00006fa7`5d840888  ????????`????????


Any useful?
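
Reading dumps like the one above goes faster with a decoder for the tagged words, so here is one as an added example; it is not V8 or crashpad code. It assumes the x64 layout without pointer compression that the 64-bit words above reflect: a word with low bit 0 is a Smi carrying its 32-bit payload in the upper half, low bits 01 mark a strong HeapObject pointer, low bits 11 a weak one, and the bare value 3 is a cleared weak reference. The 256 KiB chunk size used to map pointers back onto the space bases printed with the dump is also this example's assumption. The sample lines are copied from the dump.

```cpp
// Added example, not V8 or crashpad code: decode the 64-bit tagged words of a
// windbg `dq` dump. Assumed layout (x64, no pointer compression, as above):
// low bit 0 = Smi with a 32-bit payload in the upper half; low bits 01 = strong
// HeapObject pointer; low bits 11 = weak pointer; the bare value 3 = cleared
// weak reference. The 256 KiB chunk size is this example's assumption.
#include <cstdint>
#include <map>
#include <sstream>
#include <string>
#include <vector>

namespace dumptool {

enum class Kind { Smi, StrongRef, WeakRef, ClearedWeak, NullRef };
// address: untagged pointer for StrongRef/WeakRef; smi: payload for Smi.
struct Decoded { Kind kind; uint64_t address; int32_t smi; };

constexpr uint64_t kHeapObjectTagMask = 3;
constexpr uint64_t kWeakHeapObjectTag = 3;
constexpr uint64_t kClearedWeakValue = 3;
constexpr uint64_t kChunkSize = 256 * 1024;  // assumption

Decoded decode(uint64_t word) {
  if ((word & 1) == 0) return {Kind::Smi, 0, static_cast<int32_t>(word >> 32)};
  if (word == kClearedWeakValue) return {Kind::ClearedWeak, 0, 0};
  uint64_t addr = word & ~kHeapObjectTagMask;
  if (addr == 0) return {Kind::NullRef, 0, 0};  // the 0x1 "tagged nullptr"
  bool weak = (word & kHeapObjectTagMask) == kWeakHeapObjectTag;
  return {weak ? Kind::WeakRef : Kind::StrongRef, addr, 0};
}

// Parse one `dq` line: "<addr>  <value> [annotation]". windbg puts a backtick
// in the middle of each number; unreadable memory ("????????`????????")
// makes this return false.
bool parse_dq_line(const std::string& line, uint64_t* addr, uint64_t* value) {
  std::string cleaned;
  for (char c : line) if (c != '`') cleaned.push_back(c);
  std::istringstream in(cleaned);
  std::string a, v;
  if (!(in >> a >> v) || v.find('?') != std::string::npos) return false;
  *addr = std::stoull(a, nullptr, 16);
  *value = std::stoull(v, nullptr, 16);
  return true;
}

uint64_t chunk_base(uint64_t addr) { return addr & ~(kChunkSize - 1); }

// Name the chunk a pointer lands in, using the space bases printed with the
// dump; anything else is reported by its chunk base.
std::string region_of(uint64_t addr, const std::map<uint64_t, std::string>& spaces) {
  auto it = spaces.find(chunk_base(addr));
  if (it != spaces.end()) return it->second;
  std::ostringstream out;
  out << "chunk 0x" << std::hex << chunk_base(addr);
  return out.str();
}

struct Annotated { uint64_t addr; std::string text; };

// Describe every readable word of a dump.
std::vector<Annotated> annotate(const std::vector<std::string>& lines,
                                const std::map<uint64_t, std::string>& spaces) {
  std::vector<Annotated> out;
  for (const std::string& line : lines) {
    uint64_t addr = 0, value = 0;
    if (!parse_dq_line(line, &addr, &value)) continue;
    Decoded d = decode(value);
    std::ostringstream text;
    switch (d.kind) {
      case Kind::Smi: text << "Smi " << d.smi; break;
      case Kind::NullRef: text << "strong-tagged null (0x1)"; break;
      case Kind::ClearedWeak: text << "cleared weak reference"; break;
      case Kind::WeakRef: text << "weak -> " << region_of(d.address, spaces); break;
      case Kind::StrongRef: text << "strong -> " << region_of(d.address, spaces); break;
    }
    out.push_back({addr, text.str()});
  }
  return out;
}

// Space bases as printed in the dump; the old-space page is derived from the
// faulting slot address 0x135413c43340.
const std::map<uint64_t, std::string> kSpaces = {
    {0x6fa75d840000ULL, "ro_space"},
    {0x4b4de89c0000ULL, "code_space"},
    {0x713198180000ULL, "map_space"},
    {chunk_base(0x135413c43340ULL), "old page holding the slot"},
};

// Sample lines copied from the dump above.
const std::vector<std::string> kSample = {
    "00001354`13c43338  00006fa7`5d840c21",
    "00001354`13c43340  00000000`00000001 <- tagged nullptr",
    "00001354`13c43348  00000128`00000000",
    "00001354`13c434a0  00000000`00000003",
    "00001354`13c43488  00001354`13c42e89",
    "00001354`13c434c0  ????????`????????",
};

}  // namespace dumptool
```

Run over the words around 00001354`13c43340 it labels 00006fa7`5d840c21 as a strong pointer into ro_space, the 0x1 at the faulting slot as a strong-tagged null, the bare 3 values at 13c434a0 and 13c434b8 as cleared weak references, and 00001354`13c42e89 as a pointer back into the same old-space page. It is only meaningful for slots that hold tagged values: a raw payload (a HeapNumber's double, string bytes) has no tag and decodes as an arbitrary Smi, so a word like 41258000`00000000 in the first dump should be checked against its object's map before being read as one.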
