Invalid iterator dereference in v8::internal::compiler::JSHeapBroker::ProcessFeedbackMapsForElementAccess

[Audrius Butkevicius]

Hi

I'm running my application in debug mode, and I noticed it sometimes it fails with his assert:

C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.43.34808\include\vector(280) : Assertion failed: can't dereference out of range vector iterator

...

   3 # `DllMain'::`5'::<lambda_1>::operator() at dllmain.cpp:598 (app+0x371a7cd)
   4 # `DllMain'::`5'::<lambda_1>::<lambda_invoker_cdecl> at dllmain.cpp:614 (app+0x371a668)
   5 # _VCrtDbgReportA at dbgrptt.cpp:391 (app+0x361df8f)
   6 # _CrtDbgReport at dbgrpt.cpp:263 (app+0x35ee779)
   7 # std::_Vector_iterator<std::_Vector_val<std::_Simple_types<std::pair<int,v8::internal::Tagged<v8::internal::HeapObject> > > > >::operator-> in app+0x92054c
   8 # v8::MemorySpan<v8::internal::Handle<v8::internal::Map> >::to_address<std::_Vector_iterator<std::_Vector_val<std::_Simple_types<v8::internal::Handle<v8::internal::Map> > > >,void> in app+0x10e5643
   9 # v8::MemorySpan<v8::internal::Handle<v8::internal::Map> >::MemorySpan<v8::internal::Handle<v8::internal::Map> ><std::_Vector_iterator<std::_Vector_val<std::_Simple_types<v8::internal::Handle<v8::internal::Map> > > >,1> in app+0x10e50c4
  10 # v8::internal::compiler::JSHeapBroker::ProcessFeedbackMapsForElementAccess in app+0x251e77a
  11 # v8::internal::compiler::JSHeapBroker::ReadFeedbackForPropertyAccess in app+0x2520011
  12 # v8::internal::compiler::JSHeapBroker::GetFeedbackForPropertyAccess in app+0x251af78
  13 # v8::internal::maglev::MaglevGraphBuilder::VisitStaInArrayLiteral in app+0x2862834
  14 # v8::internal::maglev::MaglevGraphBuilder::VisitSingleBytecode in app+0x2343e8f
  15 # v8::internal::maglev::MaglevGraphBuilder::BuildBody in app+0x230b567
  16 # v8::internal::maglev::MaglevGraphBuilder::Build in app+0x230b385
  17 # v8::internal::maglev::MaglevCompiler::Compile in app+0x230bd91
  18 # v8::internal::maglev::MaglevCompilationJob::ExecuteJobImpl in app+0xfe89b8
  19 # v8::internal::OptimizedCompilationJob::ExecuteJob in app+0xb0583b
  20 # v8::internal::maglev::MaglevConcurrentDispatcher::JobTask::Run in app+0xfe9c23
  21 # v8::platform::DefaultJobWorker::Run in app+0xd2a949
  22 # v8::platform::DefaultWorkerThreadsTaskRunner::WorkerThread::Run in app+0xd2b1c2
  23 # v8::base::Thread::NotifyStartedAndRun in app+0x681104
  24 # v8::base::OS::StrNCpy in app+0x681e4d
  25 # thread_start<unsigned int (__cdecl*)(void *),1> at thread.cpp:97 (app+0x3622e45)
  26 # BaseThreadInitThunk in KERNEL32+0x17374
  27 # RtlUserThreadStart in ntdll+0x4cc91

It's possible that I'm doing something wrong, but it's not very clear what.

Sadly, this is version 12.9.202, as I still need a static build that uses MSVC.

Any suggestions would be welcome, as to what I'm doing wrong.

Thanks.

[Ben Noordhuis]

Maybe try building with v8_enable_maglev=false. In node, we had maglev
disabled until at least 12.8 because of various crashes.

[Audrius Butkevicius]

I've actually posted stacktraces of other threads on the user list (https://groups.google.com/g/v8-users/c/iaD_4IGqIyI) which hints this is a race condition.

Seems that the code on head hasn't changed around this, so it still might be a bug now, but confirmed, the issue goes away by switching off maglev.

[Audrius Butkevicius]

Seems that I've hit the same case without Maglev:

==== C stack trace ===============================

        std::_Vector_iterator<std::_Vector_val<std::_Simple_types<std::pair<int,v8::internal::Tagged<v8::internal::HeapObject> > > > >::operator-> [0x00007FFB8C978EB1+369]
        v8::MemorySpan<v8::internal::Handle<v8::internal::Map> >::to_address<std::_Vector_iterator<std::_Vector_val<std::_Simple_types<v8::internal::Handle<v8::internal::Map> > > >,void> [0x00007FFB8D13EC83+19]
        v8::MemorySpan<v8::internal::Handle<v8::internal::Map> >::MemorySpan<v8::internal::Handle<v8::internal::Map> ><std::_Vector_iterator<std::_Vector_val<std::_Simple_types<v8::internal::Handle<v8::internal::Map> > > >,1> [0x00007FFB8D13E704+52]
        v8::internal::compiler::JSHeapBroker::ProcessFeedbackMapsForElementAccess [0x00007FFB8E57704A+714]
        v8::internal::compiler::JSHeapBroker::ReadFeedbackForPropertyAccess [0x00007FFB8E5788E1+1841]
        v8::internal::compiler::JSHeapBroker::GetFeedbackForPropertyAccess [0x00007FFB8E573848+88]
        v8::internal::compiler::JSNativeContextSpecialization::ReducePropertyAccess [0x00007FFB8EB83319+681]
        v8::internal::compiler::JSNativeContextSpecialization::ReduceJSSetKeyedProperty [0x00007FFB8EB7EF21+321]
        v8::internal::compiler::JSNativeContextSpecialization::Reduce [0x00007FFB8EB73019+649]
        v8::internal::compiler::Reducer::Reduce [0x00007FFB8E93D1EC+60]
        v8::internal::compiler::GraphReducer::Reduce [0x00007FFB8E93CEBE+190]
        v8::internal::compiler::GraphReducer::ReduceTop [0x00007FFB8E93D708+600]
        v8::internal::compiler::GraphReducer::ReduceNode [0x00007FFB8E93D32E+174]
        v8::internal::compiler::GraphReducer::ReduceGraph [0x00007FFB8E93D278+40]
        v8::internal::compiler::InliningPhase::Run [0x00007FFB8E4E7CBE+1950]
        v8::internal::compiler::PipelineImpl::Run<v8::internal::compiler::InliningPhase> [0x00007FFB8E49B71B+123]
        v8::internal::compiler::PipelineImpl::CreateGraph [0x00007FFB8E4D03C8+168]
        v8::internal::compiler::PipelineCompilationJob::ExecuteJobImpl [0x00007FFB8E4D205C+428]
        v8::internal::OptimizedCompilationJob::ExecuteJob [0x00007FFB8CB5E11B+299]
        v8::internal::OptimizingCompileDispatcher::CompileNext [0x00007FFB8D0390A3+67]
        v8::internal::OptimizingCompileDispatcher::CompileTask::Run [0x00007FFB8D03A2F9+633]
        v8::platform::DefaultJobWorker::Run [0x00007FFB8CD835F9+185]
        v8::platform::DefaultWorkerThreadsTaskRunner::WorkerThread::Run [0x00007FFB8CD83E72+194]
        v8::base::Thread::NotifyStartedAndRun [0x00007FFB8C6D8904+52]
        v8::base::OS::StrNCpy [0x00007FFB8C6D964D+205]
        thread_start<unsigned int (__cdecl*)(void *),1> [0x00007FFB8F67B6B5+165] (minkernel\crts\ucrt\src\appcrt\startup\thread.cpp:97)
        BaseThreadInitThunk [0x00007FFCBDDA7374+20]
        RtlUserThreadStart [0x00007FFCBFDBCC91+33]

I suspect this thread is what triggered it:

   0 # NtWaitForAlertByThreadId in ntdll+0xa0f24
   1 # RtlAcquireSRWLockExclusive in ntdll+0x29205
   2 # v8::base::SharedMutex::LockExclusive in app+0x59258f
   3 # `v8::internal::ParkedSharedMutexGuardIf<1,0>::ParkedSharedMutexGuardIf<1,0>'::`25'::<lambda_2>::operator() in app+0xea0a99
   4 # v8::internal::LocalHeap::ParkAndExecuteCallback<`v8::internal::ParkedSharedMutexGuardIf<1,0>::ParkedSharedMutexGuardIf<1,0>'::`25'::<lambda_2> > in app+0xe9f7c8
   5 # `v8::internal::LocalHeap::ExecuteWhileParked<`v8::internal::ParkedSharedMutexGuardIf<1,0>::ParkedSharedMutexGuardIf<1,0>'::`25'::<lambda_2> >'::`2'::<lambda_1>::operator() in app+0xea0749
   6 # heap::base::Stack::SetMarkerAndCallbackImpl<`v8::internal::LocalHeap::ExecuteWhileParked<`v8::internal::ParkedSharedMutexGuardIf<1,0>::ParkedSharedMutexGuardIf<1,0>'::`25'::<lambda_2> >'::`2'::<lambda_1> > in app+0xe9f99b
   7 # PushAllRegistersAndIterateStack in app+0xf65abd
   8 # heap::base::Stack::TrampolineCallbackHelper in app+0x7f3737
   9 # heap::base::Stack::SetMarkerAndCallback<`v8::internal::LocalHeap::ExecuteWhileParked<`v8::internal::ParkedSharedMutexGuardIf<1,0>::ParkedSharedMutexGuardIf<1,0>'::`25'::<lambda_2> >'::`2'::<lambda_1> > in app+0xe9f8d4
  10 # v8::internal::LocalHeap::ExecuteWithStackMarker<`v8::internal::LocalHeap::ExecuteWhileParked<`v8::internal::ParkedSharedMutexGuardIf<1,0>::ParkedSharedMutexGuardIf<1,0>'::`25'::<lambda_2> >'::`2'::<lambda_1> > in app+0xe9edfe
  11 # v8::internal::LocalHeap::ExecuteWhileParked<`v8::internal::ParkedSharedMutexGuardIf<1,0>::ParkedSharedMutexGuardIf<1,0>'::`25'::<lambda_2> > in app+0xe9ec55
  12 # v8::internal::ParkedSharedMutexGuardIf<0,0>::ParkedSharedMutexGuardIf<0,0> in app+0xea01dd
  13 # v8::internal::ParkedSharedMutexGuardIf<0,0>::ParkedSharedMutexGuardIf<0,0> in app+0xea022a
  14 # v8::internal::MapUpdater::ReconfigureToDataField in app+0xeaaa4d
  15 # v8::internal::Map::Update in app+0x80f4c7
  16 # v8::internal::Map::TransitionToDataProperty in app+0x80cf20
  17 # v8::internal::LookupIterator::PrepareTransitionToDataProperty in app+0x9d3cc5
  18 # v8::internal::Object::TransitionAndWriteDataProperty in app+0x642167
  19 # v8::internal::Object::AddDataProperty in app+0x5fc92e
  20 # v8::internal::JSObject::DefineOwnPropertyIgnoreAttributes in app+0x754a99
  21 # v8::internal::JSObject::DefineOwnPropertyIgnoreAttributes in app+0x754b5e
  22 # v8::internal::JSObject::SetOwnPropertyIgnoreAttributes in app+0x778e02
  23 # v8::internal::CastTraits<v8::internal::ObjectBoilerplateDescription>::AllowFrom in app+0x1fd8252
  24 # v8::internal::CastTraits<v8::internal::ObjectBoilerplateDescription>::AllowFrom in app+0x1fd6f4a
  25 # v8::internal::Cast<v8::internal::ObjectBoilerplateDescription,v8::internal::Object> in app+0x1fd6c66
  26 # v8::internal::Cast<v8::internal::ObjectBoilerplateDescription,v8::internal::Object> in app+0x1fd65d7
  27 # v8::internal::AllocationSiteUsageContext::ShouldCreateMemento in app+0x1fe14a8
  28 # v8::internal::Runtime_CreateObjectLiteral in app+0x1fd93b4

[Nikos Papaspyrou]

The problem arises at this point, when possible_transition_targets is empty.

It seems that the following program runs successfully with clang, both in Linux and Windows.

However, it fails with MSVC, exactly with the assertion failure that you're getting.

#include <cassert>

#include <vector>

int main() {
  std::vector < int> empty;
  assert(nullptr == empty.begin().operator->());

}

I will investigate some more and come back with a fix.

Thank you for reporting!

[Audrius Butkevicius]

Presumably this:

https://source.chromium.org/chromium/chromium/src/+/main:v8/include/v8-memory-span.h;l=124;drc=d350ca68909171a740a8e33c43fea86ed0574a05

just needs to be:

: data_(first == last ? nullptr : to_address(first)), size_(last - first) {}

?

[Nikos Papaspyrou]

That would also work.
My fix is here: https://chromium-review.googlesource.com/c/v8/v8/+/6683301

For earlier V8 versions, I'm afraid you will need to backpatch it.

--
--
v8-dev mailing list
v8-...@googlegroups.com
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to a topic in the Google Groups "v8-dev" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/v8-dev/OyoFIL91POA/unsubscribe.
To unsubscribe from this group and all its topics, send an email to v8-dev+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/v8-dev/a7ddc856-1f56-498f-a267-3c0b9cee5deen%40googlegroups.com.

--

Nikolaos Papaspyrou

Software Engineer

niko...@google.com

Google Germany GmbH

Erika-Mann-Straße 33 80636 München

Geschäftsführer: Paul Manicle, Liana Sebastian

Registergericht und -nummer: Hamburg, HRB 86891

Sitz der Gesellschaft: Hamburg

Diese E-Mail ist vertraulich. Falls Sie diese fälschlicherweise erhalten haben sollten, leiten Sie diese bitte nicht an jemand anderes weiter, löschen Sie alle Kopien und Anhänge davon und lassen Sie mich bitte wissen, dass die E-Mail an die falsche Person gesendet wurde. 

     

This e-mail is confidential. If you received this communication by mistake, please don't forward it to anyone else, please erase all copies and attachments, and please let me know that it has gone to the wrong person.