Abort during Object.keys after vm.runInContext #22723

cxreg · 2018-09-06T04:35:21Z

This occurs in both master and v10.x-staging but didn't repro in 10.9.0

./node -e 'let test = { not: "empty" }; vm.createContext(test); Object.keys(vm.runInContext("this", test))'


#
# Fatal error in , line 0
# Check failed: element->ToUint32(&number).
#
#
#
#FailureMessage Object: 0x7ffdaccc1b20Illegal instruction

Here's the llnode backtrace:

 * thread #1: tid = 15265, 0x00007fffef24ce49 node`v8::base::OS::Abort() + 9, name = 'node', stop reason = signal SIGILL: illegal instruction operand
  * frame #0: 0x00007fffef24ce49 node`v8::base::OS::Abort() + 9
    frame #1: 0x00007fffef24901a node`V8_Fatal(char const*, int, char const*, ...) + 362
    frame #2: 0x00007fffeeb45ce3 node`v8::internal::(anonymous namespace)::CollectInterceptorKeysInternal(v8::internal::Handle<v8::internal::JSReceiver>, v8::internal::Handle<v8::internal::JSObject>, v8::internal::Handle<v8::internal::InterceptorInfo>, v8::internal::KeyAccumulator*, v8::internal::(anonymous namespace)::IndexedOrNamed) + 1507
    frame #3: 0x00007fffeeb475f1 node`v8::internal::KeyAccumulator::CollectOwnElementIndices(v8::internal::Handle<v8::internal::JSReceiver>, v8::internal::Handle<v8::internal::JSObject>) + 305
    frame #4: 0x00007fffeeb489b2 node`v8::internal::KeyAccumulator::CollectOwnKeys(v8::internal::Handle<v8::internal::JSReceiver>, v8::internal::Handle<v8::internal::JSObject>) + 274
    frame #5: 0x00007fffeeb496b5 node`v8::internal::KeyAccumulator::CollectKeys(v8::internal::Handle<v8::internal::JSReceiver>, v8::internal::Handle<v8::internal::JSReceiver>) + 69
    frame #6: 0x00007fffeeb499e6 node`v8::internal::KeyAccumulator::GetKeys(v8::internal::Handle<v8::internal::JSReceiver>, v8::internal::KeyCollectionMode, v8::internal::PropertyFilter, v8::internal::GetKeysConversion, bool, bool) + 166
    frame #7: 0x00007fffeed14d1f node`v8::internal::Runtime_ObjectKeys(int, v8::internal::Object**, v8::internal::Isolate*) + 143
    frame #8: 0x000006d8132dc01d <exit>
    frame #9: 0x000006d81331f255 keys(this=0x00002de71e2045d1:<function: Object at (no script)>, 0x00002a3391b027d9:<Global proxy>) at (no script) fn=0x00002de71e205139
    frame #10: 0x000006d8132918b5 (anonymous)(this=0x00000be72f61a8f1:<Global proxy>) at repl:1:0 fn=0x0000047a28af6aa1
    frame #11: 0x000006d81328ee55 <internal>
    frame #12: 0x000006d813289521 <entry>
    frame #13: 0x00007fffeea0e540 node`v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) + 272
    frame #14: 0x00007fffee681d28 node`v8::Script::Run(v8::Local<v8::Context>) + 536
    frame #15: 0x00007fffee466ddc node`node::contextify::ContextifyScript::EvalMachine(node::Environment*, long, bool, bool, v8::FunctionCallbackInfo<v8::Value> const&) + 1036
    frame #16: 0x00007fffee467127 node`node::contextify::ContextifyScript::RunInThisContext(v8::FunctionCallbackInfo<v8::Value> const&) + 343
    frame #17: 0x00007fffee6ea4c2 node`v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<false>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, v8::internal::BuiltinArguments) + 530
    frame #18: 0x00007fffee6eb069 node`v8::internal::Builtin_HandleApiCall(int, v8::internal::Object**, v8::internal::Isolate*) + 185
    frame #19: 0x000006d8132dc01d <exit>
    frame #20: 0x000006d8132918b5 runInThisContext(this=0x00002a3391b022e1:<Object: ContextifyScript>, 0x00002a3391b02399:<Object: Object>) at vm.js:91:19 fn=0x0000083ade3c0761
    frame #21: 0x000006d8132918b5 defaultEval(this=0x00001241ac282201:<Object: REPLServer>, 0x00002a3391b02409:<String: "let test = { not...">, 0x00000be72f61a8f1:<Global proxy>, 0x00002de71e231309:<String: "repl">, 0x00002a3391b02481:<function: finish at repl.js:629:20>) at repl.js:227:23 fn=0x00001241ac282309
    frame #22: 0x000006d8132918b5 bound(this=0x00003a32c6b826f1:<undefined>, 0x00001241ac282201:<Object: REPLServer>, 0x00001241ac282461:<Object: EventEmitter>, 0x00001241ac282309:<function: defaultEval at repl.js:227:23>, 0x00002a3391b024c1:<unknown>) at domain.js:391:15 fn=0x00001241ac282349
    frame #23: 0x000006d8132918b5 runBound(this=0x00001241ac282201:<Object: REPLServer>) at domain.js:408:20 fn=0x00001241ac282511
    frame #24: 0x000006d81328a5a3 <adaptor>
    frame #25: 0x000006d8132918b5 onLine(this=0x00001241ac282201:<Object: REPLServer>, 0x00002a3391b024e1:<String: "let test = { not...">) at repl.js:582:34 fn=0x00001241ac282591
    frame #26: 0x000006d8132918b5 emit(this=0x00001241ac282201:<Object: REPLServer>, 0x00003a32c6b86a51:<String: "line">) at events.js:140:44 fn=0x00002de71e2433a9
    frame #27: 0x000006d81328a5a3 <adaptor>
    frame #28: 0x000006d8132918b5 EventEmitter.emit(this=0x00001241ac282201:<Object: REPLServer>) at domain.js:431:39 fn=0x0000047a28aa74e9
    frame #29: 0x000006d81328a5a3 <adaptor>
    frame #30: 0x000006d8132918b5 Interface._onLine(this=0x00001241ac282201:<Object: REPLServer>, 0x00002a3391b024e1:<String: "let test = { not...">) at readline.js:283:39 fn=0x000016f9f5553e81
    frame #31: 0x000006d8132918b5 Interface._line(this=0x00001241ac282201:<Object: REPLServer>) at readline.js:635:37 fn=0x000016f9f5554381
    frame #32: 0x000006d8132918b5 Interface._ttyWrite(this=0x00001241ac282201:<Object: REPLServer>, 0x00000f3a729af9e1:<String: "
">, 0x00002a3391b02631:<Object: Object>) at readline.js:756:41 fn=0x000016f9f5554501
    frame #33: 0x000006d8132918b5 REPLServer.self._ttyWrite(this=0x00001241ac282201:<Object: REPLServer>, 0x00000f3a729af9e1:<String: "
">, 0x00002a3391b02631:<Object: Object>) at repl.js:693:20 fn=0x0000047a28ad4f59
    frame #34: 0x000006d8132918b5 onkeypress(this=0x00001241ac2826f1:<Object: ReadStream>, 0x00000f3a729af9e1:<String: "
">, 0x00002a3391b02631:<Object: Object>) at readline.js:167:22 fn=0x00001241ac282639
    frame #35: 0x000006d8132918b5 emit(this=0x00001241ac2826f1:<Object: ReadStream>, 0x0000047a28ac8cc9:<String: "keypress">) at events.js:140:44 fn=0x00002de71e2433a9
    frame #36: 0x000006d81328a5a3 <adaptor>
    frame #37: 0x000006d8132918b5 EventEmitter.emit(this=0x00001241ac2826f1:<Object: ReadStream>) at domain.js:431:39 fn=0x0000047a28aa74e9
    frame #38: 0x000006d81328a5a3 <adaptor>
    frame #39: 0x000006d8132918b5 emitKeys(this=0x00003a32c6b826f1:<undefined>, 0x00003a32c6b82801:<hole>) at (external).js:166:19 fn=0x000012bdb5259ed1
    frame #40: 0x000006d813332c3b
    frame #41: 0x000006d8132918b5 onData(this=0x00001241ac2826f1:<Object: ReadStream>, 0x00002a3391b026b1:<ArrayBufferView: backingStore=0x0000555557806e80, byteOffset=0, byteLength=1>) at readline.js:1006:18 fn=0x00001241ac282859
    frame #42: 0x000006d8132918b5 emit(this=0x00001241ac2826f1:<Object: ReadStream>, 0x00002de71e23c291:<String: "data">) at events.js:140:44 fn=0x00002de71e2433a9
    frame #43: 0x000006d81328a5a3 <adaptor>
    frame #44: 0x000006d8132918b5 EventEmitter.emit(this=0x00001241ac2826f1:<Object: ReadStream>) at domain.js:431:39 fn=0x0000047a28aa74e9
    frame #45: 0x000006d81328a5a3 <adaptor>
    frame #46: 0x000006d8132918b5 addChunk(this=0x00003a32c6b826f1:<undefined>, 0x00001241ac2826f1:<Object: ReadStream>, 0x00001241ac282899:<Object: ReadableState>, 0x00002a3391b026b1:<ArrayBufferView: backingStore=0x0000555557806e80, byteOffset=0, byteLength=1>, 0x00003a32c6b829a1:<false>) at (external).js:280:18 fn=0x000012bdb5237531
    frame #47: 0x000006d8132918b5 readableAddChunk(this=0x00003a32c6b826f1:<undefined>, 0x00001241ac2826f1:<Object: ReadStream>, 0x00002a3391b026b1:<ArrayBufferView: backingStore=0x0000555557806e80, byteOffset=0, byteLength=1>, 0x00003a32c6b826f1:<undefined>, 0x00003a32c6b829a1:<false>, 0x00003a32c6b826f1:<undefined>) at (external).js:227:26 fn=0x000012bdb52374f1
    frame #48: 0x000006d8132918b5 Readable.push(this=0x00001241ac2826f1:<Object: ReadStream>, 0x00002a3391b026b1:<ArrayBufferView: backingStore=0x0000555557806e80, byteOffset=0, byteLength=1>, 0x00003a32c6b826f1:<undefined>) at (external).js:202:35 fn=0x00000f3a729c5149
    frame #49: 0x000006d81328a5a3 <adaptor>
    frame #50: 0x000006d8132918b5 onStreamRead(this=0x00001241ac2829b9:<Object: TTY>, <Smi: 1>, 0x00002a3391b026b1:<ArrayBufferView: backingStore=0x0000555557806e80, byteOffset=0, byteLength=1>) at (external).js:87:22 fn=0x000012bdb525c879
    frame #51: 0x000006d81328ee55 <internal>
    frame #52: 0x000006d813289521 <entry>
    frame #53: 0x00007fffeea0e540 node`v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) + 272
    frame #54: 0x00007fffee68602f node`v8::Function::Call(v8::Local<v8::Context>, v8::Local<v8::Value>, int, v8::Local<v8::Value>*) + 415
    frame #55: 0x00007fffee433cf9 node`node::InternalMakeCallback(node::Environment*, v8::Local<v8::Object>, v8::Local<v8::Function>, int, v8::Local<v8::Value>*, node::async_context) + 441
    frame #56: 0x00007fffee3fddd6 node`node::AsyncWrap::MakeCallback(v8::Local<v8::Function>, int, v8::Local<v8::Value>*) + 134
    frame #57: 0x00007fffee4fe3f4 node`node::StreamBase::CallJSOnreadMethod(long, v8::Local<v8::Object>) + 196
    frame #58: 0x00007fffee4fe4cc node`node::EmitToJSStreamListener::OnStreamRead(long, uv_buf_t const&) + 156
    frame #59: 0x00007fffee504eb1 node`node::LibuvStreamWrap::ReadStart()::{lambda(uv_stream_s*, long, uv_buf_t const*)#2}::_FUN(uv_stream_s*, long, uv_buf_t const*) + 161
    frame #60: 0x00007fffee5a2242 node`uv__read(stream=<unavailable>) + 674 at stream.c:1257
    frame #61: 0x00007fffee5a2880 node`uv__stream_io(loop=<unavailable>, w=<unavailable>, events=<unavailable>) + 624 at stream.c:1324
    frame #62: 0x00007fffee5a8260 node`uv__io_poll(loop=<unavailable>, timeout=<unavailable>) + 976 at linux-core.c:401
    frame #63: 0x00007fffee59761b node`uv_run(loop=<unavailable>, mode=<unavailable>) + 331 at core.c:370
    frame #64: 0x00007fffee43d425 node`node::Start(v8::Isolate*, node::IsolateData*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) + 1909
    frame #65: 0x00007fffee43b08a node`node::Start(int, char**) + 1386
    frame #66: 0x00007ffff6b942b1 libc.so.6`__libc_start_main + 241
    frame #67: 0x00007fffee3f4b2a node`_start + 42

The text was updated successfully, but these errors were encountered:

rvagg · 2018-09-06T04:42:02Z

looks like #22390 is to blame, reverting those commits makes it happy again.

TimothyGu · 2018-09-06T14:23:20Z

I’m okay with reverting #22390 for now, though this looks like a V8 issue. /cc @camillobruni

jasnell · 2018-09-06T14:33:11Z

Agreed. Let's revert 22390.

camillobruni · 2018-09-06T15:40:02Z

Could you rule out an issue on node side?
An oversight in one of the interceptors might easily cause this bug, we've had no issue on V8-side so far.

TimothyGu · 2018-09-06T15:45:11Z

Hmm, upon a further look this might be caused by our indexed enumerator returning non-integers. Will take a closer look.

camillobruni · 2018-09-06T19:05:22Z

thanks!

addaleax · 2018-09-12T12:24:17Z

@TimothyGu Any updates? Should we revert for now?

targos · 2018-09-12T12:44:44Z

Adding the 11.0.0 milestone so we don't release this bug by mistake

TimothyGu · 2018-09-12T14:00:50Z

@addaleax Yeah, reverting is the best idea for now.

addaleax · 2018-09-13T08:32:43Z

Potential fix in #22836 :)

This reverts commit 85c356c from PR nodejs#22390. See the discussion in the (proposed) fix at nodejs#22836. Refs: nodejs#22836 Refs: nodejs#22390 Fixes: nodejs#22723

Some of the choices here are odd, including that symbols are missing. However, that matches previous behaviour. What had to be changed was that inherited properties are no longer included; the alternative would be to also refactor the descriptor callbacks to provide data for inherited properties. Fixes: nodejs#22723 Refs: nodejs#22390

rvagg added vm Issues and PRs related to the vm subsystem. v8 engine Issues and PRs related to the V8 dependency. labels Sep 6, 2018

This was referenced Sep 6, 2018

src: implement query callbacks for vm #22390

Closed

Release proposal: v10.10.0 #22716

Merged

TimothyGu self-assigned this Sep 6, 2018

addaleax added the confirmed-bug Issues with confirmed bugs. label Sep 12, 2018

targos added this to the 11.0.0 milestone Sep 12, 2018

addaleax mentioned this issue Sep 13, 2018

src: fix vm enumerator callbacks #22836

Closed

3 tasks

addaleax mentioned this issue Sep 17, 2018

Revert "src: implement query callbacks for vm" #22911

Closed

2 tasks

addaleax closed this as completed in 8989c76 Sep 18, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Abort during Object.keys after vm.runInContext #22723

Abort during Object.keys after vm.runInContext #22723

cxreg commented Sep 6, 2018

rvagg commented Sep 6, 2018

TimothyGu commented Sep 6, 2018 •

edited

Loading

jasnell commented Sep 6, 2018

camillobruni commented Sep 6, 2018

TimothyGu commented Sep 6, 2018

camillobruni commented Sep 6, 2018

addaleax commented Sep 12, 2018

targos commented Sep 12, 2018

TimothyGu commented Sep 12, 2018

addaleax commented Sep 13, 2018

Abort during Object.keys after vm.runInContext #22723

Abort during Object.keys after vm.runInContext #22723

Comments

cxreg commented Sep 6, 2018

rvagg commented Sep 6, 2018

TimothyGu commented Sep 6, 2018 • edited Loading

jasnell commented Sep 6, 2018

camillobruni commented Sep 6, 2018

TimothyGu commented Sep 6, 2018

camillobruni commented Sep 6, 2018

addaleax commented Sep 12, 2018

targos commented Sep 12, 2018

TimothyGu commented Sep 12, 2018

addaleax commented Sep 13, 2018

TimothyGu commented Sep 6, 2018 •

edited

Loading