Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Segmentation Fault #8310

Closed
furkanmustafa opened this issue Aug 28, 2016 · 58 comments
Closed

Segmentation Fault #8310

furkanmustafa opened this issue Aug 28, 2016 · 58 comments
Labels
v8 engine Issues and PRs related to the V8 dependency.

Comments

@furkanmustafa
Copy link

  • Version: 6.5.0
  • Platform: Linux thehostname 4.7.2 #21 SMP Fri Aug 26 03:23:44 UTC 2016 x86_64 GNU/Linux

I'm not exacly sure what's the main reason for this crash is, therefore I don't have a way to replicate. My application is quite simple and doesn't have any native modules. General outline is, the app connects to Mongo & Redis, uses babel, and is a simple background worker for kue tasks. Application works well for a while, and then segfaults.

Here is the coredumps;

Process 32573 (node) of user 1000 dumped core.

  Stack trace of thread 32573:
  #0  0x00007f198dd32367 kill (libc.so.6)
  #1  0x00007f198fe84ea9 uv_kill (libuv.so.1)
  #2  0x0000000000d68ae0 _ZN4node4KillERKN2v820FunctionCallbackInfoINS0_5ValueEEE (node)
  #3  0x00000000006f7bd1 _ZN2v88internal25FunctionCallbackArguments4CallEPFvRKNS_20FunctionCallbackInfoINS_5ValueEEEE (node)
  #4  0x000000000074d9ab n/a (node)
  #5  0x000000000074e078 n/a (node)
  #6  0x000000000074e1de n/a (node)
  #7  0x00000c3b85b092a7 n/a (n/a)

Process 32555 (npm) of user 1000 dumped core.

  Stack trace of thread 32555:
  #0  0x00007f8074ef5367 kill (libc.so.6)
  #1  0x00007f8077047ea9 uv_kill (libuv.so.1)
  #2  0x0000000000d68ae0 _ZN4node4KillERKN2v820FunctionCallbackInfoINS0_5ValueEEE (node)
  #3  0x00000000006f7bd1 _ZN2v88internal25FunctionCallbackArguments4CallEPFvRKNS_20FunctionCallbackInfoINS_5ValueEEEE (node)
  #4  0x000000000074d9ab n/a (node)
  #5  0x000000000074e078 n/a (node)
  #6  0x000000000074e1de n/a (node)
  #7  0x00002e45f53092a7 n/a (n/a)

Process 32579 (node) of user 1000 dumped core.

  Stack trace of thread 32579:
  #0  0x0000000000989f95 _ZN2v88internal9FieldType7AsClassEv (node)
  #1  0x000000000098a0f4 _ZN2v88internal9FieldType7ConvertEPNS0_4ZoneE (node)
  #2  0x0000000000787c8b _ZN2v88internal8compiler17AccessInfoFactory25ComputePropertyAccessInfoENS0_6HandleINS0_3MapEEENS3_INS0_4NameEEENS1_10
AccessModeEPNS1_18PropertyAccessInfoE (node)
  #3  0x000000000078831e _ZN2v88internal8compiler17AccessInfoFactory26ComputePropertyAccessInfosERKNS0_4ListINS0_6HandleINS0_3MapEEENS0_25Free
StoreAllocationPolicyEEENS4_INS0_4NameEEENS1_10AccessModeEPNS0_10ZoneVectorINS1_18PropertyAccessInfoEEE (node)
  #4  0x00000000007f9566 _ZN2v88internal8compiler29JSNativeContextSpecialization17ReduceNamedAccessEPNS1_4NodeES4_RKNS0_4ListINS0_6HandleINS0_
3MapEEENS0_25FreeStoreAllocationPolicyEEENS6_INS0_4NameEEENS1_10AccessModeENS0_12LanguageModeES4_ (node)
  #5  0x00000000007fb3af _ZN2v88internal8compiler29JSNativeContextSpecialization17ReduceNamedAccessEPNS1_4NodeES4_RKNS0_13FeedbackNexusENS0_6H
andleINS0_4NameEEENS1_10AccessModeENS0_12LanguageModeE (node)
  #6  0x00000000007fb43f _ZN2v88internal8compiler29JSNativeContextSpecialization17ReduceJSLoadNamedEPNS1_4NodeE (node)
  #7  0x00000000007fda15 _ZN2v88internal8compiler29JSNativeContextSpecialization6ReduceEPNS1_4NodeE (node)
  #8  0x00000000007ca506 _ZN2v88internal8compiler12GraphReducer6ReduceEPNS1_4NodeE (node)
  #9  0x00000000007caf5c _ZN2v88internal8compiler12GraphReducer9ReduceTopEv (node)
  #10 0x00000000007cb088 _ZN2v88internal8compiler12GraphReducer10ReduceNodeEPNS1_4NodeE (node)
  #11 0x00000000008325ed _ZN2v88internal8compiler8Pipeline12GenerateCodeEv (node)
  #12 0x00000000008895a2 _ZN2v88internal19OptimizedCompileJob11CreateGraphEv (node)
  #13 0x000000000088a945 n/a (node)
  #14 0x000000000088b6d9 _ZN2v88internal8Compiler16CompileOptimizedENS0_6HandleINS0_10JSFunctionEEENS1_15ConcurrencyModeE (node)
  #15 0x0000000000b63e05 _ZN2v88internal35Runtime_CompileOptimized_ConcurrentEiPPNS0_6ObjectEPNS0_7IsolateE (node)
  #16 0x0000073eda9092a7 n/a (n/a)
@addaleax addaleax added the v8 engine Issues and PRs related to the V8 dependency. label Aug 28, 2016
@addaleax
Copy link
Member

  • Does this happen with earlier versions of Node, too?
  • Where did you get the Node v6.5.0 binary from?
  • It looks like this is some script being run by npm… I assume the fault also occurs when running the script directly?

@addaleax
Copy link
Member

Also, could you try running this with a debug build of node?

@furkanmustafa
Copy link
Author

Does this happen with earlier versions of Node, too?

Tested with v5.10.1 and survived far more, looks like not going to crash.
Will test with v6.4.0 and debug build of v6.5.0

Where did you get the Node v6.5.0 binary from?

Arch Linux

It looks like this is some script being run by npm… I assume the fault also occurs when running the script directly?

Got rid of npm start, started with ./node_modules/.bin/babel-node src/Server.js directly. Still the same result without the npm's stack trace.

Also, could you try running this with a debug build of node?

Do I need to build it myself or is there an official debug build of node somewhere I can download or a docker image?

@addaleax
Copy link
Member

Do I need to build it myself or is there an official debug build of node somewhere I can download or a docker image?

I think you’d have to build it yourself, ./configure --debug && make -j4 should give you a node_g debug executable. And in this case, I’m even more sure that you’ll have to build yourself, given that Arch seems to be the only platform to provide v6.5.0 at this point (there aren’t even official Node v6.5.0 binaries out yet).

@jbergstroem
Copy link
Member

I just had a question on IRC wrt missing -headers for npm bundled with Node.js 6.5.0 in Archlinux too. Perhaps we should check in with them and see if we can align releases?

@MylesBorins
Copy link
Contributor

6.5.0 has not been promoted yet, which is why the headers are not available

On Sun, Aug 28, 2016, 4:03 PM Johan Bergström notifications@github.com
wrote:

I just had a question on IRC wrt missing -headers for npm bundled with
Node.js 6.5.0 in Archlinux too. Perhaps we should check in with them and
see if we can align releases?


You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
#8310 (comment), or mute
the thread
/~https://github.com/notifications/unsubscribe-auth/AAecV43SgiC04rTBF8vYRvC4lc3u0PLgks5qkbFegaJpZM4Ju7M-
.

@jbergstroem
Copy link
Member

@thealphanerd yeah, I know. I just emailed the maintainer in Archlinux about this and queried if he could align the releases with ours.

@furkanmustafa
Copy link
Author

Looks like v6.4.0 (docker image 6-slim) also does not crash.
I have compiled node v6.5.0 with --debug flag (inside the same docker image), and that also did not crash.

I believe that makes this an Arch Linux issue, probably one of the shared libraries.

I'll try playing with it a little bit more.

@addaleax
Copy link
Member

I believe that makes this an Arch Linux issue, probably one of the shared libraries.

Sounds quite possible… somebody else is experience very similar difficulties on Arch (almost identical stack trace) in npm/npm#13782

@moki
Copy link

moki commented Aug 28, 2016

Experienced problems after upgrading node to 6.5 on arch as well, rolling back to 6.4 solves the issue tho.

@addaleax
Copy link
Member

fwiw, I’ve set up Arch Linux in a VM, but couldn’t reproduce any problems so far… do you have something like reproducible test cases you could share (even if they are large) or something in that direction?

@moki
Copy link

moki commented Aug 28, 2016

@addaleax Apricity OS Arch distro update to node with packman from 6.4 to 6.5 leads to problem, rollback solves issue that's all i've got. Point me in some direction, how can i help work this out.

@mscdex
Copy link
Contributor

mscdex commented Aug 28, 2016

You could checkout the node source from git and do a git bisect between the v6.4.0 and v6.5.0 tags. I suspect it will be the upgrade to V8 5.1 though, it looks like it may be a bug there.

@mscdex
Copy link
Contributor

mscdex commented Aug 28, 2016

Or it could just be how Arch is building node... Either way building node manually from source will answer those questions.

@addaleax
Copy link
Member

Building node from the tag with a normal ./configure doesn’t reveal the same problem. Arch’s build script (if I am correct in that it is this one) doesn’t seem to be doing anything fancy, though.

@furkanmustafa
Copy link
Author

@mscdex @addaleax I have built v6.5.0 from git, inside docker image node:6-slim (debian). And problem did not occured. High likely making the problem about Arch Linux, in more detail high likely an ABI change or an incompatible change in one of the shared libraries after they've built node v6.5.0.

@addaleax
Copy link
Member

@furkanmustafa What was/is your compiler version?

@addaleax
Copy link
Member

Okay, so, I think I have an idea of what is going on here (big thanks to @leafi for providing access to an Arch VM for investigating!).
This seems to be an issue similar to #6272, i.e. undefined behaviour in the form of this == nullptr that’s optimized away by GCC 6; Namely, this FieldType::IsNone() check, which expands to this == reinterpret_cast<FieldType*>(Smi::FromInt(0)), which in turn – if I’m understanding everything correctly – expands to this == nullptr.
The segmentation fault definitely occurs during a call to FieldType::AsClass() with this == 0x0, and comparing between the v6.1.0 and v6.2.0 Arch binaries seems to support this (which is when they started building with GCC 6, according to a quick strings -a | grep GCC):

Node v6.1.0:

000000000091d530 <_ZN2v88internal9FieldType7ConvertEPNS0_4ZoneE@@Base>:
  91d530:       48 b8 00 00 00 00 01    movabs $0x100000000,%rax
  91d537:       00 00 00 
  91d53a:       48 39 c7                cmp    %rax,%rdi # IsAny()
  91d53d:       74 61                   je     91d5a0 <_ZN2v88internal9FieldType7ConvertEPNS0_4ZoneE@@Base+0x70>
  91d53f:       48 85 ff                test   %rdi,%rdi # IsNone()
  91d542:       b8 01 00 00 00          mov    $0x1,%eax
  91d547:       74 4d                   je     91d596 <_ZN2v88internal9FieldType7ConvertEPNS0_4ZoneE@@Base+0x66>
  91d549:       55                      push   %rbp
  91d54a:       48 89 e5                mov    %rsp,%rbp

  ...

Node v6.2.0 (v6.5.0 looks the same):

0000000000920780 <_ZN2v88internal9FieldType7ConvertEPNS0_4ZoneE@@Base>:
  920780:       48 b8 00 00 00 00 01    movabs $0x100000000,%rax
  920787:       00 00 00 
  92078a:       48 39 c7                cmp    %rax,%rdi # IsAny()
  92078d:       74 51                   je     9207e0 <_ZN2v88internal9FieldType7ConvertEPNS0_4ZoneE@@Base+0x60>
  92078f:       55                      push   %rbp
  920790:       48 89 e5                mov    %rsp,%rbp

  ...

This also explains why @NullDivision has been encountering npm/npm#13782 even prior to Node 6.5.0.
What I don’t know is why this problem is so strongly exacerbated with v6.5.0, but it makes sense that the V8 upgrade would have an impact.

I can’t compile anything for Arch with GCC 6 right now, but this completely naïve fix doesn’t break the Node.js tests for me, so it might be an option:

diff --git a/deps/v8/src/field-type.cc b/deps/v8/src/field-type.cc
index 76d694c13262..5d84f3f6450b 100644
--- a/deps/v8/src/field-type.cc
+++ b/deps/v8/src/field-type.cc
@@ -13,7 +13,7 @@ namespace internal {

 // static
 FieldType* FieldType::None() {
-  return reinterpret_cast<FieldType*>(Smi::FromInt(0));
+  return reinterpret_cast<FieldType*>(Smi::FromInt(2));
 }

 // static

/cc @nodejs/v8

@MylesBorins
Copy link
Contributor

amazing work!

/cc @nodejs/v8

On Mon, Aug 29, 2016, 7:40 AM Anna Henningsen notifications@github.com
wrote:

Okay, so, I think I have an idea of what is going on here (big thanks to
@leafi /~https://github.com/leafi for providing access to an Arch VM for
investigating!).
This seems to be an issue similar to #6272
#6272, i.e. undefined behaviour in
the form of this == nullptr that’s optimized away by GCC 6; Namely, this
FieldType::IsNone() check
/~https://github.com/nodejs/node/blob/v6.5.0/deps/v8/src/field-type.cc#L74,
which expands to this == reinterpret_cast<FieldType*>(Smi::FromInt(0)),
which in turn – if I’m understanding everything correctly – expands to this
== nullptr.
The segmentation fault definitely occurs during a call to
FieldType::AsClass() with this == 0x0, and comparing between the v6.1.0
and v6.2.0 Arch binaries seems to support this (which is when they started
building with GCC 6, according to a quick strings -a | grep GCC):

Node v6.1.0:

000000000091d530 <_ZN2v88internal9FieldType7ConvertEPNS0_4ZoneE@@base>: 91d530: 48 b8 00 00 00 00 01 movabs $0x100000000,%rax 91d537: 00 00 00 91d53a: 48 39 c7 cmp %rax,%rdi # IsAny() 91d53d: 74 61 je 91d5a0 <_ZN2v88internal9FieldType7ConvertEPNS0_4ZoneE@@base+0x70> 91d53f: 48 85 ff test %rdi,%rdi # IsNone() 91d542: b8 01 00 00 00 mov $0x1,%eax 91d547: 74 4d je 91d596 <_ZN2v88internal9FieldType7ConvertEPNS0_4ZoneE@@base+0x66> 91d549: 55 push %rbp 91d54a: 48 89 e5 mov %rsp,%rbp
...

Node v6.2.0 (v6.5.0 looks the same):

0000000000920780 <_ZN2v88internal9FieldType7ConvertEPNS0_4ZoneE@@base>: 920780: 48 b8 00 00 00 00 01 movabs $0x100000000,%rax 920787: 00 00 00 92078a: 48 39 c7 cmp %rax,%rdi # IsAny() 92078d: 74 51 je 9207e0 <_ZN2v88internal9FieldType7ConvertEPNS0_4ZoneE@@base+0x60> 92078f: 55 push %rbp 920790: 48 89 e5 mov %rsp,%rbp
...

This also explains why @NullDivision /~https://github.com/NullDivision
has been encountering npm/npm#13782
npm/npm#13782 even prior to Node 6.5.0.
What I don’t know is why this problem is so strongly exacerbated with
v6.5.0, but it makes sense that the V8 upgrade would have an impact.

I can’t compile anything for Arch with GCC 6 right now, but this
completely naïve fix doesn’t break the Node.js tests for me, so it might be
an option:

diff --git a/deps/v8/src/field-type.cc b/deps/v8/src/field-type.cc
index 76d694c13262..5d84f3f6450b 100644--- a/deps/v8/src/field-type.cc+++ b/deps/v8/src/field-type.cc@@ -13,7 +13,7 @@ namespace internal {

// static
FieldType* FieldType::None() {- return reinterpret_cast<FieldType*>(Smi::FromInt(0));+ return reinterpret_cast<FieldType*>(Smi::FromInt(2));
}

// static

/cc @nodejs/v8 /~https://github.com/orgs/nodejs/teams/v8


You are receiving this because you were mentioned.

Reply to this email directly, view it on GitHub
#8310 (comment), or mute
the thread
/~https://github.com/notifications/unsubscribe-auth/AAecV3yoYiM_kZvdlPR-5ydGU2qXGNAoks5qko0LgaJpZM4Ju7M-
.

@NullDivision
Copy link

That is some Rainman level work. I tip my hat to you sir.

@addaleax
Copy link
Member

I tip my hat to you sir.

Not exactly a sir. :)

@NullDivision
Copy link

Oops. :)) Well, imagine my embarrassment. Sorry. Handles are hard to follow. 😆

@addaleax
Copy link
Member

Also maybe /cc @felixonmars fyi

@quarthex
Copy link

Encountered the same issue. (node v6.5.0 on ArchLinux)
Was trying to run npm install --dry-run.

1  v8::internal::FieldType::AsClass()
2  v8::internal::FieldType::Convert(v8::internal::Zone *)
3  v8::internal::compiler::AccessInfoFactory::ComputePropertyAccessInfo(v8::internal::Handle<v8::internal::Map>, v8::internal::Handle<v8::internal::Name>, v8::internal::compiler::AccessMode, v8::internal::compiler::PropertyAccessInfo *)
4  v8::internal::compiler::AccessInfoFactory::ComputePropertyAccessInfos(v8::internal::List<v8::internal::Handle<v8::internal::Map>, v8::internal::FreeStoreAllocationPolicy> const&, v8::internal::Handle<v8::internal::Name>, v8::internal::compiler::AccessMode, v8::internal::ZoneVector<v8::internal::compiler::PropertyAccessInfo> *)
5  v8::internal::compiler::JSNativeContextSpecialization::ReduceNamedAccess(v8::internal::compiler::Node *, v8::internal::compiler::Node *, v8::internal::List<v8::internal::Handle<v8::internal::Map>, v8::internal::FreeStoreAllocationPolicy> const&, v8::internal::Handle<v8::internal::Name>, v8::internal::compiler::AccessMode, v8::internal::LanguageMode, v8::internal::compiler::Node *)
6  v8::internal::compiler::JSNativeContextSpecialization::ReduceNamedAccess(v8::internal::compiler::Node *, v8::internal::compiler::Node *, v8::internal::FeedbackNexus const&, v8::internal::Handle<v8::internal::Name>, v8::internal::compiler::AccessMode, v8::internal::LanguageMode)
7  v8::internal::compiler::JSNativeContextSpecialization::ReduceJSLoadNamed(v8::internal::compiler::Node *)
8  v8::internal::compiler::JSNativeContextSpecialization::Reduce(v8::internal::compiler::Node *)
9  v8::internal::compiler::GraphReducer::Reduce(v8::internal::compiler::Node *)
10 v8::internal::compiler::GraphReducer::ReduceTop()
11 v8::internal::compiler::GraphReducer::ReduceNode(v8::internal::compiler::Node *)
12 v8::internal::compiler::Pipeline::GenerateCode()
13 v8::internal::OptimizedCompileJob::CreateGraph()
14 ??
15 v8::internal::Compiler::CompileOptimized(v8::internal::Handle<v8::internal::JSFunction>, v8::internal::Compiler::ConcurrencyMode)
16 v8::internal::Runtime_CompileOptimized_Concurrent(int, v8::internal::Object * *, v8::internal::Isolate *)
17 ??
…

@ofrobots
Copy link
Contributor

@addaleax I am not sure if it is safe to change the value from None 0 to 2. I don't have access to a gcc-6.2 machine. Could you try something like this on the arch linux VM to see if the compiler is still agreeable:

diff --git a/deps/v8/src/field-type.cc b/deps/v8/src/field-type.cc
index f1cb962..663f87f 100644
--- a/deps/v8/src/field-type.cc
+++ b/deps/v8/src/field-type.cc
@@ -11,14 +11,25 @@
 namespace v8 {
 namespace internal {

+static const int kNone = 0;
+static const int kAny = 1;
+
 // static
 FieldType* FieldType::None() {
-  return reinterpret_cast<FieldType*>(Smi::FromInt(0));
+  return reinterpret_cast<FieldType*>(Smi::FromInt(kNone));
+}
+
+bool FieldType::IsNone() {
+  return reinterpret_cast<intptr_t>(this) == kNone;
 }

 // static
 FieldType* FieldType::Any() {
-  return reinterpret_cast<FieldType*>(Smi::FromInt(1));
+  return reinterpret_cast<FieldType*>(Smi::FromInt(kAny));
+}
+
+bool FieldType::IsAny() {
+  return reinterpret_cast<intptr_t>(this) == kAny;
 }

 // static
diff --git a/deps/v8/src/field-type.h b/deps/v8/src/field-type.h
index eb7ffca..4eebf82 100644
--- a/deps/v8/src/field-type.h
+++ b/deps/v8/src/field-type.h
@@ -33,8 +33,8 @@ class FieldType : public Object {

   bool IsClass();
   Handle<i::Map> AsClass();
-  bool IsNone() { return this == None(); }
-  bool IsAny() { return this == Any(); }
+  bool IsNone();
+  bool IsAny();
   bool NowStable();
   bool NowIs(FieldType* other);
   bool NowIs(Handle<FieldType> other);

@ofrobots
Copy link
Contributor

/cc @jeisinger on whether it is safe to change the None FieldType value.

@bnoordhuis
Copy link
Member

+ return reinterpret_cast<intptr_t>(this) == kNone;

I don't think that makes it any less UB. A conforming compiler can still optimize it to return false on the assumption that the result of reinterpret_cast<intptr_t>(this) is never zero.

@addaleax
Copy link
Member

@ofrobots Thanks, will do! If you see anything obviously wrong with the patch, please say so :)

I'd file a nodejs/build issue for that.

Done, nodejs/build#480

@bmeurer
Copy link
Member

bmeurer commented Aug 30, 2016

It is pretty bad that V8 relies on a variety of undefined/implementation defined behaviors in C++ compilers, and this seems to be only the tip of the iceberg. But as sad as it is, there's not much we can do about this short-term, except trying to work-around issues as in this case. Maybe we (as in V8 + Node.js) can raise awareness of this problem to the GCC (and clang) folks, and somehow buy us some time to first address all the undefined behavior (or at least the serious stuff) before the compilers start to exploit UB for optimizations (although in my opinion this is already a pretty, pretty bad idea anyways, esp. in a language like C++).

kisg pushed a commit to paul99/v8mips that referenced this issue Aug 30, 2016
When FieldType::None() returns a cast Smi::FromInt(0), which translates
as nullptr, the FieldType::IsNone() check becomes equivalent to
`this == nullptr` which is not allowed by the standard and
therefore optimized away as a false constant by GCC 6.

This has lead to crashes when invoking methods on FieldType::None().

Using a different Smi constant for FieldType::None() makes the compiler
always include a comparison against that value. The choice of these
constants has no effect as they are effectively arbitrary.

BUG=nodejs/node#8310

Review-Url: https://codereview.chromium.org/2292953002
Cr-Commit-Position: refs/heads/master@{#39023}
@bnoordhuis
Copy link
Member

@bmeurer Perhaps you can add -fno-delete-null-pointer-checks to the build flags as a short-term workaround? We can add that to our build too but we are probably not the only embedders that will hit this.

@bmeurer
Copy link
Member

bmeurer commented Aug 31, 2016

@bnoordhuis I guess that would be doable. Does that only affect GCC 6 behavior? Is there anything to be aware of?

@bnoordhuis
Copy link
Member

@bmeurer -fdelete-null-pointer-checks was disabled by default until g++ 6, the flag itself has existed for quite some time (since 4.0 or 4.1?)

I turned on the flag in v0.10 and v0.12 and I couldn't find a measurable difference but that's with V8 3.14 and 3.28 (and many more moving parts, of course.)

@bmeurer
Copy link
Member

bmeurer commented Sep 1, 2016

@bnoordhuis Do you need this on the V8 side? If so, can you file a ticket and assign to to machenbach@chromium.org?

@bnoordhuis
Copy link
Member

@bmeurer I don't need it for node.js, we can control that through our own build flags. I was thinking that disabling it in V8 might save smaller embedders like plv8 some head scratching.

@bmeurer
Copy link
Member

bmeurer commented Sep 1, 2016

Ok, I leave that decision to @jeisinger.

@ofrobots
Copy link
Contributor

ofrobots commented Sep 2, 2016

To make the decision tangible: https://codereview.chromium.org/2310513002.

addaleax added a commit to addaleax/node that referenced this issue Sep 5, 2016
Original commit message:

    Make FieldType::None() non-nullptr value to avoid undefined behaviour

    When FieldType::None() returns a cast Smi::FromInt(0), which translates
    as nullptr, the FieldType::IsNone() check becomes equivalent to
    `this == nullptr` which is not allowed by the standard and
    therefore optimized away as a false constant by GCC 6.

    This has lead to crashes when invoking methods on FieldType::None().

    Using a different Smi constant for FieldType::None() makes the compiler
    always include a comparison against that value. The choice of these
    constants has no effect as they are effectively arbitrary.

    BUG=nodejs#8310

    Review-Url: https://codereview.chromium.org/2292953002
    Cr-Commit-Position: refs/heads/master@{nodejs#39023}

Fixes: nodejs#8310
addaleax added a commit that referenced this issue Sep 8, 2016
Original commit message:

    Make FieldType::None() non-nullptr value to avoid undefined behaviour

    When FieldType::None() returns a cast Smi::FromInt(0), which translates
    as nullptr, the FieldType::IsNone() check becomes equivalent to
    `this == nullptr` which is not allowed by the standard and
    therefore optimized away as a false constant by GCC 6.

    This has lead to crashes when invoking methods on FieldType::None().

    Using a different Smi constant for FieldType::None() makes the compiler
    always include a comparison against that value. The choice of these
    constants has no effect as they are effectively arbitrary.

    BUG=#8310

    Review-Url: https://codereview.chromium.org/2292953002
    Cr-Commit-Position: refs/heads/master@{#39023}

Fixes: #8310
PR-URL: #8411
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
@seishun
Copy link
Contributor

seishun commented Sep 13, 2016

somehow buy us some time to first address all the undefined behavior (or at least the serious stuff)

I think the most serious stuff is casting generated code into a function pointer and calling it, which is pretty much unavoidable.

@DemiMarie
Copy link

Clang doesn't support -fno-delete-null-pointer-checks. So either a bug needs to be filed with LLVM, V8 needs to fix their code, or we need to confirm with LLVM developers that LLVM does not optimize under the assumption that this != nullptr.

@bnoordhuis
Copy link
Member

CodeGenFunction::ShouldNullCheckClassCastValue() in clang 3.8 suggests that clang always assumes this != nullptr.

Clang does know about -fno-delete-null-pointer-checks but it's a no-op.

@DemiMarie
Copy link

Does anyone have enough knowledge of Clang and/or LLVM to implement
-fno-delete-null-pointer-checks in Clang? If not this should be a feature
request against Clang.

On Sep 16, 2016 4:20 AM, "Ben Noordhuis" notifications@github.com wrote:

CodeGenFunction::ShouldNullCheckClassCastValue() in clang 3.8 suggests that
clang always assumes this != nullptr.

Clang does know about -fno-delete-null-pointer-checks but it's a no-op.


You are receiving this because you commented.
Reply to this email directly, view it on GitHub
#8310 (comment), or mute
the thread
/~https://github.com/notifications/unsubscribe-auth/AGGWB1BxhGGffTIg_sd_CalyXzuZmJ-cks5qqlFNgaJpZM4Ju7M-
.

@bnoordhuis
Copy link
Member

It should be easy enough to add but I don't have time at the moment. You are welcome to run with it.

@bnoordhuis
Copy link
Member

Patch against clang 3.9.0. Still need to update the test suite but I thought I'd post it here in case I forget; someone is sure to remind me in due time. :-)

@crocket
Copy link

crocket commented Oct 29, 2016

I'm on ArchLinux. I use node v6.9.1, and I experience ghcjs/ghcjs#542

@addaleax
Copy link
Member

@crocket Then it’s a different bug, this one was fixed in v6.6.0. If you think it’s reasonable to believe you are experiencing a bug with Node core, I’d suggest that you try to write down a full reproduction of that problem and open a new issue here. A stack trace or a full core dump for the segfault would also be very useful information, if that’s possible.

@crocket
Copy link

crocket commented Oct 29, 2016

How do I provide a stack trace of a full core dump? Can you give me links?

@addaleax
Copy link
Member

@crocket Maybe run this before executing your program. This varies quite a bit from Linux distro to Linux distro…

You can generate a stack trace using a debugger like gdb or lldb, if you want to try that.

@crocket
Copy link

crocket commented Oct 29, 2016

https://gist.github.com/crocket/0e68d3d6f27c280daa3b7449337a8f94 is the output of coredumpctl info /home/crocket/.stack/programs/x86_64-linux/ghcjs-0.2.0.9006021_ghc-7.10.3/src/.stack-work/install/x86_64-linux/lts-6.21/7.10.3/bin/ghcjs-0.2.0.9006021-7.10.3.bin I'm not sure if this helps.

@addaleax
Copy link
Member

@crocket I’m not sure why this might look like a bug in Node – fwiw, the file listed under Coredump: is the core dump file itself. You’re probably best off discussing this problem at the ghcjs repo.

@addaleax
Copy link
Member

This was fixed in f829660, closing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
v8 engine Issues and PRs related to the V8 dependency.
Projects
None yet
Development

No branches or pull requests