Skip to content
This repository has been archived by the owner on Apr 22, 2023. It is now read-only.

V8 lateral 3.28 update #9185

Closed
wants to merge 4 commits into from
Closed

V8 lateral 3.28 update #9185

wants to merge 4 commits into from

Conversation

trevnorris
Copy link

3.28.73 was actually from an unstable branch of V8. This reverts those changes to the actual latest stable 3.28. The reason for this is because of an edge case IC Miss that is causing a specific case to abort (see #9181 (comment))

I'm not sure if we want to re-enable handle zapping or not.

R=@tjfontaine @misterdjules

trevnorris and others added 3 commits February 18, 2015 13:15
The 3.28.73 update was technically unstable code. This reverts the code
to the latest 3.28 stable release.
Reviewed-By: Fedor Indutny <fedor@indutny.com>
PR-URL: #8476
Reviewed-By: Fedor Indutny <fedor@indutny.com>
PR-URL: #8476
@trevnorris
Copy link
Author

@richardlau Thanks. Taken care of.

@@ -150,7 +146,7 @@
'Map, instance_size, int, kInstanceSizeOffset',
'Map, bit_field, char, kBitFieldOffset',
'Map, bit_field2, char, kBitField2Offset',
'Map, bit_field3, int, kBitField3Offset',
'Map, bit_field3, SMI, kBitField3Offset',

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

4312f8d changed bit_field3 to be an int instead of an SMI, so that mdb_v8 can actually inspect its value and determine the correct type depending on which V8 version is used. We'll need to keep this field as an int to keep mdb_v8 working.

Bugs fixed:

* v0.12 and later: in-object properties not printing correctly.
* 64-bit: not printing external strings correctly (offset was hardcoded
for 32-bit). This would happen with "::jsstack -vn0" because the
script "node.js" wasn't printed correctly, at least with 0.10 core
files.
* 64-bit: printing JS source (via "::jsstack -v") emits errors and shows
the wrong code.
* Several build warnings.
* Two-byte strings are unnecessarily truncated.
* Could print friendlier note when given obviously bogus function token
positions.

New features:

* ::jsstack prints much cleaner output by default.
* ::jsprint keys are now quoted.
* ::jsstack -v includes "this" value for each function on the stack.
* ::jsstack -v includes more details about each argument (constructor
names for each object).
* new commands: ::jsconstructor, ::jsfunctions, ::jssource, ::nodebuffer
and ::v8internal.
* ::findjsobjects and ::jsprint hidden flags for developers to measure
and improve test coverage.
* internal jsobj_properties() function is much better documented.

Reviewed-By: Timothy J Fontaine <tjfontaine@gmail.com>

Conflicts:
	deps/mdb_v8/mdb_v8.c
	test/pummel/test-postmortem-details.js
@misterdjules
Copy link

@trevnorris
Copy link
Author

#9113 unfortunately is not fixed by this. Still investigating the others.

@trevnorris
Copy link
Author

This also doesn't help #9084. Don't have the energy today, but may do a bisect of V8 versions until I can find the one that seems to have broken so many things.

@trevnorris
Copy link
Author

Bisected one of the issues down: #9084 (comment)

@misterdjules
Copy link

@trevnorris Just FYI, I asked @piranna to test this PR with NodeOS. It will be interesting to know if it fixes this use case.

@@ -35,7 +35,6 @@ namespace std {
int signbit(double x);
}
# endif
#include <alloca.h>

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This had been added by floating a patch that fixes build issues on SmartOS. In the meantime, I believe most of the changes from this patch except the inclusion of the alloca.h header on Solaris derivatives have been upstreamed.

Floating this patch again would solve this build issue on SmartOS: http://jenkins.nodejs.org/job/node-test-commit-unix/DESTCPU=ia32,label=smartos/13/console.

We should however probably upstream it too.

@misterdjules
Copy link

@trevnorris It seems we're also missing another floating patch.

@misterdjules
Copy link

@trevnorris There's also a build error on one of the OS X Jenkins agent. I tried to reproduce it on my local OS X setup without success.

@piranna
Copy link

piranna commented Feb 24, 2015

Ok, I've checked NodeOS 32 bits with the commit ac21a53 and it's not working, so seems it's not fixed, sorry... :-(

@misterdjules
Copy link

Pasting my comment in #9097 (comment) here to provide some context:

The commit you would want to test though is d6249d0, and it requires the other commits here: https://github.com/joyent/node/pull/9185/commits.

ac21a53 in itself wouldn't solve the issue with NodeOS, as it only brings bug fixes and new features to mdb_v8, which is a library that helps mdb to inspect node processes.

Do you have some time to try these commits?

@piranna
Copy link

piranna commented Feb 25, 2015

According to git tree the commits are chained. I've tested with the different ones and didn't work, so I assume that no, the don't fix my problem with NodeOS :-(

@misterdjules
Copy link

@piranna Yes, if you did a git checkout ac21a53 after fetching joyent/node, then you tested the right set of changes.

I had interpreted your previous message as if you had specifically cherry-picked ac21a53, sorry for the confusion, and thank you again for your help!

@piranna
Copy link

piranna commented Feb 25, 2015

Yes, that's exactly what I did :-) git cherry-pick is a somewhat advanced command compared to git checkout, so it would be a little bit insane to test it this way, isn't it? ;-)

@misterdjules
Copy link

@trevnorris I've never used what is provided by handle zapping before. If I understand correctly, that helps when investigating crashes/bugs because handles removed from the handles scope have a very specific value that is easily recognizable.

I don't know what the impact on performance for removing that is (my understanding is that it could improve performance), and I don't know how useful it is for release builds.

@joyent/node-coreteam @indutny @bnoordhuis What do you think?

@@ -1,82 +0,0 @@
*.a

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you know why has the .gitignore file been removed by this downgrade?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

because cp doesn't copy .* from the dir. it can be reverted if it's an issue.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the less changes we have from upstream the better, even though in this case it has no impact on functionality, so I would say that we'd like to put it back in.

@misterdjules
Copy link

@trevnorris Finally had some time to do a full review. Aside from the comments I added, I'm not familiar enough with V8's implementation to have a very valid opinion, but if that's what's the V8 team recommends, what are the next steps to land this?

@trevnorris
Copy link
Author

It's been so long I can't remember if it was the V8 team specifically that recommended this be done. It was more because the current version of V8 in Node isn't an actual stable release.

This will have to be rebased, and the changes you commented on will have to be made.

@misterdjules
Copy link

@trevnorris Someone from the V8 team recommended this version here: #9241.

@trevnorris Do you have the time to do what needs to be done to land this (rebasing + floating some of the missing patches again)?

@trevnorris
Copy link
Author

@misterdjules sorry, i'm on site at Intuit for the week. I could work on this next Wednesday.

@bnoordhuis
Copy link
Member

I've never used what is provided by handle zapping before. If I understand correctly, that helps when investigating crashes/bugs because handles removed from the handles scope have a very specific value that is easily recognizable.

I don't know what the impact on performance for removing that is (my understanding is that it could improve performance), and I don't know how useful it is for release builds.

You would normally turn off handle zapping in release builds and turn it on in debug builds or nightlies.

By the way, you should do this upgrade sooner rather than later. 3.28.73 has a couple of memory corruption bugs that may be remotely exploitable and I think it also has that security bug where new Function(...) is vulnerable to arbitrary JS code execution.

There are probably more security patches that you have to back-port from newer releases, what with 3.28 not being maintained. I'm fairly sure there were fixes in 3.29, 3.30 and 3.31 that haven't been applied to 3.28.

@misterdjules
Copy link

@bnoordhuis Thank you for the feedback! Is there a resource somewhere where some information about V8's security issues/bugs can be found? I looked at v8-users and v8-dev but didn't find anything. /cc @jakobkummerow.

@bnoordhuis
Copy link
Member

I don't believe there is anything like a v8-security mailing list. I just track V8 development and keep an eye out for patches that look like security fixes.

@jakobkummerow
Copy link

Right. If you use the tip of a supported branch, you don't have to worry about anything. If you insist on using an outdated, unsupported branch, you can watch what we merge back to still-supported branches. If it fixes code that's already present in your branch, you'll want the patch too.

Re handle zapping, as @bnoordhuis said, it flushes out bugs but has a performance penalty. It should be turned off in production. It can be helpful for developing changes either within V8 or in the embedder -- basically anything that uses HandleScopes.

@misterdjules
Copy link

@bnoordhuis Thanks!

@jakobkummerow Thank you for your feedback too! Regarding V8's branches and tags: I use this application to determine what the current V8 stable is: https://omahaproxy.appspot.com. Today, it seems that the current stable V8 is 4.2.77.14.

In my clone of V8's github mirror repository, I can see the corresponding tag, and it seems that it corresponds to this commit: v8/v8@d7f25f5.

However this commit doesn't seem to be on the 4.2.77 branch, but on the master branch. What branch(es) should I watch to know about changes that land in stable versions?

@misterdjules
Copy link

@trevnorris The commit message for ac21a53 seems to include too many things. Something like mdb_v8: fix dictionary properties access seems to represent more what this change does.

There's an issue to upstream part of that change here: #9147.

I also wonder why we have two different symbols prop_type_mask and fieldindex_mask for the same value (PropertyDetails::FieldIndexField::kMask). Same for PropertyDetails::FieldIndexField::kShift. @indutny @trevnorris @davepacheco Are they duplicates?

@jakobkummerow
Copy link

@misterdjules Close :-)

4.2.77.14 is the version of V8 shipped in the latest stable Chrome (and a reasonable approximation of what you want to ship). The actual latest V8 version on the 4.2 branch is at https://chromium.googlesource.com/v8/v8.git/+/branch-heads/4.2. As of this writing the branch's tip is 4.2.77.15, one back-merge ahead of what Chrome ships -- the next Chrome update will pick it up. This is the authoritative source of the branch that you'll want to watch.

Note how the tag you found on github says "Merged d7f25f5" -- so yeah, d7f25f5 is indeed a master commit that was merged to the 4.2 branch. The merge commit is e65bd3efa19fb96186900ea88809a78347bf23aa (you can find this hash a little further down on the page).
Also note that the branch you/we care about is called "4.2", not "4.2.77". GitHub doesn't show it as a branch; that's an artifact of the mirroring process.

@piranna
Copy link

piranna commented Apr 16, 2015

4.2.77.14 is the version of V8 shipped in the latest stable Chrome (and a reasonable approximation of what you want to ship). The actual latest V8 version on the 4.2 branch is at https://chromium.googlesource.com/v8/v8.git/+/branch-heads/4.2. As of this writing the branch's tip is 4.2.77.15, one back-merge ahead of what Chrome ships -- the next Chrome update will pick it up. This is the authoritative source of the branch that you'll want to watch.

Then maybe we should follow the updates and use the latest stable release, isn't it? Maybe a good aproach would be to use the same major version on the current branch, so since v0.12 ships a 3.x v8 we should use the latest 3.x v8 stable release but the 4.x on Node.js v0.13, isn't it?

@jakobkummerow
Copy link

@piranna Yes you should follow the updates and use the latest stable release, which right now is 4.2.77.15. You can see on https://chromium.googlesource.com/v8/v8.git/+/branch-heads/4.2 when the tip of the 4.2 branch updates, and you can see on omahaproxy.appspot.com when you should switch from 4.2 to 4.3. (I wonder how many more times I'll have to repeat that.)

V8 branch naming works somewhat similar to Linux kernel versions:

  • 3.29 -> 3.30 -> 4.1 -> 4.2 -> 4.3 -> ... happens predictably every six weeks, and every one of those branches, a while after having been created, becomes the stable branch you should update to.
  • 3.x -> 4.x -> 5.x happens irregularly every couple of years when we feel like it, and is just naming. There's absolutely no reason to stick with "the latest stable 3.x release" -- this concept has no meaning. Today, 3.30 is just as outdated and unsupported as 4.1 is.

@piranna
Copy link

piranna commented Apr 16, 2015

I was not asking to do it myself, I don't have enough Node.js internals to do so, but instead about the path Node.js dev should follow. According to your message, they should release the latest and greatest release of v8, similar to what seems io.js is currently doing, isn't it? 👍 to this.

@misterdjules
Copy link

@trevnorris @joyent/node-coreteam Created #18206 to continue this work.

@piranna
Copy link

piranna commented Apr 22, 2015

Do you suggest we test against that brach to see if it works for us (for
example on NodeOS?
El 22/04/2015 06:18, "Julien Gilli" notifications@github.com escribió:

@trevnorris https://github.com/trevnorris @joyent/node-coreteam
https://github.com/orgs/joyent/teams/node-coreteam Created #18206
#18206 to continue this work.


Reply to this email directly or view it on GitHub
#9185 (comment).

@misterdjules
Copy link

@piranna No, unfortunately there's no reason that the PR at #18206 would fix issues with NodeOS if this one does not, but thank you very much for asking! 👍

@misterdjules
Copy link

@trevnorris Closing this one in favor of #18206 to avoid confusion, but of course let me know if we should keep it open. Thanks!

@misterdjules
Copy link

@jakobkummerow Thank you very much for the clarification on the branching model, I will use https://chromium.googlesource.com/v8/v8.git/ from now on, since it seems to have all the information I need contrary to the GitHub mirror.

Also, to clarify why the current V8 version in Node.js is outdated: I don't think anyone "insist[s] on using an outdated, unsupported branch". We would use the latest and greatest if we could and are very much aware that the differences between V8's release cycle and Node.js' release cycle make this difficult. We are working on solving that problem. However, this is not the only problem we need to solve. It takes time and our time is limited.

I hope you'll be happy to hear that you won't have to repeat yourself :)

Thank you!

@piranna
Copy link

piranna commented Apr 22, 2015

You are welcome :-)

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants