#6252 closed defect (fixed)

Random V8 crash

Reported by: asmirnov
Assignee:
Priority: P2
Milestone:
Module: Adblock-Plus-for-Chromium
Keywords:
Cc:
Blocked By:
Blocking:
Platform: Android
Ready: no
Confidential: no
Tester: Unknown
Verified working: no
Review URL(s): https://gitlab.com/adblockplus/chromium/merge_requests/2

Description (last modified by asmirnov)

Environment

It happens occasionally, frequently after downloading notifications.
September 6 Chromium revision.

How to reproduce

  1. Just use the browser and navigate to different websites.
  2. See the crash happen.

10-24 16:01:48.056 13390-13638 E/v8: #
                                     # Fatal error in ../../v8/src/compiler/verifier.cc, line 72
                                     # 
10-24 16:01:48.056 13390-13638 E/v8: TypeError: node #2:HeapConstant[0x90a04185 <undefined>] type HeapConstant(0x90a04185 <undefined>) must intersect OtherInternal
10-24 16:01:48.056 13390-13638 E/v8: #
10-24 16:01:48.086 13390-13638 E/chromium: #00 0x9bb551d5 /data/app/org.chromium.chrome-1/lib/arm/libgin.cr.so+0x000161d5
                                           #01 0xafba7051 /data/app/org.chromium.chrome-1/lib/arm/libv8_libbase.cr.so+0x0000d051
                                           #02 0x9cd5f29d /data/app/org.chromium.chrome-1/lib/arm/libv8.cr.so+0x0035529d
                                           #03 0x9cd5cbc1 /data/app/org.chromium.chrome-1/lib/arm/libv8.cr.so+0x00352bc1
                                           #04 0x9cd5f333 /data/app/org.chromium.chrome-1/lib/arm/libv8.cr.so+0x00355333
                                           #05 0x9cd0b951 /data/app/org.chromium.chrome-1/lib/arm/libv8.cr.so+0x00301951
                                           #06 0x9cd0a331 /data/app/org.chromium.chrome-1/lib/arm/libv8.cr.so+0x00300331
                                           #07 0x9cd09eab /data/app/org.chromium.chrome-1/lib/arm/libv8.cr.so+0x002ffeab
                                           #08 0x9cc38c4d /data/app/org.chromium.chrome-1/lib/arm/libv8.cr.so+0x0022ec4d
                                           #09 0x9cc3ad8d /data/app/org.chromium.chrome-1/lib/arm/libv8.cr.so+0x00230d8d
                                           #10 0x9cc3b705 /data/app/org.chromium.chrome-1/lib/arm/libv8.cr.so+0x00231705
                                           #11 0x9d00b9cf /data/app/org.chromium.chrome-1/lib/arm/libv8.cr.so+0x006019cf
                                           #12 0x90708923 <unknown>
10-24 16:01:48.086 13390-13638 A/libc: Fatal signal 4 (SIGILL), code 1, fault addr 0xafba958e in tid 13638 (chromium.chrome)
10-24 16:01:48.156 313-30888 I/AudioPolicyManager: getAudioPolicyConfig: audioParam;outDevice

Observed behaviour

Chromium crashes

Expected behaviour

Chromium does not crash

Attachments (2)

verifier_crash1.txt (9.0 KB) - added by asmirnov 23 months ago.
verifier_crash2.txt (7.3 KB) - added by asmirnov 23 months ago.


Change History (9)

Changed 23 months ago by asmirnov

Changed 23 months ago by asmirnov

comment:1 Changed 23 months ago by asmirnov

Symbolized stacktrace:

Searching for native crashes in: /home/antoine/crash_verifier.txt
Unknown Android release, consider passing --packed-lib.
Reading Android symbols from: /home/antoine/chromium/src
Searching for Chrome symbols from within: /home/antoine/chromium/src/out/Default/lib.unstripped:/home/antoine/chromium/src/out/Default/lib:/home/antoine/chromium/src/out/Default
Using toolchain from: /home/antoine/chromium/src/third_party/android_tools/ndk/toolchains/arm-linux-androideabi-4.9/prebuilt/linux-x86_64/bin/arm-linux-androideabi-

Stack Trace:
  RELADDR   FUNCTION                                                                                                                                                                                       FILE:LINE
  000161d5  gin::(anonymous namespace)::PrintStackTrace()                                                                                                                                                  /home/antoine/chromium/src/gin/v8_platform.cc:55
  0000d051  V8_Fatal(char const*, int, char const*, ...)                                                                                                                                                   /home/antoine/chromium/src/v8/src/base/logging.cc:123
  0035529d  v8::internal::compiler::Verifier::Visitor::CheckTypeMaybe(v8::internal::compiler::Node*, v8::internal::compiler::Type*)                                                                        /home/antoine/chromium/src/v8/src/compiler/verifier.cc:72
  00352bc1  v8::internal::compiler::Verifier::Visitor::Check(v8::internal::compiler::Node*)                                                                                                                /home/antoine/chromium/src/v8/src/compiler/verifier.cc:707
  00355333  v8::internal::compiler::Verifier::Run(v8::internal::compiler::Graph*, v8::internal::compiler::Verifier::Typing, v8::internal::compiler::Verifier::CheckInputs)                                 /home/antoine/chromium/src/v8/src/compiler/verifier.cc:1501
  v------>  v8::internal::compiler::VerifyGraphPhase::Run(v8::internal::compiler::PipelineData*, v8::internal::Zone*, bool, bool)                                                                          /home/antoine/chromium/src/v8/src/compiler/pipeline.cc:1587
  v------>  void v8::internal::compiler::PipelineImpl::Run<v8::internal::compiler::VerifyGraphPhase, bool>(bool)                                                                                           /home/antoine/chromium/src/v8/src/compiler/pipeline.cc:873
  00301951  v8::internal::compiler::PipelineImpl::RunPrintAndVerify(char const*, bool)                                                                                                                     /home/antoine/chromium/src/v8/src/compiler/pipeline.cc:1597
  00300331  v8::internal::compiler::PipelineImpl::CreateGraph()                                                                                                                                            /home/antoine/chromium/src/v8/src/compiler/pipeline.cc:1650
  002ffeab  v8::internal::compiler::PipelineCompilationJob::PrepareJobImpl()                                                                                                                               /home/antoine/chromium/src/v8/src/compiler/pipeline.cc:649
  0022ec4d  v8::internal::CompilationJob::PrepareJob()                                                                                                                                                     /home/antoine/chromium/src/v8/src/compiler.cc:101
  v------>  v8::internal::(anonymous namespace)::GetOptimizedCodeLater(v8::internal::CompilationJob*)                                                                                                      /home/antoine/chromium/src/v8/src/compiler.cc:584
  00230d8d  v8::internal::(anonymous namespace)::GetOptimizedCode(v8::internal::Handle<v8::internal::JSFunction>, v8::internal::ConcurrencyMode, v8::internal::BailoutId, v8::internal::JavaScriptFrame*)  /home/antoine/chromium/src/v8/src/compiler.cc:680
  00231705  v8::internal::Compiler::CompileOptimized(v8::internal::Handle<v8::internal::JSFunction>, v8::internal::ConcurrencyMode)                                                                        /home/antoine/chromium/src/v8/src/compiler.cc:971
  006019cf  v8::internal::__RT_impl_Runtime_CompileOptimized_Concurrent(v8::internal::Arguments, v8::internal::Isolate*)                                                                                   /home/antoine/chromium/src/v8/src/runtime/runtime-compiler.cc:53

-----------------------------------------------------

signal 4 (SIGILL), code 1, fault addr 0xafba958e in tid 13638 (chromium.chrome)

comment:2 Changed 23 months ago by asmirnov

  • Description modified (diff)

comment:3 Changed 23 months ago by asmirnov

Does not happen for November 17 revision (and seems to be V8 issue).

Last edited 23 months ago by asmirnov (previous) (diff)

comment:4 Changed 22 months ago by asmirnov

Still happens in the September 6 fork (forked from f7f2f63629747df4e59c6b63e02f9b02c518b33f):

02-02 15:54:15.261 4130-5856 E/v8: #
                                   # Fatal error in ../../v8/src/compiler/verifier.cc, line 72
                                   # 
02-02 15:54:15.261 4130-5856 E/v8: TypeError: node #2:HeapConstant[0x47c84185 <undefined>] type HeapConstant(0x47c84185 <undefined>) must intersect OtherInternal
02-02 15:54:15.261 4130-5856 E/v8: #
02-02 15:54:15.321 4130-5856 E/chromium: #00 0xcd2de1d5 /data/app/org.chromium.chrome-1/lib/arm/libgin.cr.so+0x000161d5
                                         #01 0xde61c051 /data/app/org.chromium.chrome-1/lib/arm/libv8_libbase.cr.so+0x0000d051
                                         #02 0xcdc8429d /data/app/org.chromium.chrome-1/lib/arm/libv8.cr.so+0x0035529d
                                         #03 0xcdc81bc1 /data/app/org.chromium.chrome-1/lib/arm/libv8.cr.so+0x00352bc1
                                         #04 0xcdc84333 /data/app/org.chromium.chrome-1/lib/arm/libv8.cr.so+0x00355333
                                         #05 0xcdc30951 /data/app/org.chromium.chrome-1/lib/arm/libv8.cr.so+0x00301951
                                         #06 0xcdc2f331 /data/app/org.chromium.chrome-1/lib/arm/libv8.cr.so+0x00300331
                                         #07 0xcdc2eeab /data/app/org.chromium.chrome-1/lib/arm/libv8.cr.so+0x002ffeab
                                         #08 0xcdb5dc4d /data/app/org.chromium.chrome-1/lib/arm/libv8.cr.so+0x0022ec4d
                                         #09 0xcdb5fd8d /data/app/org.chromium.chrome-1/lib/arm/libv8.cr.so+0x00230d8d
                                         #10 0xcdb60705 /data/app/org.chromium.chrome-1/lib/arm/libv8.cr.so+0x00231705
                                         #11 0xcdf309cf /data/app/org.chromium.chrome-1/lib/arm/libv8.cr.so+0x006019cf
                                         #12 0x52588923 <unknown>
                                         
                                         
                                         --------- beginning of crash
02-02 15:54:15.321 4130-5856 A/libc: Fatal signal 4 (SIGILL), code 1, fault addr 0xde61e58e in tid 5856 (chromium.chrome)
                                     
                                     [ 02-02 15:54:15.323   422:  422 W/         ]
                                     debuggerd: handling request: pid=4130 uid=10235 gid=10235 tid=5856
02-02 15:54:15.457 5857-5857 A/DEBUG: *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
02-02 15:54:15.457 5857-5857 A/DEBUG: Build fingerprint: 'ZTE/P840F10_RU/ZTE_BLADE_V0800:7.0/NRD90M/20170906.095203:user/release-keys'
02-02 15:54:15.457 5857-5857 A/DEBUG: Revision: '0'
02-02 15:54:15.457 5857-5857 A/DEBUG: ABI: 'arm'
02-02 15:54:15.457 5857-5857 A/DEBUG: pid: 4130, tid: 5856, name: chromium.chrome  >>> org.chromium.chrome <<<
02-02 15:54:15.458 5857-5857 A/DEBUG: signal 4 (SIGILL), code 1 (ILL_ILLOPC), fault addr 0xde61e58e
02-02 15:54:15.458 5857-5857 A/DEBUG:     r0 00000001  r1 00004001  r2 00000000  r3 000016e0
02-02 15:54:15.458 5857-5857 A/DEBUG:     r4 ce12ec2a  r5 00000048  r6 ce1630c6  r7 ec30e7c4
02-02 15:54:15.458 5857-5857 A/DEBUG:     r8 de57ece4  r9 bfdaa2bc  sl 0001ffff  fp de57ee08
02-02 15:54:15.458 5857-5857 A/DEBUG:     ip de627e08  sp de57ecc0  lr de61c063  pc de61e58e  cpsr 800d0030
02-02 15:54:15.460 5857-5857 A/DEBUG: backtrace:
02-02 15:54:15.461 5857-5857 A/DEBUG:     #00 pc 0000f58e  /data/app/org.chromium.chrome-1/lib/arm/libv8_libbase.cr.so (_ZN2v84base2OS5AbortEv+13)
02-02 15:54:15.461 5857-5857 A/DEBUG:     #01 pc 000fccd8  <anonymous:de482000>
Last edited 22 months ago by asmirnov (previous) (diff)
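The logcat excerpts in the description and in comment 4 show different absolute addresses for every frame, yet the `lib.so+0xOFFSET` part of each frame is identical, which is what makes them the same crash and what the symbolizer in comment 1 keys on. The following Python is an added example for this ticket, not code from Chromium, V8 or the ticket's author: it parses such excerpts into a signature that ignores the loader's randomized base addresses, recovers each library's load base as a sanity check, and compares the two dumps. The regular expressions, the `0x?` masking and the abbreviated sample logs (copied from the two excerpts above with most frames dropped) are all constructed here.

```python
"""Added example (not part of the ticket, Chromium or V8): turn an Android
logcat crash excerpt into a load-address-independent crash signature."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Frame formats seen in the ticket: "#NN 0xABS /path/lib.so+0xOFF" and "#NN 0xABS <unknown>".
FRAME_RE = re.compile(r"#(\d+)\s+0x([0-9a-fA-F]+)\s+(\S+?)\+0x([0-9a-fA-F]+)")
UNKNOWN_RE = re.compile(r"#(\d+)\s+0x([0-9a-fA-F]+)\s+<unknown>")
FATAL_RE = re.compile(r"Fatal error in (\S+), line (\d+)")
MESSAGE_RE = re.compile(r"E/v8: (?!#)(.+)")       # the E/v8 line that is not a '#' banner
SIGNAL_RE = re.compile(r"Fatal signal (\d+) \((\w+)\)")
HEX_RE = re.compile(r"0x[0-9a-fA-F]+")            # heap addresses inside the message vary per run


@dataclass(frozen=True)
class Frame:
    index: int
    absolute: int
    module: Optional[str]   # library basename, None for <unknown>
    offset: Optional[int]   # offset inside that library, stable across runs


@dataclass
class CrashSignature:
    source_file: str
    source_line: int
    message: str            # hex addresses masked as 0x?
    signal: str
    frames: List[Frame]

    def key(self):
        """Hashable identity that ignores ASLR-dependent absolute addresses."""
        return (self.source_file, self.source_line, self.message, self.signal,
                tuple((f.module, f.offset) for f in self.frames))


def parse_crash(log: str) -> CrashSignature:
    fatal, msg, sig = FATAL_RE.search(log), MESSAGE_RE.search(log), SIGNAL_RE.search(log)
    if not (fatal and msg and sig):
        raise ValueError("not a complete V8 fatal-error excerpt")
    frames = [Frame(int(i), int(a, 16), path.rsplit("/", 1)[-1], int(off, 16))
              for i, a, path, off in FRAME_RE.findall(log)]
    frames += [Frame(int(i), int(a, 16), None, None) for i, a in UNKNOWN_RE.findall(log)]
    frames.sort(key=lambda f: f.index)
    return CrashSignature(fatal.group(1), int(fatal.group(2)),
                          HEX_RE.sub("0x?", msg.group(1)).strip(), sig.group(2), frames)


def load_bases(sig: CrashSignature) -> Dict[str, int]:
    """Recover each library's load base as absolute - offset. Every frame of one
    library must agree; a mismatch means a corrupt dump or two crashes mixed up."""
    bases: Dict[str, int] = {}
    for f in sig.frames:
        if f.module is None:
            continue
        base = f.absolute - f.offset
        if bases.setdefault(f.module, base) != base:
            raise ValueError(f"inconsistent load base for {f.module}")
    return bases


def same_crash(a: CrashSignature, b: CrashSignature) -> bool:
    return a.key() == b.key()


# Constructed samples: abbreviated copies of the two excerpts in this ticket
# (description, 10-24; comment 4, 02-02). Only frames #00-#02 and #12 are kept.
LOG_DESCRIPTION = """\
10-24 16:01:48.056 13390-13638 E/v8: #
                                     # Fatal error in ../../v8/src/compiler/verifier.cc, line 72
                                     #
10-24 16:01:48.056 13390-13638 E/v8: TypeError: node #2:HeapConstant[0x90a04185 <undefined>] type HeapConstant(0x90a04185 <undefined>) must intersect OtherInternal
10-24 16:01:48.056 13390-13638 E/v8: #
10-24 16:01:48.086 13390-13638 E/chromium: #00 0x9bb551d5 /data/app/org.chromium.chrome-1/lib/arm/libgin.cr.so+0x000161d5
                                           #01 0xafba7051 /data/app/org.chromium.chrome-1/lib/arm/libv8_libbase.cr.so+0x0000d051
                                           #02 0x9cd5f29d /data/app/org.chromium.chrome-1/lib/arm/libv8.cr.so+0x0035529d
                                           #12 0x90708923 <unknown>
10-24 16:01:48.086 13390-13638 A/libc: Fatal signal 4 (SIGILL), code 1, fault addr 0xafba958e in tid 13638 (chromium.chrome)
"""
LOG_COMMENT4 = """\
02-02 15:54:15.261 4130-5856 E/v8: #
                                   # Fatal error in ../../v8/src/compiler/verifier.cc, line 72
                                   #
02-02 15:54:15.261 4130-5856 E/v8: TypeError: node #2:HeapConstant[0x47c84185 <undefined>] type HeapConstant(0x47c84185 <undefined>) must intersect OtherInternal
02-02 15:54:15.261 4130-5856 E/v8: #
02-02 15:54:15.321 4130-5856 E/chromium: #00 0xcd2de1d5 /data/app/org.chromium.chrome-1/lib/arm/libgin.cr.so+0x000161d5
                                         #01 0xde61c051 /data/app/org.chromium.chrome-1/lib/arm/libv8_libbase.cr.so+0x0000d051
                                         #02 0xcdc8429d /data/app/org.chromium.chrome-1/lib/arm/libv8.cr.so+0x0035529d
                                         #12 0x52588923 <unknown>
02-02 15:54:15.321 4130-5856 A/libc: Fatal signal 4 (SIGILL), code 1, fault addr 0xde61e58e in tid 5856 (chromium.chrome)
"""
```

`same_crash(parse_crash(LOG_DESCRIPTION), parse_crash(LOG_COMMENT4))` is true even though no absolute address matches, and `load_bases` returns page-aligned bases for all three libraries in both dumps, confirming the frames are internally consistent. Keying crash buckets on `(module, offset)` plus the masked message, rather than on raw addresses, is what lets a triage pipeline recognise this verifier failure as one bug across devices and runs.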

comment:5 Changed 22 months ago by asmirnov

Seems not to happen in Chromium 64.0.3249.2 with updated v8 (6.4.102).

comment:6 Changed 22 months ago by asmirnov

  • Review URL(s) modified (diff)
  • Status changed from new to reviewing

comment:7 Changed 21 months ago by asmirnov

  • Resolution set to fixed
  • Status changed from reviewing to closed