root->isNull() in lookup.cc

[andy-hanson]

My program works fine in version 0.11.14 but crashes in v0.11.15.
This is run through node --harmony --stack-trace-limit=100, on Linux Mint 17.

The crash that happens depends on the presence of logging statements.
The problem code (which checks the type of a value) was failing on the first line of:

    if (itsType instanceof Array) {
        assert(itsType.length === 1);
        const emType = itsType[0];
        type(instance, Array);
        instance.forEach(function (em) {
            type(em, emType);
        });
    }

with an error object is not a function. When I change it to:

    console.log(itsType)
    if (itsType instanceof Array) ...

it works just fine with no crash. When I change it to:

    if (itsType instanceof Array) {
        assert(itsType.length === 1);
        const emType = itsType[0];
        type(instance, Array);
        instance.forEach(function (em) {
            console.log(type) // !!! This line was added !!!
            type(em, emType);
        });
    }

it runs successfully many times, but eventually crashes in C++ code.

#
# Fatal error in ../deps/v8/src/lookup.cc, line 47
# CHECK(!root->IsNull()) failed
#

==== C stack trace ===============================

 1: V8_Fatal
 2: v8::internal::LookupIterator::GetRoot() const
 3: v8::internal::LookupIterator::LookupIterator(v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Name>, v8::internal::LookupIterator::Configuration)
 4: v8::internal::LoadIC::Load(v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Name>)
 5: v8::internal::LoadIC_Miss(int, v8::internal::Object**, v8::internal::Isolate*)
 6: ??

To reproduce:

git clone https://github.com/andy-hanson/mason.git
cd mason
nvm use 0.11.15
npm install
./gulp ms # Fails but does not crash.
# Now enable src/meta/compile/U/type.js line 17: `console.log(type)`
./gulp ms # Crashes.

[misterdjules]

Could you please try to build the current tip of the v0.12 branch with the change in this PR: #9185? I'm interested in knowing if that PR fixes your issue.

Thank you!

[andy-hanson]

It still fails, although with a slightly different stacktrace.

#
# Fatal error in ../deps/v8/src/lookup.cc, line 47
# CHECK(!root->IsNull()) failed
#

==== C stack trace ===============================

 1: V8_Fatal
 2: v8::internal::LookupIterator::GetRoot() const
 3: v8::internal::LoadIC::Load(v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Name>)
 4: v8::internal::LoadIC_Miss(int, v8::internal::Object**, v8::internal::Isolate*)
 5: ??

[asafyish]

Happens to me too:

#
# Fatal error in ../deps/v8/src/lookup.cc, line 47
# CHECK(!root->IsNull()) failed
#

==== C stack trace ===============================

 1: ??
 2: ??
 3: ??
 4: ??
 5: ??
 6: ??
 7: ??
 8: ??
Illegal instruction: 4

not sure what causing it.
I am using node 0.12.2. It wasn't happening in 0.11.12.
Just noticed it doesn't happen when I run node.js in debug mode:
"--debug-brk=64457 --nolazy"

[marco-aa]

Happens to me too,

Fatal error in ../deps/v8/src/lookup.cc, line 47
CHECK(!root->IsNull()) failed

==== C stack trace ===============================

1: V8_Fatal
2: v8::internal::LookupIterator::GetRoot() const
3: v8::internal::LookupIterator::LookupIterator(v8::internal::Handlev8::internal::Object, v8::internal::Handlev8::internal::Name, v8::internal::LookupIterator::Configuration)
4: v8::internal::LoadIC::Load(v8::internal::Handlev8::internal::Object, v8::internal::Handlev8::internal::Name)
5: v8::internal::LoadIC_Miss(int, v8::internal::Object*, v8::internal::Isolate)
6: ??

For testing i removed all console.log(...) commands - no more output but still crash.
Now i try what asafyish mentioned "--debug-brk=64457 --nolazy". - i'll update if it helps

Version i use :
0.12.2-1nodesource1~wheezy1 amd64

[misterdjules]

@andy-hanson @asafyish @marco-aa Thanks for the information. Does any of you have some code that doesn't use any external dependency (just what's in node's core) with some detailed instructions on how to reproduce the problem?

[marco-aa]

Sorry misterdjules at the moment not. I had this issue at a produtive server and roled back to the old version - i'll try to reproduce it at development machine if i can without external libs. If i can manage this i'll post it here. Others feel free to do the same ;)

[asafyish]

@marco-aa Did running with "--debug-brk=64457 --nolazy" helped ?

@misterdjules I have no simple code to supply. The code involves knex(mysql) and lots of streams.

[marco-aa]

@marco-aa Did running with "--debug-brk=64457 --nolazy" helped ?
I did only one test in production - it did not help but i was under a litle stress because the server was in production and the down time didn't let me check it a 2nd time. So i'm not 100% sure. I'll try to reproduce it tomorrow

[guy4261]

I got a similar error to what @asafyish describes. When I executed my code using node debug --harmony myCode.js (typing in c+<enter> so that the code will continue running in the debugger), I ended up getting the following output:

unhandled res:{"seq":202,"request_seq":1,"type":"response","command":"scripts","success":true,"body":[{"handle":1,"type":"script","name":

... this was a very long line - I'm only showing its beginning here. I copied+pasted it into a text file and it weights 96kb!

So - what are the chances that something that weighs 96kb entered some buffer that was not big enough and ended up crashing the program? I'm not very apt in nodejs internals but I thought maybe this error (and the peculiar 96kb single-line output) may provide a clue...

Apart from that - the code finished running fine and I got my results. Fresh node 0.12.2 installation on a MacOS Yosemite 10.10.3 .

[phdunham]

Hello, I am seeing this error too. I took my app and cut it down to 50 lines that gives a "Segmentation fault: 11." I have tried to make it smaller, but when I remove any line, the error goes away.

To run: node --harmony test.js
you can get the source from: https://raw.githubusercontent.com/phdunham/public/master/test.js
My Environment:

• OS X 10.10.3 (14D136)
• iTerm 2 Build 2.1.1
• nvm 0.24.1
• node v0.12.2
• npm 2.7.4

5/26/15: only fails on node v0.12.x - works fine on v11 and io.js.

[vjpr]

+1 Same error message when attempting to connect to debug server.

[cosinusoidally]

This affects nodejs 0.12.7. Looks like it is a crankshaft bug. If you run the test in the comment by @phdunham you get a segfault after about 10000 iterations. If you run node with --no-crankshaft the bug goes away.

I did a git bisect on the upstream version of v8. It looks like the bug was introduced on 1e2d50cf3d94ff48285da107b7a9da1ad0fc873d and fixed on a668cd6fc80ea452921c94560dcb6e653976ae47 . I did get a bit mixed up with branches though. It might be worth repeating the bisect on the master branch.

Incidentally, if you take the test code above and convert it back to ES5 (replace let with var) then nodejs hangs after a random number of iterations.

[emersion]

I have the same error too. Happens when using the mpris module (which depends on dbus), and trying to call Player.OpenUri(). If you want the code to reproduce, I can post it.

#
# Fatal error in ../deps/v8/src/lookup.cc, line 47
# CHECK(!root->IsNull()) failed
#

==== C stack trace ===============================

 1: V8_Fatal
 2: v8::internal::LookupIterator::GetRoot() const
 3: v8::internal::LoadIC::Load(v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Name>)
 4: v8::internal::LoadIC_Miss(int, v8::internal::Object**, v8::internal::Isolate*)
 5: ??
Illegal instruction (core dumped)

[skysilence]

I got the problem too.
Error trace is similar to emersion's,I got it with v0.12.0 at first. So I changed a lot of ways to modify my func, but i got the error randomness，i can run over my script sometimes.

At last, I changed my node to V5.0 by nvm, it worked fine at the beginning, I almost think it was been sloved. But I got the error too on the third day, then it occours happened like before.

I think there is some relations with deep circle and long time wait, but i cannot sure. If someone like to resolve it, I can post my code with pleasure! Thx

[skysilence]

@misterdjules