Segfault when taking heap snapshot with inspector session [Node v16, v18]

[Shiranuit]

Version

v16.17.0

Platform

Linux 5.15.0-46-generic 49~20.04.1-Ubuntu SMP x86_64 x86_64 x86_64 GNU/Linux

Subsystem

No response

What steps will reproduce the bug?

The following script causes a segmentation fault

const inspector = require('inspector');

const session = new inspector.Session();

session.connect();

session.post('HeapProfiler.enable', () => {
  session.on('HeapProfiler.addHeapSnapshotChunk', (message) => {
    console.log(message);
  });
  session.post('HeapProfiler.takeHeapSnapshot', { reportProgress: true }, (err, result) => {
    console.log(result);
  });
});

How often does it reproduce? Is there a required condition?

The bug happens every time the script is run, tested on multiple Linux machines.

What is the expected behavior?

It is expected that node logs the result of the heap snapshot

What do you see instead?

[1] 1152371 segmentation fault (core dumped) node segfault.js

Additional information

The bug seems to appear with Node v16 and is also present in Node v18, works fine with Node v14

This only happens when setting reportProgress: true flag when taking the heap snapshot with HeapProfiler.takeHeapSnapshot

Here is the stacktrace when the segfault occurs

#0  0x00000000010aabc0 in v8::internal::HeapObject::SizeFromMap(v8::internal::Map) const ()
#1  0x0000000000f0084e in v8::internal::PagedSpaceObjectIterator::Next() ()
#2  0x0000000000e95f09 in v8::internal::HeapObjectIterator::NextObject() ()
#3  0x0000000000e9f288 in v8::internal::HeapObjectIterator::Next() ()
#4  0x000000000117263f in v8::internal::V8HeapExplorer::IterateAndExtractReferences(v8::internal::HeapSnapshotGenerator*) ()
#5  0x0000000001172a98 in v8::internal::HeapSnapshotGenerator::GenerateSnapshot() ()
#6  0x00000000011643e6 in v8::internal::HeapProfiler::TakeSnapshot(v8::ActivityControl*, v8::HeapProfiler::ObjectNameResolver*, bool, bool) ()
#7  0x00000000012a0e83 in v8_inspector::V8HeapProfilerAgentImpl::takeHeapSnapshot(v8_crdtp::detail::ValueMaybe<bool>, v8_crdtp::detail::ValueMaybe<bool>, v8_crdtp::detail::ValueMaybe<bool>) ()
#8  0x0000000001513663 in v8_inspector::protocol::HeapProfiler::DomainDispatcherImpl::takeHeapSnapshot(v8_crdtp::Dispatchable const&) ()
#9  0x00000000012e390b in v8_crdtp::UberDispatcher::DispatchResult::Run() ()
#10 0x00000000012abd30 in v8_inspector::V8InspectorSessionImpl::dispatchProtocolMessage(v8_inspector::StringView) ()
#11 0x0000000000bf8b91 in node::inspector::(anonymous namespace)::SameThreadInspectorSession::Dispatch(v8_inspector::StringView const&) ()
#12 0x0000000000c0c2c4 in node::inspector::(anonymous namespace)::JSBindingsConnection<node::inspector::(anonymous namespace)::LocalConnection>::Dispatch(v8::FunctionCallbackInfo<v8::Value> const&) ()
#13 0x0000000000d396ae in v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<false>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, v8::internal::BuiltinArguments) ()
#14 0x0000000000d3aacf in v8::internal::Builtin_HandleApiCall(int, unsigned long*, v8::internal::Isolate*) ()
#15 0x00000000015d5519 in Builtins_CEntry_Return1_DontSaveFPRegs_ArgvOnStack_BuiltinExit ()
#16 0x0000000001567eea in Builtins_InterpreterEntryTrampoline ()
#17 0x00003b2663901599 in ?? ()
#18 0x00000b9a9e8c92c9 in ?? ()
#19 0x0000000600000000 in ?? ()
#20 0x00003b2663901669 in ?? ()
#21 0x00003cb6c3588209 in ?? ()
#22 0x00003cb6c35885b9 in ?? ()
#23 0x0000000300000000 in ?? ()
#24 0x00003cb6c35885b9 in ?? ()
#25 0x00003cb6c3588209 in ?? ()
#26 0x00000b9a9e8c92c9 in ?? ()
#27 0x00003cb6c3588509 in ?? ()
#28 0x0000000200000000 in ?? ()
#29 0x000000e500000000 in ?? ()
#30 0x0000305e9a6ebd59 in ?? ()
#31 0x0000000000000003 in ?? ()
#32 0x00003cb6c3587471 in ?? ()
#33 0x00003cb6c3585701 in ?? ()
#34 0x00007fffffffc338 in ?? ()
#35 0x0000000001567eea in Builtins_InterpreterEntryTrampoline ()
#36 0x00003cb6c3587c09 in ?? ()
#37 0x0000305e9a6e2c49 in ?? ()
#38 0x00003cb6c3588481 in ?? ()
#39 0x00003cb6c35884d1 in ?? ()
#40 0x00003cb6c35884d1 in ?? ()
#41 0x00003cb6c3588481 in ?? ()
#42 0x0000305e9a6e2c49 in ?? ()
#43 0x00003cb6c3587c09 in ?? ()
#44 0x00003cb6c3587471 in ?? ()
#45 0x0000006400000000 in ?? ()
#46 0x0000305e9a6ec799 in ?? ()
#47 0x0000000000000002 in ?? ()
#48 0x00003cb6c3588229 in ?? ()
#49 0x00003cb6c35856d9 in ?? ()
#50 0x00007fffffffc3c0 in ?? ()
#51 0x0000000001567eea in Builtins_InterpreterEntryTrampoline ()
#52 0x000029e82db01119 in ?? ()

[theanarkh]

I can reproduce it on MacOS. It seems the crash is triggered by reportProgress: true. false is ok.

[bnoordhuis]

Known issue, it's mentioned in test/parallel/test-inspector-heap-allocation-tracker.js. The problem is that you can't call into JS during heap snapshotting but that's exactly what { reportProgress: true } does.

[legendecas]

This is not related to the startup snapshot. I'm untagging it with snapshot Issues and PRs related to the startup snapshot .