It'd be interesting to find out what more. We should not attempt to jump
into runtime-allocated executable code in jitless mode. If you have a
repro, please open a bug and I will take a look.

On Thu, Sep 12, 2019 at 5:45 PM Darin Dimitrov <darin.dimit...@gmail.com>
wrote:

> Found the root cause.
>
> I was setting a named interceptor on an instance template with both the
> propertyGetter and propertySetter being null:
>
> NamedPropertyHandlerConfiguration config(propertyGetter, propertySetter);
>
> instanceTemplate->SetHandler(config);
>
>
> I am not sure how this affects V8 and what is the relation to
> 738d870db64a97db243e0d5856f92cc45e1c69fd
> <https://chromium.googlesource.com/v8/v8.git/+/738d870db64a97db243e0d5856f92cc45e1c69fd>
> but once I added null checks, everything works perfectly.
>
>
> On Thursday, September 12, 2019 at 6:29:57 PM UTC+3, Darin Dimitrov wrote:
>
>> I have pretty much narrowed it down and will send a repro once I remove
>> all the noise from my project.
>>
>> On Thursday, September 12, 2019 at 5:45:19 PM UTC+3, Jakob Kummerow wrote:
>>>
>>> CC author of that commit.
>>>
>>> Darin, do you have a full repro you can share? That would be useful for
>>> debugging.
>>>
>>>
>>> On Thu, Sep 12, 2019 at 4:36 PM Darin Dimitrov <darin....@gmail.com>
>>> wrote:
>>>
>>>> I am embedding v8 in my iOS application and calling some js function:
>>>>
>>>> Local<v8::Function> callback = ...
>>>>
>>>> std::vector<Local<Value>> v8Args = ...
>>>>
>>>> Local<Value> result;
>>>>
>>>> TryCatch tc(isolate);
>>>>
>>>> callback->Call(context, thiz, (int)v8Args.size(), v8Args.data())
>>>>     .ToLocal(&result);
>>>>
>>>>
>>>> This code works pretty fine but starting from this commit
>>>> https://chromium.googlesource.com/v8/v8.git/+/738d870db64a97db243e0d5856f92cc45e1c69fd
>>>> my code started failing consistently with the following error:
>>>>
>>>>
>>>> * thread #1, queue = 'com.apple.main-thread', stop reason =
>>>> EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
>>>>
>>>>   * frame #0: 0x00000001031f1fe0
>>>> MyProj`v8::internal::PropertyCallbackArguments::CallNamedSetter(this=0x00007ffeedc03aa0,
>>>> interceptor=<unavailable>, name=<unavailable>,
>>>> value=Handle<v8::internal::Object> @ 0x00007ffeedc039e8) at
>>>> api-arguments-inl.h:231:3 [opt]
>>>>
>>>>     frame #1: 0x000000010315e11d
>>>> MyProj`v8::internal::__RT_impl_Runtime_StorePropertyWithInterceptor(args=Arguments
>>>> @ 0x00007ffeedc03af0, isolate=0x000000011faf8000) at ic.cc:2760:37 [opt]
>>>>
>>>>     frame #2: 0x0000000103cd6f00
>>>> MyProj`Builtins_CEntry_Return1_DontSaveFPRegs_ArgvOnStack_NoBuiltinExit + 
>>>> 64
>>>>
>>>>     frame #3: 0x0000000103ef0ccf
>>>> MyProj`Builtins_StaNamedPropertyHandler + 1679
>>>>
>>>>     frame #4: 0x0000000103a0be52
>>>> MyProj`Builtins_InterpreterEntryTrampoline + 946
>>>>
>>>>     frame #5: 0x00000001039fe57a MyProj`Builtins_JSEntryTrampoline + 90
>>>>
>>>>     frame #6: 0x00000001039fe57a MyProj`Builtins_JSEntryTrampoline + 90
>>>>
>>>>     frame #7: 0x00000001039fe358 MyProj`Builtins_JSEntry + 120
>>>>
>>>>     frame #8: 0x0000000103064512 MyProj`v8::internal::(anonymous
>>>> namespace)::Invoke(v8::internal::Isolate*, v8::internal::(anonymous
>>>> namespace)::InvokeParams const&) [inlined]
>>>> v8::internal::GeneratedCode<unsigned long, unsigned long, unsigned long,
>>>> unsigned long, unsigned long, long, unsigned
>>>> long**>::Call(this=<unavailable>, args=<unavailable>, args=<unavailable>,
>>>> args=<unavailable>, args=<unavailable>, args=<unavailable>,
>>>> args=<unavailable>) at simulator.h:138:12 [opt]
>>>>
>>>>     frame #9: 0x0000000103064509 MyProj`v8::internal::(anonymous
>>>> namespace)::Invoke(isolate=0x000000011faf8000,
>>>> params=<unavailable>)::InvokeParams const&) at execution.cc:266 [opt]
>>>>
>>>>     frame #10: 0x0000000103063e27
>>>> MyProj`v8::internal::Execution::Call(isolate=0x000000011faf8000,
>>>> callable=<unavailable>, receiver=<unavailable>, argc=1,
>>>> argv=0x0000600001a8cee0) at execution.cc:358:10 [opt]
>>>>
>>>>     frame #11: 0x0000000102d3a80d
>>>> MyProj`v8::Function::Call(this=0x00007fdeee81b840, context=<unavailable>,
>>>> recv=<unavailable>, argc=1, argv=0x0000600001a8cee0) at api.cc:4840:7 [opt]
>>>>
>>>>
>>>>
>>>> And this is the crashing code:
>>>> https://chromium.googlesource.com/v8/v8.git/+/738d870db64a97db243e0d5856f92cc45e1c69fd/src/api/api-arguments-inl.h#231
>>>>
>>>>
>>>> The crash is observed after multiple calls to this method and after
>>>> some GC iterations.
>>>>

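Added example (my own, not code from this thread or from V8's sources): a compact C++ model of the named-interceptor store path that the trace above goes through, showing why the fix has to treat a null setter as "not intercepted" so that the ordinary property write proceeds instead of a call through a null pointer. The types, the object model and the sample setter are constructed for the example; only the names follow the report.

```cpp
#include <map>
#include <string>

// Model of the named-interceptor store path (not V8's own code). Names follow the
// report above; the types, the object model and the sample setter are constructed.
struct PropertyCallbackInfo {
  bool intercepted = false;   // true once a callback claims the store
  long value = 0;
  void SetReturnValue(long v) { intercepted = true; value = v; }
};
using NamedSetter = void (*)(const std::string&, long, PropertyCallbackInfo&);

// As in the report, the embedder may leave either callback null.
struct NamedPropertyHandlerConfiguration {
  void* getter = nullptr;     // unused here; this model covers the store path only
  NamedSetter setter = nullptr;
};

struct JSObject {
  std::map<std::string, long> own;                 // ordinary properties
  const NamedPropertyHandlerConfiguration* handler = nullptr;
};

// Hardened form of the crash site in the trace. Calling c.setter(name, v, info)
// unconditionally is the crash shape: with both callbacks null the call jumps
// through a null pointer. A missing setter must instead mean "not intercepted".
bool CallNamedSetter(const NamedPropertyHandlerConfiguration& c,
                     const std::string& name, long v, PropertyCallbackInfo& info) {
  if (c.setter == nullptr) return false;
  c.setter(name, v, info);
  return info.intercepted;
}

// Returns true when an interceptor handled the store, false when the ordinary
// property write was performed (the fall-through the runtime frame in the trace needs).
bool StorePropertyWithInterceptor(JSObject& o, const std::string& name, long v) {
  PropertyCallbackInfo info;
  if (o.handler != nullptr && CallNamedSetter(*o.handler, name, v, info)) return true;
  o.own[name] = v;
  return false;
}

// Constructed sample setter: intercepts only names beginning with "x_".
void PrefixSetter(const std::string& name, long v, PropertyCallbackInfo& info) {
  if (name.rfind("x_", 0) == 0) info.SetReturnValue(v);
}
```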