dereference out of range vector iterator in v8::internal::compiler::JSHeapBroker::ProcessFeedbackMapsForElementAccess

jmr

Jun 24, 2025, 5:45:00 PMJun 24
to v8-users
Hi,

I'm embedding a statically linked V8 into my MSVC DLL, which is then loaded as a plugin in another application.
While running under debug mode I noticed the following assertion failure:

C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.43.34808\include\vector(280) : Assertion failed: can't dereference out of range vector iterator

coming from:
```
...

   3 # `DllMain'::`5'::<lambda_1>::operator() at dllmain.cpp:598 (app+0x371a7cd)
   4 # `DllMain'::`5'::<lambda_1>::<lambda_invoker_cdecl> at dllmain.cpp:614 (app+0x371a668)
   5 # _VCrtDbgReportA at dbgrptt.cpp:391 (app+0x361df8f)
   6 # _CrtDbgReport at dbgrpt.cpp:263 (app+0x35ee779)
   7 # std::_Vector_iterator<std::_Vector_val<std::_Simple_types<std::pair<int,v8::internal::Tagged<v8::internal::HeapObject> > > > >::operator-> in app+0x92054c
   8 # v8::MemorySpan<v8::internal::Handle<v8::internal::Map> >::to_address<std::_Vector_iterator<std::_Vector_val<std::_Simple_types<v8::internal::Handle<v8::internal::Map> > > >,void> in app+0x10e5643
   9 # v8::MemorySpan<v8::internal::Handle<v8::internal::Map> >::MemorySpan<v8::internal::Handle<v8::internal::Map> ><std::_Vector_iterator<std::_Vector_val<std::_Simple_types<v8::internal::Handle<v8::internal::Map> > > >,1> in app+0x10e50c4
  10 # v8::internal::compiler::JSHeapBroker::ProcessFeedbackMapsForElementAccess in app+0x251e77a
  11 # v8::internal::compiler::JSHeapBroker::ReadFeedbackForPropertyAccess in app+0x2520011
  12 # v8::internal::compiler::JSHeapBroker::GetFeedbackForPropertyAccess in app+0x251af78
  13 # v8::internal::maglev::MaglevGraphBuilder::VisitStaInArrayLiteral in app+0x2862834
  14 # v8::internal::maglev::MaglevGraphBuilder::VisitSingleBytecode in app+0x2343e8f
  15 # v8::internal::maglev::MaglevGraphBuilder::BuildBody in app+0x230b567
  16 # v8::internal::maglev::MaglevGraphBuilder::Build in app+0x230b385
  17 # v8::internal::maglev::MaglevCompiler::Compile in app+0x230bd91
  18 # v8::internal::maglev::MaglevCompilationJob::ExecuteJobImpl in app+0xfe89b8
  19 # v8::internal::OptimizedCompilationJob::ExecuteJob in app+0xb0583b
  20 # v8::internal::maglev::MaglevConcurrentDispatcher::JobTask::Run in app+0xfe9c23
  21 # v8::platform::DefaultJobWorker::Run in app+0xd2a949
  22 # v8::platform::DefaultWorkerThreadsTaskRunner::WorkerThread::Run in app+0xd2b1c2
  23 # v8::base::Thread::NotifyStartedAndRun in app+0x681104
  24 # v8::base::OS::StrNCpy in app+0x681e4d
  25 # thread_start<unsigned int (__cdecl*)(void *),1> at thread.cpp:97 (app+0x3622e45)
  26 # BaseThreadInitThunk in KERNEL32+0x17374
  27 # RtlUserThreadStart in ntdll+0x4cc91
```

Sadly none of this looks like my code, hence I'm lost as to why this is happening.

The reason I'm running a debug build is trying to find a heap corruption that has been happening, potentially somewhere in my code, and I wonder if this could be related.

My application has an isolate per thread; I'm not using lockers (as in theory each isolate is single-threaded), and any time data flows between threads it's done via ValueSerializer.

Sadly this is version 12.9.202, as that is the last version that supports MSVC.

Any advice as to what I'm doing wrong would be helpful, or how to approach debugging this.

Sadly the debugging situation is dire: the application that I'm loading my plugin in cannot be debugged due to protections, and I'm mostly constrained to printf and the various hooks that the CRT provides.

Thanks,
Audrius.

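Frames 7 to 9 of the trace above show `MemorySpan::to_address` calling `operator->` on a `std::vector` iterator, and the CRT report is MSVC's checked-iterator assertion, not a heap check. Assuming the span was built from an empty vector (so `begin()` is already `end()`), the following stand-alone example, added here and not taken from V8 or from the poster's code, reproduces that pattern in plain C++ and shows the portable forms that never trip the check.

```cpp
#include <cstddef>
#include <vector>

// Minimal span-like view standing in for a pointer-plus-length API
// (constructed for this example; not V8's MemorySpan).
struct IntSpan {
    const int* data;
    std::size_t size;
};

// The pattern visible in the trace: the begin() iterator is turned into a raw
// pointer through operator->(). Fine for a non-empty vector. For an empty
// vector begin() == end(), and calling operator->() on an end iterator is
// undefined behaviour; MSVC's checked iterators (debug builds,
// _ITERATOR_DEBUG_LEVEL 2) report it as "can't dereference out of range
// vector iterator" before any memory is touched. Other standard libraries
// silently return the (unusable) end pointer, so the bug is build-specific.
IntSpan span_from_iterator(const std::vector<int>& v) {
    return IntSpan{v.begin().operator->(), v.size()};
}

// Portable alternative: vector::data() is well defined for an empty vector
// and never triggers the iterator check.
IntSpan span_from_data(const std::vector<int>& v) {
    return IntSpan{v.data(), v.size()};
}

// Guard a caller can apply when an iterator-taking constructor is the only
// option: hand over an explicit empty span instead of an end iterator.
IntSpan span_checked(const std::vector<int>& v) {
    if (v.empty()) return IntSpan{nullptr, 0};
    return IntSpan{v.begin().operator->(), v.size()};
}

// Sums a span; used to show the safe views expose the same elements.
long sum_span(IntSpan s) {
    long total = 0;
    for (std::size_t i = 0; i < s.size; ++i) total += s.data[i];
    return total;
}
```

Built with MSVC in debug mode, `span_from_iterator` on an empty vector raises exactly the report quoted above; the release build and the two other functions do not, which is why a debug-only assertion with no application frames on the stack is worth separating from the heap-corruption hunt.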
jmr

Jun 24, 2025, 6:02:10 PMJun 24
to v8-users
Stack trace of another thread that might be the culprit below.

The way the code works is I have a few files, all of which have a native method to include, which can include other files into the global scope.

a.js:
include('b.js')

b.js:
include('c.js')

So you can see the nested v8::Script::Run calls: as we include a.js, we execute the script, which triggers a native call to include, which compiles another file, b.js, and goes into Script::Run for that file, etc.

Stacktrace:

   0 # NtWaitForAlertByThreadId in ntdll+0xa0f24
   1 # RtlAcquireSRWLockExclusive in ntdll+0x29205
   2 # v8::base::SharedMutex::LockExclusive in app+0x67c96f
   3 # `v8::internal::ParkedSharedMutexGuardIf<1,0>::ParkedSharedMutexGuardIf<1,0>'::`25'::<lambda_2>::operator() in app+0xf89b29
   4 # v8::internal::LocalHeap::ParkAndExecuteCallback<`v8::internal::ParkedSharedMutexGuardIf<1,0>::ParkedSharedMutexGuardIf<1,0>'::`25'::<lambda_2> > in app+0xf88858
   5 # `v8::internal::LocalHeap::ExecuteWhileParked<`v8::internal::ParkedSharedMutexGuardIf<1,0>::ParkedSharedMutexGuardIf<1,0>'::`25'::<lambda_2> >'::`2'::<lambda_1>::operator() in app+0xf897d9
   6 # heap::base::Stack::SetMarkerAndCallbackImpl<`v8::internal::LocalHeap::ExecuteWhileParked<`v8::internal::ParkedSharedMutexGuardIf<1,0>::ParkedSharedMutexGuardIf<1,0>'::`25'::<lambda_2> >'::`2'::<lambda_1> > in app+0xf88a2b
   7 # PushAllRegistersAndIterateStack in app+0x104eb4d
   8 # heap::base::Stack::TrampolineCallbackHelper in app+0x8dc837
   9 # heap::base::Stack::SetMarkerAndCallback<`v8::internal::LocalHeap::ExecuteWhileParked<`v8::internal::ParkedSharedMutexGuardIf<1,0>::ParkedSharedMutexGuardIf<1,0>'::`25'::<lambda_2> >'::`2'::<lambda_1> > in app+0xf88964
  10 # v8::internal::LocalHeap::ExecuteWithStackMarker<`v8::internal::LocalHeap::ExecuteWhileParked<`v8::internal::ParkedSharedMutexGuardIf<1,0>::ParkedSharedMutexGuardIf<1,0>'::`25'::<lambda_2> >'::`2'::<lambda_1> > in app+0xf87e8e
  11 # v8::internal::LocalHeap::ExecuteWhileParked<`v8::internal::ParkedSharedMutexGuardIf<1,0>::ParkedSharedMutexGuardIf<1,0>'::`25'::<lambda_2> > in app+0xf87ce5
  12 # v8::internal::ParkedSharedMutexGuardIf<0,0>::ParkedSharedMutexGuardIf<0,0> in app+0xf8926d
  13 # v8::internal::ParkedSharedMutexGuardIf<0,0>::ParkedSharedMutexGuardIf<0,0> in app+0xf892ba
  14 # v8::internal::MapUpdater::ReconfigureToDataField in app+0xf93add
  15 # v8::internal::Map::Update in app+0x8f85c7
  16 # v8::internal::Map::TransitionToDataProperty in app+0x8f6020
  17 # v8::internal::LookupIterator::PrepareTransitionToDataProperty in app+0xabcf05
  18 # v8::internal::StoreIC::LookupForWrite in app+0x1e2c091
  19 # v8::internal::StoreIC::UpdateCaches in app+0x1e3889d
  20 # v8::internal::StoreIC::Store in app+0x1e34ca2
  21 # v8::internal::MaybeObjectHandle::Weak in app+0x1e44cce
  22 # v8::internal::Runtime_StoreIC_Miss in app+0x1e2edb4
  23 # Builtins_CEntry_Return1_ArgvOnStack_NoBuiltinExit in app+0x1684185
<many jit frames>
  45 # Builtins_InterpreterPushArgsThenFastConstructFunction in app+0x12a87b0
  46 # Builtins_InterpreterPushArgsThenFastConstructFunction in app+0x12a87b0
  47 # Builtins_ConstructHandler in app+0x1c8238d
  48 # Builtins_InterpreterEntryTrampoline in app+0x12a7825
  49 # Builtins_InterpreterEntryTrampoline in app+0x12a7825
  50 # Builtins_InterpreterEntryTrampoline in app+0x12a7825
  51 # Builtins_JSEntryTrampoline in app+0x129e860
  52 # Builtins_JSEntry in app+0x129e3b7
  53 # v8::internal::GeneratedCode<unsigned __int64,unsigned __int64,unsigned __int64,unsigned __int64,unsigned __int64,__int64,unsigned __int64 * __ptr64 * __ptr64>::Call in app+0x68dff5
  54 # v8::internal::Isolate::IncrementJavascriptExecutionCounter in app+0x68f8fc
  55 # v8::internal::Execution::CallScript in app+0x68e4de
  56 # v8::Script::Run in app+0x655458
  57 # v8::Script::Run in app+0x655056
  58 # Script::include at Script.cpp:566 (app+0x378392b)
  59 # include_file at JSCore.cpp:225 (app+0x373b03b)
  60 # func_caller at js32.cpp:136 (app+0x3734f8a)
  61 # Builtins_CallApiCallbackGeneric in app+0x12ab99b
<many jit frames>
 101 # Builtins_InterpreterEntryTrampoline in app+0x12a7825
 102 # Builtins_InterpreterEntryTrampoline in app+0x12a7825
 103 # Builtins_InterpreterEntryTrampoline in app+0x12a7825
 104 # Builtins_JSEntryTrampoline in app+0x129e860
 105 # Builtins_JSEntry in app+0x129e3b7
 106 # v8::internal::GeneratedCode<unsigned __int64,unsigned __int64,unsigned __int64,unsigned __int64,unsigned __int64,__int64,unsigned __int64 * __ptr64 * __ptr64>::Call in app+0x68dff5
 107 # v8::internal::Isolate::IncrementJavascriptExecutionCounter in app+0x68f8fc
 108 # v8::internal::Execution::CallScript in app+0x68e4de
 109 # v8::Script::Run in app+0x655458
 110 # v8::Script::Run in app+0x655056
 111 # Script::include at Script.cpp:566 (app+0x378392b)
 112 # include_file at JSCore.cpp:225 (app+0x373b03b)
 113 # func_caller at js32.cpp:136 (app+0x3734f8a)
 114 # Builtins_CallApiCallbackGeneric in app+0x12ab99b
<many jit frames>
 154 # Builtins_InterpreterEntryTrampoline in app+0x12a7825
 155 # Builtins_InterpreterEntryTrampoline in app+0x12a7825
 156 # Builtins_JSEntryTrampoline in app+0x129e860
 157 # Builtins_JSEntry in app+0x129e3b7
 158 # v8::internal::GeneratedCode<unsigned __int64,unsigned __int64,unsigned __int64,unsigned __int64,unsigned __int64,__int64,unsigned __int64 * __ptr64 * __ptr64>::Call in app+0x68dff5
 159 # v8::internal::Isolate::IncrementJavascriptExecutionCounter in app+0x68f8fc
 160 # v8::internal::Execution::CallScript in app+0x68e4de
 161 # v8::Script::Run in app+0x655458
 162 # v8::Script::Run in app+0x655056
 163 # Script::include at Script.cpp:566 (app+0x378392b)
 164 # include_file at JSCore.cpp:225 (app+0x373b03b)
 165 # func_caller at js32.cpp:136 (app+0x3734f8a)
 166 # Builtins_CallApiCallbackGeneric in app+0x12ab99b
 167 # Builtins_InterpreterEntryTrampoline in app+0x12a7825
 168 # Builtins_JSEntryTrampoline in app+0x129e860
 169 # Builtins_JSEntry in app+0x129e3b7
 170 # v8::internal::GeneratedCode<unsigned __int64,unsigned __int64,unsigned __int64,unsigned __int64,unsigned __int64,__int64,unsigned __int64 * __ptr64 * __ptr64>::Call in app+0x68dff5
 171 # v8::internal::Isolate::IncrementJavascriptExecutionCounter in app+0x68f8fc
 172 # v8::internal::Execution::CallScript in app+0x68e4de
 173 # v8::Script::Run in app+0x655458
 174 # v8::Script::Run in app+0x655056
 175 # Script::run at Script.cpp:409 (app+0x378081f)
 176 # script_thread at Script.cpp:747 (app+0x378460d)
 177 # BaseThreadInitThunk in KERNEL32+0x17374
 178 # RtlUserThreadStart in ntdll+0x4cc91
