Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

V8_Fatal exception when running "jest" tests #13804

Closed
jgoz opened this issue Jun 19, 2017 · 10 comments
Closed

V8_Fatal exception when running "jest" tests #13804

jgoz opened this issue Jun 19, 2017 · 10 comments
Labels
v8 engine Issues and PRs related to the V8 dependency. vm Issues and PRs related to the vm subsystem.

Comments

@jgoz
Copy link

jgoz commented Jun 19, 2017

  • Version: v9.0.0-pre (d3c668c)
  • Platform: macos 10.12 (16.6.0 Darwin Kernel Version 16.6.0: Fri Apr 14 16:21:16 PDT 2017; root:xnu-3789.60.24~6/RELEASE_X86_64 x86_64 i386 MacBookPro13,3 Darwin)
  • Subsystem: v8, possibly vm

Repository for reproducing the error: /~https://github.com/jgoz/node-jest-failure

Command executed:

$ path/to/out/Debug/node ./node_modules/.bin/jest

When executing jest tests with node at d3c668c, a V8_Fatal exception is thrown before the tests can even begin. The following stack trace is produced:

#
# Fatal error in ../deps/v8/src/objects-inl.h, line 1955
# Check failed: has_named_interceptor().
#

==== C stack trace ===============================

    0   node                                0x0000000101c01c2e v8::base::debug::StackTrace::StackTrace() + 30
    1   node                                0x0000000101c01c65 v8::base::debug::StackTrace::StackTrace() + 21
    2   node                                0x0000000101a51627 v8::platform::(anonymous namespace)::PrintStackTrace() + 23
    3   node                                0x0000000101bfbdfd V8_Fatal + 445
    4   node                                0x00000001011c0a31 v8::internal::Map::GetNamedInterceptor() + 81
    5   node                                0x00000001011abfad v8::internal::JSObject::GetNamedInterceptor() + 29
    6   node                                0x00000001011be0dc v8::internal::__RT_impl_Runtime_LoadPropertyWithInterceptor(v8::internal::Arguments, v8::internal::Isolate*) + 716
    7   node                                0x00000001011bdcb0 v8::internal::Runtime_LoadPropertyWithInterceptor(int, v8::internal::Object**, v8::internal::Isolate*) + 272
    8   ???                                 0x00002c5ab4184264 0x0 + 48768080167524
Received signal 4 <unknown> 000101c05971
[1]    31361 illegal hardware instruction  ../node/out/Debug/node ./node_modules/.bin/jest

Note that this error does not occur in 8.1.2, so the behaviour was a fairly recent change. Possibly a V8 update? It looks like V8 was upgraded from 5.8 to 5.9 between 8.1.2 and master.

Jest uses vm heavily internally, which is why I guessed that the issue was in that subsystem, but I'm not sure.

@mscdex mscdex added the v8 engine Issues and PRs related to the V8 dependency. label Jun 19, 2017
@mscdex
Copy link
Contributor

mscdex commented Jun 19, 2017

/cc @nodejs/v8

@bmeurer
Copy link
Member

bmeurer commented Jun 20, 2017

/cc @fhinkel

@targos
Copy link
Member

targos commented Jun 27, 2017

I have a similar issue with canary. Reported it here: https://bugs.chromium.org/p/v8/issues/detail?id=6490

@fhinkel fhinkel added the vm Issues and PRs related to the vm subsystem. label Jun 27, 2017
@fhinkel
Copy link
Member

fhinkel commented Jun 27, 2017

Load property with interceptor sounds like it's coming from the vm module. I can look into it, but probably won't get to it until later next week.

@targos
Copy link
Member

targos commented Jun 30, 2017

With V8 6.0 I have the same issue as canary:

$ node-v8-60/out/Debug/node run.js 

 RUNS  ./test.js


#
# Fatal error in ../deps/v8/src/ic/ic.cc, line 879
# Check failed: NameDictionary::kNotFound != number (-1 vs. -1).
#

==== C stack trace ===============================

    node-v8-60/out/Debug/node(v8::base::debug::StackTrace::StackTrace()+0x1d) [0x2a5c347]
    node-v8-60/out/Debug/node() [0x28f88d1]
    node-v8-60/out/Debug/node(V8_Fatal+0xff) [0x2a58f00]
    node-v8-60/out/Debug/node() [0x22b2bf8]
    node-v8-60/out/Debug/node(v8::internal::LoadIC::LoadFromPrototype(v8::internal::Handle<v8::internal::Map>, v8::internal::Handle<v8::internal::JSObject>, v8::internal::Handle<v8::internal::Name>, v8::internal::Handle<v8::internal::Smi>)+0x280) [0x22b2ef4]
    node-v8-60/out/Debug/node(v8::internal::LoadIC::GetMapIndependentHandler(v8::internal::LookupIterator*)+0x690) [0x22b457a]
    node-v8-60/out/Debug/node(v8::internal::IC::ComputeHandler(v8::internal::LookupIterator*)+0x31) [0x22b3c17]
    node-v8-60/out/Debug/node(v8::internal::LoadIC::UpdateCaches(v8::internal::LookupIterator*)+0x43b) [0x22b396d]
    node-v8-60/out/Debug/node(v8::internal::LoadIC::Load(v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Name>)+0x2c9) [0x22b1b97]
    node-v8-60/out/Debug/node(v8::internal::KeyedLoadIC::Load(v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>)+0x1c4) [0x22b69a2]
    node-v8-60/out/Debug/node() [0x22bcff0]
    node-v8-60/out/Debug/node(v8::internal::Runtime_KeyedLoadIC_Miss(int, v8::internal::Object**, v8::internal::Isolate*)+0x109) [0x22bce38]
    [0x3d25b804564]
Received signal 4 ILL_ILLOPN 000002a5ea4f
[1]    23456 illegal hardware instruction (core dumped)  node-v8-60/out/Debug/node run.js

Maybe we should focus on this one first, if we want to update to 6.0 soon.

@targos targos mentioned this issue Jun 30, 2017
8 tasks
@addaleax
Copy link
Member

This is also an issue with V8 5.9; I’ll try to spend a bit of time looking into it today.

@addaleax
Copy link
Member

git bisect says:

v8/v8@336d6e4 is the first bad commit

/cc @verwaest

@bmeurer
Copy link
Member

bmeurer commented Jun 30, 2017

@verwaest is OOO starting next week. /cc @isheludko

@targos
Copy link
Member

targos commented Jul 3, 2017

Here is a simplified test case:

require('vm').runInNewContext(`

const wrapperSymbol = 'test'; //Symbol("wrapper");
function wrapperForImpl(impl) {
  return impl ? impl[wrapperSymbol] : null;
};

function test(o) {
  for (var i = 0; i < 1e6; i++) {
    wrapperForImpl(o);
  }
}

test(this);

`);

@isheludko
Copy link
Contributor

Here's the fix: https://chromium.googlesource.com/v8/v8.git/+/6cb999b97b7953ebfd4aabf2e1f62bf405f21c69

addaleax pushed a commit to addaleax/node that referenced this issue Jul 14, 2017
Original commit message:

    Properly handle loads from global interceptor via prototype chain.

    ... when receiver is in dictionary mode.

    Bug: v8:6490
    Change-Id: Ic5a8d214adcc4efd4cb163cbc6b351c4e6b596af
    Reviewed-on: https://chromium-review.googlesource.com/559548
    Reviewed-by: Camillo Bruni <cbruni@chromium.org>
    Commit-Queue: Igor Sheludko <ishell@chromium.org>
    Cr-Commit-Position: refs/heads/master@{nodejs#46428}

Ref: https://chromium.googlesource.com/v8/v8.git/+/6cb999b97b7953ebfd4aabf2e1f62bf405f21c69
Fixes: nodejs#13804
PR-URL: nodejs#14188
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
addaleax pushed a commit that referenced this issue Jul 24, 2017
Original commit message:

    Properly handle loads from global interceptor via prototype chain.

    ... when receiver is in dictionary mode.

    Bug: v8:6490
    Change-Id: Ic5a8d214adcc4efd4cb163cbc6b351c4e6b596af
    Reviewed-on: https://chromium-review.googlesource.com/559548
    Reviewed-by: Camillo Bruni <cbruni@chromium.org>
    Commit-Queue: Igor Sheludko <ishell@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#46428}

Ref: https://chromium.googlesource.com/v8/v8.git/+/6cb999b97b7953ebfd4aabf2e1f62bf405f21c69
Fixes: #13804
PR-URL: #14188
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
addaleax pushed a commit to targos/node that referenced this issue Jul 24, 2017
Original commit message:

    Properly handle loads from global interceptor via prototype chain.

    ... when receiver is in dictionary mode.

    Bug: v8:6490
    Change-Id: Ic5a8d214adcc4efd4cb163cbc6b351c4e6b596af
    Reviewed-on: https://chromium-review.googlesource.com/559548
    Reviewed-by: Camillo Bruni <cbruni@chromium.org>
    Commit-Queue: Igor Sheludko <ishell@chromium.org>
    Cr-Commit-Position: refs/heads/master@{nodejs#46428}

Ref: https://chromium.googlesource.com/v8/v8.git/+/6cb999b97b7953ebfd4aabf2e1f62bf405f21c69
Fixes: nodejs#13804
PR-URL: nodejs#14188
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
v8 engine Issues and PRs related to the V8 dependency. vm Issues and PRs related to the vm subsystem.
Projects
None yet
Development

No branches or pull requests

7 participants