Opened 3 years ago

Last modified 3 years ago

#3188 new defect

ABP-IE engine crashes when it asks v8 to exceed one of its internal limits

Reported by: eric@… Assignee:
Priority: Unknown Milestone:
Module: Adblock-Plus-for-Internet-Explorer Keywords: crash
Cc: Blocked By:
Blocking: Platform: Internet Explorer
Ready: no Confidential: no
Tester: Unknown Verified working: no
Review URL(s):

Description

Environment

Development version 1.4, 32-bit version. Nothing relevant in the code has changed with 1.5.

Running under Windows 7 64-bit, IE version 11.

How to reproduce

There's no deterministic way to reproduce this defect, nor even an easy way to know that any particular crash has the same cause as the present report. That said, opening lots of tabs in a short period of time frequently causes an engine crash. Slow web sites seem to aggravate the problem.

Observed behavior

The engine crashes. An APPCRASH dialog appears. The exception code for the halt is 80000003, which is the code for a software-triggered breakpoint.

Expected behavior

No crashing.

Summary of the problem

There's a hard limit inside v8 for the number of isolates. In a debug compile this limit is checked in an assertion that is the proximate cause for the APPCRASH.

Change History (2)

comment:1 Changed 3 years ago by eric@…

This is the call stack at the time of the crash.

 	[External Code]	
	AdblockPlusEngine.exe!v8::internal::OS::DebugBreak() Line 1013	C++
 	AdblockPlusEngine.exe!v8::internal::OS::Abort() Line 1004	C++
 	AdblockPlusEngine.exe!V8_Fatal(const char * file, int line, const char * format, ...) Line 62	C++
 	AdblockPlusEngine.exe!v8::internal::GlobalHandles::NodeBlock::IncreaseUses() Line 342	C++
 	AdblockPlusEngine.exe!v8::internal::GlobalHandles::Node::IncreaseBlockUses() Line 400	C++
 	AdblockPlusEngine.exe!v8::internal::GlobalHandles::Node::Acquire(v8::internal::Object * object) Line 116	C++
 	AdblockPlusEngine.exe!v8::internal::GlobalHandles::Create(v8::internal::Object * value) Line 477	C++
 	AdblockPlusEngine.exe!v8::V8::GlobalizeReference(v8::internal::Isolate * isolate, v8::internal::Object * * obj) Line 654	C++
 	AdblockPlusEngine.exe!v8::Persistent<v8::Value>::New(v8::Isolate * isolate, v8::Value * that) Line 5706	C++
 	AdblockPlusEngine.exe!v8::Persistent<v8::Value>::Persistent<v8::Value><v8::Value>(v8::Isolate * isolate, v8::Handle<v8::Value> that) Line 521	C++
 	AdblockPlusEngine.exe!AdblockPlus::V8ValueHolder<v8::Value>::reset(v8::Isolate * isolate, v8::Handle<v8::Value> value) Line 55	C++
 	AdblockPlusEngine.exe!AdblockPlus::V8ValueHolder<v8::Value>::V8ValueHolder<v8::Value>(v8::Isolate * isolate, v8::Handle<v8::Value> value) Line 44	C++
 	AdblockPlusEngine.exe!AdblockPlus::JsValue::JsValue(std::shared_ptr<AdblockPlus::JsEngine> jsEngine, v8::Handle<v8::Value> value) Line 30	C++
 	AdblockPlusEngine.exe!AdblockPlus::JsValue::AsList() Line 123	C++
 	AdblockPlusEngine.exe!AdblockPlus::FilterEngine::GetElementHidingSelectors(const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & domain) Line 334	C++
 	AdblockPlusEngine.exe!`anonymous namespace'::HandleRequest(Communication::InputBuffer & request) Line 115	C++
 	AdblockPlusEngine.exe!`anonymous namespace'::ClientThread(Communication::Pipe * pipe) Line 392	C++
 	AdblockPlusEngine.exe!WinMain::__l12::<lambda>() Line 514	C++
 	[External Code]	
 	AdblockPlusEngine.exe!_Call_func(void * _Data) Line 52	C++
 	AdblockPlusEngine.exe!_callthreadstartex() Line 354	C
 	AdblockPlusEngine.exe!_threadstartex(void * ptd) Line 337	C
 	[External Code]	

The code that triggered the abort is in IncreaseUses(), global-handles.cc:342. Here's the text:

  ASSERT(used_nodes_ < kSize);

The value of used_nodes_ at the time of the crash was 256. 'kSize' is a class constant defined on line 321:

  static const int kSize = 256;    

I haven't yet determined what's using up the v8 internal resource. The constructor of the libadblockplus class AdblockPlus::V8ValueHolder is the present cause of this crash. This class seems to be the only part of the non-v8 code that invokes v8::Persistent, but the class does appear in v8 itself.

comment:2 Changed 3 years ago by sergz

Summary of the problem

There's a hard limit inside v8 for the number of isolates. In a debug compile this limit is checked in an assertion that is the proximate cause for the APPCRASH.

I would like to precise that it's not a number of isolates (there is only one instance of isolate in our case), according to the code it is the number of the nodes used by the node block.
I would say, most likely we have a race condition somewhere, although it can be also a bug of current version of v8.

Note: See TracTickets for help on using tickets.