Profiler: Application crash in HandleProfilerSignal

[Mihail Slavchev]

Hi guys,

NativeScript developer here. We embed V8 (4.5.103) in android apps and I am trying to diagnose an app crash (SIGILL) when the CPU profiler is enabled. It happens on ARM architecture, both on devices and emulators, and as far as I observed it happens only in stacks with mixed JavaScript, C++ and Java frames. Most often the crash happens in v8::internal::SignalHandler::HandleProfilerSignal but I saw it also to happen a few times in stack unwinding methods. I am not able to reproduce the crash on x86, both on devices and emulators.

I realize it is quite a corner case and I am looking for ways to collect more information so I can diagnose the crash better. Using debug build doesn't give me more information. Are there any build flags or other means so I can collect more data? Any ideas are appreciated.

TIA,

Mihail

[Jochen Eisinger]

Hi!

can you provide some stack traces, or at least some info on where it actually crashes?

best

-jochen

--
--
v8-users mailing list
v8-u...@googlegroups.com
http://groups.google.com/group/v8-users
---
You received this message because you are subscribed to the Google Groups "v8-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to v8-users+u...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Mihail Slavchev]

Hi Jochen,

Thank you for the quick response. When I run the app under GDB (V8 is built in debug) I get the following stack:

Thread [1] 14835 [core: 1] (Suspended : Signal : SIGSEGV:Segmentation fault)

0x0

v8::internal::SamplingCircularQueue<v8::internal::TickSampleEventRecord, 992u>::FinishEnqueue() at circular-queue-inl.h:55 0xa405ac14

I think the GDB gets confused and doesn't show all frames. Nevertheless, here is the offending code fragment:

template<typename T, unsigned L>

void SamplingCircularQueue<T, L>::FinishEnqueue() {

  base::Release_Store(&enqueue_pos_->marker, kFull);

  enqueue_pos_ = Next(enqueue_pos_); // <== this is line 55 in circular-queue-inl.h

}

template<typename T, unsigned L>

typename SamplingCircularQueue<T, L>::Entry* SamplingCircularQueue<T, L>::Next(

    Entry* entry) {

  Entry* next = entry + 1;

  if (next == &buffer_[L]) return buffer_;

  return next;

}

I tried to examine "this" in the context and I get the following error message:

buffer_ v8::internal::SamplingCircularQueue<v8::internal::TickSampleEventRecord, 992u>::Entry [992] Error: Multiple errors reported.\ Failed to execute MI command: -var-create - * &(((this)->buffer_)) Error message from debugger back end: Cannot access memory at address 0x13\ Failed to execute MI command: -data-evaluate-expression ((this)->buffer_) Error message from debugger back end: Cannot access memory at address 0x13\ Failed to execute MI command: -var-create - * &(((this)->buffer_)) Error message from debugger back end: Cannot access memory at address 0x13\ Unable to create variable object

Seems like the stack is corrupted. I will give another try tomorrow. Also, if needed I can provide a small repro.

[Mihail Slavchev]

A quick update:

I managed to get bigger call stack on Android 4.4.2 device (the previous one was Android 5.1.1). Here is the stack

Thread [1] 29168 [core: 0] (Suspended : Signal : SIGILL:Illegal instruction)

v8::base::OS::Abort() at platform-posix.cc:228 0x617ac930

V8_Fatal() at logging.cc:116 0x617a820c

v8::internal::SafeStackFrameIterator::Advance() at frames.cc:346 0x610af4d8

v8::internal::SafeStackFrameIterator::SafeStackFrameIterator() at frames.cc:242 0x610aed30

v8::internal::TickSample::Init() at sampler.cc:613 0x613f9424

v8::internal::Sampler::SampleStack() at sampler.cc:717 0x613f9a64

v8::internal::SignalHandler::HandleProfilerSignal() at sampler.cc:488 0x613f8c08

0x400218a8

On Tuesday, December 1, 2015 at 10:32:06 AM UTC+2, Jochen Eisinger wrote:

[Jochen Eisinger]

The V8_Fatal implies that you hit one of the stack frames. I guess the fix added in https://codereview.chromium.org/19775017 was either incomplete or got broken meanwhile.

If you could provide a repro case, that would be great!

best

-jochen

[Alexei Filippov]

Hi Mihail,

The first crash indeed seems to be a corrupt stack, FinishEnqueue doesn't make any calls that could potentially land at 0x0.

The crash at SafeStackFrameIterator::Advance looks like a real one. The repro case would really help.

Thanks,

Alex

[Mihail Slavchev]

You can find a crashing APK at https://github.com/slavchev/android-runtime/tree/cpu-profiler-crash/testapk

To produce this APK I took some time and configured the project to use V8 libraries built in debug mode. You can find the project at https://github.com/slavchev/android-runtime/tree/cpu-profiler-crash

NOTE: because I compiled V8 libraries in debug mode the produced files are HUGE. For example libv8_base.a for ARM is 690MB and the one for x86 is 638MB.

On Tuesday, December 1, 2015 at 10:32:06 AM UTC+2, Jochen Eisinger wrote:

[Jim Acquavella]

I'm seeing this same problem when I start cpu profiling.  In my case, StackFrameIteratorBase::SingletonFor is calling executing this line with a type of 0x21000000.

  StackFrame* result = SingletonFor(type);

SingletonFor returns NULL and DCHECK fails.

[Jim Acquavella]

Also, I can provide a binary with instructions on how to reproduce the problem.  I'm using v8 version 4.5.35.

[Jane Chen]

I am seeing a SIGILL crash too with my embedding app during profiling.  Here's the stack:

Thread [134] (Suspended: Signal 'SIGILL' received. Description: Illegal instruction.)   
    40 v8::base::OS::Abort() /space/projects/v8-git/v8/src/base/platform/platform-posix.cc:229 0x00007ffff64bcd11   
    39 V8_Fatal() /space/projects/v8-git/v8/src/base/logging.cc:116 0x00007ffff64b7901   
    38 v8::internal::SafeStackFrameIterator::Advance() /space/projects/v8-git/v8/src/frames.cc:343 0x00007ffff5f29c39   
    37 v8::internal::SafeStackFrameIterator::SafeStackFrameIterator() /space/projects/v8-git/v8/src/frames.cc:239 0x00007ffff5f29705   
    36 v8::internal::TickSample::Init() /space/projects/v8-git/v8/src/sampler.cc:691 0x00007ffff631138b   
    35 v8::internal::Sampler::SampleStack() /space/projects/v8-git/v8/src/sampler.cc:796 0x00007ffff631114f   
    34 v8::internal::SignalHandler::HandleProfilerSignal() /space/projects/v8-git/v8/src/sampler.cc:562 0x00007ffff631109b   
    33 <signal handler called>()  0x000000311ca0f6d0   
    32 svc::Handle<xdmp::StaticEnv>::Handle() /space/projects/v8upgrade/src/services/Handle.h:143 0x00000000025a3ef4   
    31 xdmp::ItemType::ItemType() /space/projects/v8upgrade/src/XQuery.cpp:20447 0x000000000265bb99   
    30 xdmp::ItemDatatype::ItemDatatype() /space/projects/v8upgrade/src/XQuery.cpp:20686 0x000000000265c43b   
    29 xdmp::constructType() /space/projects/v8upgrade/src/JSEngine.cpp:2824 0x00000000034771ad   
    28 v8::internal::FunctionCallbackArguments::Call() /space/projects/v8-git/v8/src/arguments.cc:33 0x00007ffff5bd3b6c   
    27 v8::internal::HandleApiCallHelper<true>() /space/projects/v8-git/v8/src/builtins.cc:1576 0x00007ffff5c349fa   
    26 v8::internal::Builtin_Impl_HandleApiCallConstruct() /space/projects/v8-git/v8/src/builtins.cc:1609 0x00007ffff5c343a9   
    25 v8::internal::Builtin_HandleApiCallConstruct() /space/projects/v8-git/v8/src/builtins.cc:1605 0x00007ffff5c21820   
    24 <symbol is not available> 0x0000380e93a08b3b   
    23 <symbol is not available> 0x00007ffff05fed00   
    22 <symbol is not available> 0x0000380e93a08a81   
    21 <symbol is not available> 0x00007ffff05fece0   
    20 <symbol is not available> 0x00007ffff05fed58   
    19 <symbol is not available> 0x0000380e93a33ca4   
    18 <symbol is not available> 0x00002c9f540abaf1   
    17 <symbol is not available> 0x0000133cbc037991   
    16 <symbol is not available> 0x0000133cbc0379b9   
    15 <symbol is not available> 0x0000133cbc0379b9   
    14 <symbol is not available> 0x00002c9f540abaf1   
    13 <symbol is not available> 0x0000000100000000   
    12 <symbol is not available> 0x00002955b9704189   
    11 <symbol is not available> 0x0000380e93a33b21   
    10 <symbol is not available> 0x0000000900000000   
    9 <symbol is not available> 0x00002c9f540d7361   
    8 <symbol is not available> 0x00007ffff05fed98   
    7 <symbol is not available> 0x0000380e93a33ecc   
    6 <symbol is not available> 0x0000133cbc037991   
    5 <symbol is not available> 0x0000133cbc01ea49   
    4 <symbol is not available> 0x00002c9f540abaf1   
    3 <symbol is not available> 0x0000380e93a33de1   
    2 <symbol is not available> 0x0000000800000000   
    1 <symbol is not available> 0x0000000000000000   

Same code runs fine without profiling.  v8 version is 4.7.0.  Now trying against 3.24.

[Jane Chen]

3.24 crashes too.  Same JavaScript query, but different stack:

==== C stack trace ===============================

 1: V8_Fatal
 2: v8::internal::SafeStackFrameIterator::Advance()
 3: v8::internal::SafeStackFrameIterator::SafeStackFrameIterator(v8::internal::Isolate*, unsigned char*, unsigned char*, unsigned char*)
 4: v8::internal::TickSample::Init(v8::internal::Isolate*, v8::internal::RegisterState const&)
 5: v8::internal::Sampler::SampleStack(v8::internal::RegisterState const&)
 6: v8::internal::SignalHandler::HandleProfilerSignal(int, siginfo*, void*)
 7: ??
 8: v8::internal::CStrVector(char const*)
 9: v8::internal::Factory::InternalizeUtf8String(char const*)
10: ??
11: v8::Value::Equals(v8::Handle<v8::Value>) const
12: CheckEqualsHelper(char const*, int, char const*, v8::Handle<v8::Value>, char const*, v8::Handle<v8::Value>)
13: v8::Object::SetInternalField(int, v8::Handle<v8::Value>)
14: ??
15: v8::internal::FunctionCallbackArguments::Call(void (*)(v8::FunctionCallbackInfo<v8::Value> const&))

[Jane Chen]

This seems only a problem with debug build.  Optimized build works fine.

[Jim Acquavella]

Both my debug and optimized builds are crashing while advancing the SafeStackFrameIterator (via SafeStackFrameIterator::Advance()).  

You received this message because you are subscribed to a topic in the Google Groups "v8-users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/v8-users/z8Fz3lsm8iE/unsubscribe.
To unsubscribe from this group and all its topics, send an email to v8-users+u...@googlegroups.com.

[Jim Acquavella]

Any help would be greatly appreciated.  Has anyone from google been able to confirm the problem?  Is it working for others?

[Jim Acquavella]

I just confirmed this happens in my app with the same version as the shipping Chrome, 4.7.80.25.  Not why this is happening for me and not seen by others.  Here's the latest stack crawl:

> v8.dll!v8::base::OS::Abort() Line 825 C++

  v8.dll!V8_Fatal(const char * file, int line, const char * format, ...) Line 117 C++

  v8.dll!v8::internal::StackFrameIteratorBase::SingletonFor(v8::internal::StackFrame::Type type, v8::internal::StackFrame::State * state) Line 115 C++

  v8.dll!v8::internal::SafeStackFrameIterator::AdvanceOneFrame() Line 274 C++

  v8.dll!v8::internal::SafeStackFrameIterator::Advance() Line 327 C++

  v8.dll!v8::internal::SafeStackFrameIterator::SafeStackFrameIterator(v8::internal::Isolate * isolate, unsigned char * fp, unsigned char * sp, unsigned char * js_entry_sp) Line 242 C++

  v8.dll!v8::internal::TickSample::Init(v8::internal::Isolate * isolate, const v8::RegisterState & regs, v8::internal::TickSample::RecordCEntryFrame record_c_entry_frame) Line 695 C++

  v8.dll!v8::internal::Sampler::SampleStack(const v8::RegisterState & state) Line 800 C++

  v8.dll!v8::internal::Sampler::DoSample() Line 854 C++

  v8.dll!v8::internal::ProfilerEventsProcessor::Run() Line 154 C++

  v8.dll!v8::base::Thread::NotifyStartedAndRun() Line 468 C++

  v8.dll!v8::base::ThreadEntry(void * arg) Line 1304 C++

  [External Code]

[Jim Acquavella]

 I've filed this as a bug:  https://bugs.chromium.org/p/v8/issues/detail?id=4705&can=2&q=4705&colspec=ID%20Type%20Status%20Priority%20Owner%20Summary%20HW%20OS%20Component%20Stars

 

-Jim

 

[Jochen Eisinger]

A fix was landed here: https://chromium.googlesource.com/v8/v8.git/+/d11b44ec69c718a9b3b11872e7638c5675abd02c does that resolve your issue?

On Mon, Jan 25, 2016 at 10:47 PM Jim Acquavella <loude...@gmail.com> wrote:

 I've filed this as a bug:  https://bugs.chromium.org/p/v8/issues/detail?id=4705&can=2&q=4705&colspec=ID%20Type%20Status%20Priority%20Owner%20Summary%20HW%20OS%20Component%20Stars

 

-Jim

 

--

[Jim Acquavella]

Added a comment to the bug.  It allows me to profile for 2 seconds, but then crashes:

> v8.dll!v8::internal::StandardFrame::IsArgumentsAdaptorFrame(unsigned char * fp) Line 142 C++

  v8.dll!v8::internal::StackFrame::ComputeType(const v8::internal::StackFrameIteratorBase * iterator, v8::internal::StackFrame::State * state) Line 419 C++

  v8.dll!v8::internal::StackFrame::GetCallerState(v8::internal::StackFrame::State * state) Line 452 C++

  v8.dll!v8::internal::SafeStackFrameIterator::IsValidCaller(v8::internal::StackFrame * frame) Line 319 C++

  v8.dll!v8::internal::SafeStackFrameIterator::AdvanceOneFrame() Line 271 C++

  v8.dll!v8::internal::SafeStackFrameIterator::Advance() Line 339 C++

  v8.dll!v8::internal::TickSample::GetStackSample(v8::internal::Isolate * isolate, const v8::RegisterState & regs, v8::internal::TickSample::RecordCEntryFrame record_c_entry_frame, void * * frames, unsigned __int64 frames_limit, v8::SampleInfo * sample_info) Line 644 C++

  v8.dll!v8::internal::TickSample::Init(v8::internal::Isolate * isolate, const v8::RegisterState & regs, v8::internal::TickSample::RecordCEntryFrame record_c_entry_frame) Line 619 C++

  v8.dll!v8::internal::Sampler::SampleStack(const v8::RegisterState & state) Line 718 C++

  v8.dll!v8::internal::Sampler::DoSample() Line 772 C++

  v8.dll!v8::internal::ProfilerEventsProcessor::Run() Line 152 C++

  v8.dll!v8::base::Thread::NotifyStartedAndRun() Line 459 C++

  v8.dll!v8::base::ThreadEntry(void * arg) Line 1304 C++

  [External Code]

You received this message because you are subscribed to a topic in the Google Groups "v8-users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/v8-users/z8Fz3lsm8iE/unsubscribe.
To unsubscribe from this group and all its topics, send an email to v8-users+u...@googlegroups.com.