Issue 11560 in v8: Memory leak/crash with "invalid array length" when using generator function


khafr… via monorail

Mar 14, 2021, 1:46:56 AM
to v8-re...@googlegroups.com
Status: Untriaged
Owner: ----
Type: Bug

New issue 11560 by khafr...@gmail.com: Memory leak/crash with "invalid array length" when using generator function
https://bugs.chromium.org/p/v8/issues/detail?id=11560

Version: NodeJS v15.10.0/v15.11.0 (potentially lower), v8 8.6.395.17-node.27
OS: Windows 10 Home 19041.804
Architecture: x64

What steps will reproduce the problem?
1. Run this sample code with nodejs:

function* chunk(arr, step) {
for (let i = 0; i += step; i < arr.length)
yield arr.slice(i, i + step);
}

const arr = Array(6452);
const b = [...chunk(arr, 250)];

2. "invalid array length" issue

What is the expected output?
- if you log the value of b it should be undefined[][] (250 cells in each array except the last)

What do you see instead?

<--- Last few GCs --->

[10144:000002C2CD58F160] 37516 ms: Scavenge 3997.2 (4068.5) -> 3987.7 (4071.5) MB, 11.8 / 0.0 ms (average mu = 0.315, current mu = 0.178) allocation failure
[10144:000002C2CD58F160] 37535 ms: Scavenge 4000.2 (4071.5) -> 3990.6 (4074.5) MB, 12.0 / 0.0 ms (average mu = 0.315, current mu = 0.178) allocation failure
[10144:000002C2CD58F160] 37555 ms: Scavenge 4003.1 (4074.5) -> 3993.6 (4077.5) MB, 11.9 / 0.0 ms (average mu = 0.315, current mu = 0.178) allocation failure


<--- JS stacktrace --->

FATAL ERROR: invalid array length Allocation failed - JavaScript heap out of memory
1: 00007FF69D494BFF napi_wrap+159807
2: 00007FF69D428A36 v8::internal::MicrotaskQueue::GetMicrotasksScopeDepth+67174
3: 00007FF69D429936 node::OnFatalError+294
4: 00007FF69DD2CA3E v8::Isolate::ReportExternalAllocationLimitReached+94
5: 00007FF69DD1110D v8::SharedArrayBuffer::Externalize+781
6: 00007FF69DBAA14C v8::internal::Heap::EphemeronKeyWriteBarrierFromCode+1468
7: 00007FF69D8EE19C v8::internal::interpreter::JumpTableTargetOffsets::iterator::operator=+4348
8: 00007FF69DDB3D4D v8::internal::SetupIsolateDelegate::SetupHeap+456749
9: 00007FF69DD8AA02 v8::internal::SetupIsolateDelegate::SetupHeap+287970
10: 00007FF69DE42E41 v8::internal::SetupIsolateDelegate::SetupHeap+1042721
11: 00007FF69DD4C6B2 v8::internal::SetupIsolateDelegate::SetupHeap+33170
12: 00007FF69DD7AE9F v8::internal::SetupIsolateDelegate::SetupHeap+223615
13: 00007FF69DD4A36E v8::internal::SetupIsolateDelegate::SetupHeap+24142
14: 00007FF69DD49F5C v8::internal::SetupIsolateDelegate::SetupHeap+23100
15: 00007FF69DC13BBD v8::internal::Execution::CallWasm+1645
16: 00007FF69DC13D8B v8::internal::Execution::CallWasm+2107
17: 00007FF69DC14765 v8::internal::Execution::TryCall+213
18: 00007FF69D9CA065 v8::internal::SerializeStackTraceFrame+10437
19: 00007FF69D9CBE16 v8::internal::SourceTextModule::GetImportMeta+2470
20: 00007FF69D9C99A6 v8::internal::SerializeStackTraceFrame+8710
21: 00007FF69DA04D13 v8::internal::JSPromise::status+1955
22: 00007FF69DD10073 v8::Module::Evaluate+611
23: 00007FF69D45E308 node::Stop+7512
24: 00007FF69DCD8ACF v8::internal::Builtins::builtin_handle+316399
25: 00007FF69DCD8054 v8::internal::Builtins::builtin_handle+313716
26: 00007FF69DCD8355 v8::internal::Builtins::builtin_handle+314485
27: 00007FF69DCD8193 v8::internal::Builtins::builtin_handle+314035
28: 00007FF69DDB3E2D v8::internal::SetupIsolateDelegate::SetupHeap+456973
29: 00007FF69DD4C6B2 v8::internal::SetupIsolateDelegate::SetupHeap+33170
30: 00007FF69DD78B2F v8::internal::SetupIsolateDelegate::SetupHeap+214543
31: 00007FF69DE003DE v8::internal::SetupIsolateDelegate::SetupHeap+769726
32: 00007FF69DD6B94F v8::internal::SetupIsolateDelegate::SetupHeap+160815
33: 00007FF69DD4A25C v8::internal::SetupIsolateDelegate::SetupHeap+23868
34: 00007FF69DC13C7C v8::internal::Execution::CallWasm+1836
35: 00007FF69DC13D8B v8::internal::Execution::CallWasm+2107
36: 00007FF69DC1480A v8::internal::Execution::TryCall+378
37: 00007FF69DBEF5B5 v8::internal::MicrotaskQueue::RunMicrotasks+501
38: 00007FF69DBEF310 v8::internal::MicrotaskQueue::PerformCheckpoint+32
39: 00007FF69D4BBF04 node::CallbackScope::~CallbackScope+692
40: 00007FF69D4BBCBE node::CallbackScope::~CallbackScope+110
41: 00007FF69D411567 v8::base::CPU::has_sse+28375
42: 00007FF69D4F0267 uv_timer_stop+775
43: 00007FF69D4ECA6B uv_async_send+331
44: 00007FF69D4EC1FC uv_loop_init+1292
45: 00007FF69D4EC39A uv_run+202
46: 00007FF69D4BB6C4 node::SpinEventLoop+308
47: 00007FF69D3E34B7 EVP_CIPHER_CTX_buf_noconst+51927
48: 00007FF69D45BB9B node::Start+283
49: 00007FF69D28832C RC4_options+346668
50: 00007FF69E2C683C v8::internal::compiler::RepresentationChanger::Uint32OverflowOperatorFor+153276
51: 00007FFB8FD17034 BaseThreadInitThunk+20
52: 00007FFB90D5D241 RtlUserThreadStart+33


Please use labels and text to provide additional information.
- The array length came from a real use case
- somewhat similar? https://bugs.chromium.org/p/v8/issues/detail?id=10031


v… via monorail

Mar 22, 2021, 5:17:08 AM
to v8-re...@googlegroups.com
Updates:
Components: Runtime GC

Comment #1 on issue 11560 by va...@chromium.org: Memory leak/crash with "invalid array length" when using generator function
https://bugs.chromium.org/p/v8/issues/detail?id=11560#c1

(No comment was entered for this change.)

ecmzi… via monorail

Apr 1, 2021, 11:05:34 AM
to v8-re...@googlegroups.com
Updates:
Cc: dinf...@chromium.org
Labels: Priority-2

Comment #2 on issue 11560 by ecmzi...@chromium.org: Memory leak/crash with "invalid array length" when using generator function
https://bugs.chromium.org/p/v8/issues/detail?id=11560#c2

Also adding the owner of the mentioned bug to check if there is indeed a similarity.

dinfu… via monorail

Apr 1, 2021, 11:30:32 AM
to v8-re...@googlegroups.com

Comment #3 on issue 11560 by dinf...@chromium.org: Memory leak/crash with "invalid array length" when using generator function
https://bugs.chromium.org/p/v8/issues/detail?id=11560#c3

It doesn't look related to the mentioned bug. It seems the condition in the for-loop in the example above is wrong.

khafr… via monorail

Apr 1, 2021, 7:18:30 PM
to v8-re...@googlegroups.com

Comment #4 on issue 11560 by khafr...@gmail.com: Memory leak/crash with "invalid array length" when using generator function
https://bugs.chromium.org/p/v8/issues/detail?id=11560#c4

The issue is the spread syntax on an infinite iterator, as mentioned above an issue with the condition (it was very late when I wrote that. :/)
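Added example, not code from the issue thread or from V8/Node: the reporter's generator with the swapped for-loop clauses placed beside a corrected version, plus a bounded take() that makes it possible to inspect what the faulty generator produces without spreading an unbounded iterator into an array and exhausting the heap. The names chunkBuggy, chunkFixed, take and probe are this example's own, as is the step validation in chunkFixed.

```javascript
// As posted in the issue: `i += step` sits in the *condition* slot (always
// truthy once i > 0) and `i < arr.length` sits in the *update* slot (a
// comparison with no effect), so the loop never terminates. It also skips
// elements 0..step-1, because the increment runs before the first body.
// Once i >= arr.length every yield is an empty array, forever.
function* chunkBuggy(arr, step) {
  for (let i = 0; i += step; i < arr.length)
    yield arr.slice(i, i + step);
}

// Corrected: condition and update in their proper positions. The step check
// is an addition of this example; a step of 0 would loop forever here too.
function* chunkFixed(arr, step) {
  if (!Number.isInteger(step) || step <= 0) {
    throw new RangeError('step must be a positive integer');
  }
  for (let i = 0; i < arr.length; i += step)
    yield arr.slice(i, i + step);
}

// Pull at most `limit` items from any iterable. Unlike `[...iterable]`, this
// cannot grow without bound, so it is a safe way to consume an iterator whose
// termination you do not control. Leaving the loop via `break` calls the
// generator's return(), so no suspended generator is left behind.
function take(iterable, limit) {
  const out = [];
  for (const item of iterable) {
    if (out.length >= limit) break;
    out.push(item);
  }
  return out;
}

// Summarise what a chunking generator yields for an array of `len` elements
// (sparse, as in the report: Array(6452)), capped at `limit` chunks.
function probe(gen, len, step, limit) {
  const chunks = take(gen(Array(len), step), limit);
  return {
    count: chunks.length,
    firstLen: chunks.length ? chunks[0].length : 0,
    lastLen: chunks.length ? chunks[chunks.length - 1].length : 0,
    hitLimit: chunks.length >= limit,   // true means the generator did not stop
  };
}

// With the report's sizes (6452 elements, step 250):
//   probe(chunkFixed, 6452, 250, 100) -> 26 chunks, last one 202 long
//   probe(chunkBuggy, 6452, 250, 100) -> hits the cap, trailing chunks empty
```

For the fixed generator the probe reports 26 chunks of 250 with a final chunk of 202, which is the "250 cells in each array except the last" the reporter expected. For the posted generator the probe stops only because of the cap, and every chunk past the array's end is empty: that is the stream the spread operator was trying to materialise before the allocator gave up.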

dinfu… via monorail

Apr 3, 2021, 7:51:07 AM
to v8-re...@googlegroups.com
Updates:
Status: WontFix

Comment #5 on issue 11560 by dinf...@chromium.org: Memory leak/crash with "invalid array length" when using generator function
https://bugs.chromium.org/p/v8/issues/detail?id=11560#c5

Thanks for taking a look! I will close the bug for now, feel free to re-open the issue if you still think there is an issue.