SEGFAULT in v8::internal::FixedArrayBase::length when calling V8::C::Object::New()

[ignisf]

This issue arises on ARMv7.

Test:

require 'v8'
o = V8::C::Object::New()

Backtrace:

Starting program: /usr/bin/ruby test.rb --logging
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/arm-linux-gnueabihf/libthread_db.so.1".
[New Thread 0xb6ffa460 (LWP 15677)]
[New Thread 0xb6252460 (LWP 15678)]

Program received signal SIGSEGV, Segmentation fault.
0xb65fc1ca in v8::internal::FixedArrayBase::length (this=0x0) at ../src/objects-inl.h:2464
2464    SMI_ACCESSORS(FixedArrayBase, length, kLengthOffset)
#0  0xb65fc1ca in v8::internal::FixedArrayBase::length (this=0x0) at ../src/objects-inl.h:2464
        value = 0x6c796765
#1  0xb65fb706 in v8::internal::FixedArray::get (this=0x0, index=3) at ../src/objects-inl.h:1785
No locals.
#2  0xb65f84fc in v8::internal::Context::global_object (this=0x0) at ../src/contexts.h:333
        result = 0x5
#3  0xb662f4b2 in v8::internal::Context::native_context (this=0x0) at ../src/contexts.cc:71
        current = 0x2f1d00
#4  0xb65f90aa in v8::internal::Isolate::object_function (this=0x2f1d00) at ../src/isolate.h:818
No locals.
#5  0xb65f19ba in v8::Object::New () at ../src/api.cc:5013
        isolate = 0x2f1d00
        __state__ = {<v8::internal::Embedded> = {<No data fields>}, isolate_ = 0x2f1d00, previous_tag_ = v8::internal::EXTERNAL}
        obj = {location_ = 0x0}
#6  0xb65dcfc0 in rr::Object::New (self=<optimized out>) at object.cc:69
No locals.
#7  0xb6f622f2 in ?? () from /usr/lib/libruby-1.9.1.so.1.9
No symbol table info available.

[ignisf]

Here's how this looks from Ruby's point of view: https://gist.github.com/ignisf/f2bf6ca540938c1a8072

[ignisf]

This might not be an ARM-specific issue, see rubyjs/therubyracer#310

[ignisf]

Same issue under a Debian Daily image on an x86 system:

Starting program: /usr/bin/ruby test.rb
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/i686/cmov/libthread_db.so.1".
[New Thread 0xb7fd9b40 (LWP 4941)]
[New Thread 0xb6c95b40 (LWP 4942)]

Program received signal SIGSEGV, Segmentation fault.
0xb7225a69 in v8::internal::FixedArrayBase::length (this=0x0)
    at ../src/objects-inl.h:2464
2464    SMI_ACCESSORS(FixedArrayBase, length, kLengthOffset)
#0  0xb7225a69 in v8::internal::FixedArrayBase::length (this=0x0)
    at ../src/objects-inl.h:2464
        value = 0x0
#1  0xb72250d5 in v8::internal::FixedArray::get (this=0x0, index=3)
    at ../src/objects-inl.h:1785
No locals.
#2  0xb7221e4d in v8::internal::Context::global_object (this=0x0)
    at ../src/contexts.h:333
        result = 0xb76e0a00 <v8::internal::Snapshot::data_>
#3  0xb725e0c1 in v8::internal::Context::native_context (this=0x0)
    at ../src/contexts.cc:71
        current = 0xb722b2b9 <v8::internal::VMState::VMState(v8::internal::Isolate*, v8::internal::StateTag)+295>
#4  0xb722276f in v8::internal::Isolate::object_function (this=0x834eee8)
    at ../src/isolate.h:818
No locals.
#5  0xb721a3a3 in v8::Object::New () at ../src/api.cc:5013
        isolate = 0x834eee8
        __state__ = {<v8::internal::Embedded> = {<No data fields>}, 
          isolate_ = 0x834eee8, previous_tag_ = v8::internal::EXTERNAL}
        obj = {location_ = 0x804bbc8}
#6  0xb71faa08 in rr::Object::New (self=137614380) at object.cc:69
No locals.
#7  0xb7e89ecb in ?? () from /usr/lib/i386-linux-gnu/libruby-2.1.so.2.1
No symbol table info available.
#8  0xb7e8ed2e in ?? () from /usr/lib/i386-linux-gnu/libruby-2.1.so.2.1
No symbol table info available.
#9  0xb7e9e690 in ?? () from /usr/lib/i386-linux-gnu/libruby-2.1.so.2.1
No symbol table info available.
#10 0xb7e964c1 in ?? () from /usr/lib/i386-linux-gnu/libruby-2.1.so.2.1
No symbol table info available.
#11 0xb7e9b550 in ?? () from /usr/lib/i386-linux-gnu/libruby-2.1.so.2.1
No symbol table info available.
#12 0xb7e9d150 in rb_iseq_eval_main ()
   from /usr/lib/i386-linux-gnu/libruby-2.1.so.2.1
No symbol table info available.
#13 0xb7d8e725 in ?? () from /usr/lib/i386-linux-gnu/libruby-2.1.so.2.1
No symbol table info available.
#14 0xb7d90112 in ruby_exec_node ()
   from /usr/lib/i386-linux-gnu/libruby-2.1.so.2.1
No symbol table info available.
#15 0xb7d91ebf in ruby_run_node ()
   from /usr/lib/i386-linux-gnu/libruby-2.1.so.2.1
No symbol table info available.
#16 0x080486ae in ?? ()
No symbol table info available.
#17 0xb7a75a63 in __libc_start_main (main=0x8048650, argc=2, argv=0xbffffdc4, 
    init=0x80487b0 <__libc_csu_init>, fini=0x8048820 <__libc_csu_fini>, 
    rtld_fini=0xb7fedc90 <_dl_fini>, stack_end=0xbffffdbc) at libc-start.c:287
        result = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {-1212141568, 0, 0, 0, 
                632851170, -1795772686}, mask_was_saved = 0}}, priv = {pad = {
              0x0, 0x0, 0x2, 0x80486bc <_start>}, data = {prev = 0x0, 
              cleanup = 0x0, canceltype = 2}}}
        not_first_call = <optimized out>
#18 0x080486dd in _start ()
No symbol table info available.
A debugging session is active.

[ignisf]

@cowboyd, we need somebody more knowledgeable in debugging C++ to handle this one

[georgyangelov]

Also verified on Debian 7 x86 and x86_64. This seems to be happening when an object is created without a HandleScope and Context, and instead of giving an error message it simply crashes.

This segfault is also happening in therubyracer's specs due to a monkey patch that doesn't work anymore (rubyjs/therubyracer#333).

To be clear, IMO this is just an erroneous way of creating an object and not an actual bug. Unless you count the no-error-message crash as bug, which I agree with, but should not be an issue for this project.

Working test:

require 'v8'

V8::C::HandleScope() do
  template = V8::C::ObjectTemplate.New()
  context = V8::C::Context.New(nil, template)
  context.Enter

  p V8::C::Object.New()
end

[ignisf]

awesome!