Node: V8_Fatal exception when running "jest" tests

Created on 20 Jun 2017  路  10Comments  路  Source: nodejs/node
  • Version: v9.0.0-pre (d3c668cea)
  • Platform: macos 10.12 (16.6.0 Darwin Kernel Version 16.6.0: Fri Apr 14 16:21:16 PDT 2017; root:xnu-3789.60.24~6/RELEASE_X86_64 x86_64 i386 MacBookPro13,3 Darwin)
  • Subsystem: v8, possibly vm

Repository for reproducing the error: https://github.com/jgoz/node-jest-failure

Command executed:

$ path/to/out/Debug/node ./node_modules/.bin/jest

When executing jest tests with node at d3c668cea, a V8_Fatal exception is thrown before the tests can even begin. The following stack trace is produced:

#
# Fatal error in ../deps/v8/src/objects-inl.h, line 1955
# Check failed: has_named_interceptor().
#

==== C stack trace ===============================

    0   node                                0x0000000101c01c2e v8::base::debug::StackTrace::StackTrace() + 30
    1   node                                0x0000000101c01c65 v8::base::debug::StackTrace::StackTrace() + 21
    2   node                                0x0000000101a51627 v8::platform::(anonymous namespace)::PrintStackTrace() + 23
    3   node                                0x0000000101bfbdfd V8_Fatal + 445
    4   node                                0x00000001011c0a31 v8::internal::Map::GetNamedInterceptor() + 81
    5   node                                0x00000001011abfad v8::internal::JSObject::GetNamedInterceptor() + 29
    6   node                                0x00000001011be0dc v8::internal::__RT_impl_Runtime_LoadPropertyWithInterceptor(v8::internal::Arguments, v8::internal::Isolate*) + 716
    7   node                                0x00000001011bdcb0 v8::internal::Runtime_LoadPropertyWithInterceptor(int, v8::internal::Object**, v8::internal::Isolate*) + 272
    8   ???                                 0x00002c5ab4184264 0x0 + 48768080167524
Received signal 4 <unknown> 000101c05971
[1]    31361 illegal hardware instruction  ../node/out/Debug/node ./node_modules/.bin/jest

Note that this error _does not_ occur in 8.1.2, so the behaviour was a fairly recent change. Possibly a V8 update? It looks like V8 was upgraded from 5.8 to 5.9 between 8.1.2 and master.

Jest uses vm heavily internally, which is why I guessed that the issue was in that subsystem, but I'm not sure.

V8 Engine vm
Source
picture jgoz

Most helpful comment

Here's the fix: https://chromium.googlesource.com/v8/v8.git/+/6cb999b97b7953ebfd4aabf2e1f62bf405f21c69

picture isheludko on 6 Jul 2017
🎉3 👍2

All 10 comments

/cc @nodejs/v8

mscdex picture mscdex on 20 Jun 2017

/cc @fhinkel

bmeurer picture bmeurer on 20 Jun 2017

I have a similar issue with canary. Reported it here: https://bugs.chromium.org/p/v8/issues/detail?id=6490

targos picture targos on 27 Jun 2017

Load property with interceptor sounds like it's coming from the vm module. I can look into it, but probably won't get to it until later next week.

fhinkel picture fhinkel on 27 Jun 2017

With V8 6.0 I have the same issue as canary:

$ node-v8-60/out/Debug/node run.js 

 RUNS  ./test.js


#
# Fatal error in ../deps/v8/src/ic/ic.cc, line 879
# Check failed: NameDictionary::kNotFound != number (-1 vs. -1).
#

==== C stack trace ===============================

    node-v8-60/out/Debug/node(v8::base::debug::StackTrace::StackTrace()+0x1d) [0x2a5c347]
    node-v8-60/out/Debug/node() [0x28f88d1]
    node-v8-60/out/Debug/node(V8_Fatal+0xff) [0x2a58f00]
    node-v8-60/out/Debug/node() [0x22b2bf8]
    node-v8-60/out/Debug/node(v8::internal::LoadIC::LoadFromPrototype(v8::internal::Handle<v8::internal::Map>, v8::internal::Handle<v8::internal::JSObject>, v8::internal::Handle<v8::internal::Name>, v8::internal::Handle<v8::internal::Smi>)+0x280) [0x22b2ef4]
    node-v8-60/out/Debug/node(v8::internal::LoadIC::GetMapIndependentHandler(v8::internal::LookupIterator*)+0x690) [0x22b457a]
    node-v8-60/out/Debug/node(v8::internal::IC::ComputeHandler(v8::internal::LookupIterator*)+0x31) [0x22b3c17]
    node-v8-60/out/Debug/node(v8::internal::LoadIC::UpdateCaches(v8::internal::LookupIterator*)+0x43b) [0x22b396d]
    node-v8-60/out/Debug/node(v8::internal::LoadIC::Load(v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Name>)+0x2c9) [0x22b1b97]
    node-v8-60/out/Debug/node(v8::internal::KeyedLoadIC::Load(v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>)+0x1c4) [0x22b69a2]
    node-v8-60/out/Debug/node() [0x22bcff0]
    node-v8-60/out/Debug/node(v8::internal::Runtime_KeyedLoadIC_Miss(int, v8::internal::Object**, v8::internal::Isolate*)+0x109) [0x22bce38]
    [0x3d25b804564]
Received signal 4 ILL_ILLOPN 000002a5ea4f
[1]    23456 illegal hardware instruction (core dumped)  node-v8-60/out/Debug/node run.js

Maybe we should focus on this one first, if we want to update to 6.0 soon.

targos picture targos on 30 Jun 2017

This is also an issue with V8 5.9; I鈥檒l try to spend a bit of time looking into it today.

addaleax picture addaleax on 30 Jun 2017

git bisect says:

v8/v8@336d6e429cabbdf5f0f38637c9df1bf5c56acd55 is the first bad commit

/cc @verwaest

addaleax picture addaleax on 30 Jun 2017

@verwaest is OOO starting next week. /cc @isheludko

bmeurer picture bmeurer on 30 Jun 2017

Here is a simplified test case:

require('vm').runInNewContext(`

const wrapperSymbol = 'test'; //Symbol("wrapper");
function wrapperForImpl(impl) {
  return impl ? impl[wrapperSymbol] : null;
};

function test(o) {
  for (var i = 0; i < 1e6; i++) {
    wrapperForImpl(o);
  }
}

test(this);

`);
targos picture targos on 3 Jul 2017

Here's the fix: https://chromium.googlesource.com/v8/v8.git/+/6cb999b97b7953ebfd4aabf2e1f62bf405f21c69

isheludko picture isheludko on 6 Jul 2017
🎉3 👍2
Was this page helpful?
0 / 5 - 0 ratings

Related issues

ksushilmaurya picture ksushilmaurya  路  3Comments
filipesilvaa picture filipesilvaa  路  3Comments
sandeepks1 picture sandeepks1  路  3Comments
akdor1154 picture akdor1154  路  3Comments
cong88 picture cong88  路  3Comments