Double Proxy resolve/reject causes segfault

[Bogdan Padalko]

Hi!

While working on upgrading php-v8 extension from 6.5.144 to 6.6.275 I find a strange issue: when promise in non-pending stage get resolved/rejected, application fails with segfault. While it's an edge case, it still possible in userland and luckily it was covered by php-v8 unit tests.
As v8 API says that calling resolve/reject on a promise in non-pending state should have no effect, I find this segfault a bit strange. Could it be some regression or so?

Here's minimal example to reproduce the issue: hello_world.cpp

#include <v8.h>
#include <libplatform/libplatform.h>

#include <stdlib.h>
#include <string.h>

using namespace v8;

int main(int argc, char* argv[]) {
  // Initialize V8.
  //v8::V8::InitializeICU();

  std::unique_ptr<v8::Platform> platform = v8::platform::NewDefaultPlatform();
  v8::V8::InitializePlatform(platform.get());

  V8::Initialize();

  v8::Isolate::CreateParams create_params;
  create_params.array_buffer_allocator = v8::ArrayBuffer::Allocator::NewDefaultAllocator();

  // Create a new Isolate and make it the current one.
  Isolate* isolate = v8::Isolate::New(create_params);

  v8::Persistent<v8::String> test;

  {
    Isolate::Scope isolate_scope(isolate);

    // Create a stack-allocated handle scope.
    HandleScope handle_scope(isolate);

    // Create a new context.
    Local<Context> context = Context::New(isolate);

    // Enter the context for compiling and running the hello world script.
    Context::Scope context_scope(context);

    Local<String> local_value = String::NewFromUtf8(isolate, "test");

    v8::MaybeLocal<v8::Promise::Resolver> maybe_local_resolver = v8::Promise::Resolver::New(context);
    v8::Local<v8::Promise::Resolver> local_resolver = maybe_local_resolver.ToLocalChecked();

    local_resolver->Resolve(context, local_value);
    local_resolver->Resolve(context, local_value);
  }

  // Dispose the isolate and tear down V8.
  isolate->Dispose();
  V8::Dispose();
  V8::ShutdownPlatform();

  return 0;
}

Build on macOS with

ROOT=/usr/local/opt/v8@6.6
LIB_DIR=$ROOT/lib/

SRC_DIR=$ROOT
INCLUDE_DIR=$ROOT/include

g++ hello_world.cpp -o hello_world \
 -Wno-unused-result \
 -g \
 -O2 \
 -std=c++14 \
 -I$SRC_DIR \
 -I$INCLUDE_DIR \
 -L$LIB_DIR \
 -lv8_libbase \
 -lv8_libplatform \
 -lv8 \
 -lpthread

install_name_tool -add_rpath $LIB_DIR hello_world

And fails with

$ ./hello_world
Received signal 11 SEGV_MAPERR 00000000000a

==== C stack trace ===============================

 [0x000106d8ff14]
 [0x7fff6ca6bf5a]
 [0x0001072d0984]
 [0x000106de95e8]
 [0x000106d79bb2]
 [0x7fff6c7ea115]
 [0x000000000001]
[end of stack trace]
Segmentation fault: 11

Same issue on linux - https://travis-ci.org/pinepain/php-v8/jobs/344550482 (scroll to the bottom).

I would really appreciate any help here as I'm not quite sure whether it's an issue on my side or some regression/bug in v8.

Regards,
Bogdan

[Sathya Gunasekaran]

Thanks for the report. Fix out for review: https://chromium-review.googlesource.com/c/v8/v8/+/932968

--
--
v8-users mailing list
v8-u...@googlegroups.com
http://groups.google.com/group/v8-users
---
You received this message because you are subscribed to the Google Groups "v8-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to v8-users+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Bogdan Padalko]

Thanks! The issue is fixed.

To unsubscribe from this group and stop receiving emails from it, send an email to v8-users+u...@googlegroups.com.