Issue 141021: emscripten demo crashes chrome tab
6 people starred this issue.
Status:  Fixed
Owner:  mma...@chromium.org
Closed:  Sep 2012
Cc:  danno@chromium.org, vegorov@chromium.org, kbr@chromium.org
Reported by step...@mindjunk.org, Aug 6, 2012
Chrome Version       : 21.0.1180.60
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
URLs (if applicable) : http://syntensity.com/static/lua.html
Other browsers tested:
Add OK or FAIL after other browsers where you have tested this issue:
Safari 5:
Firefox 4.x:
IE 7/8/9:

What steps will reproduce the problem?
1. Launch url
2. Tab crashes.
3. If it doesn't crash, refresh.

The attached url crashes the tab for me 9 times out of 10.

What is the expected result?


What happens instead?


Please provide any additional information below. Attach a screenshot if
possible.

UserAgentString: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.60 Safari/537.1


Aug 13, 2012
#1 alonza...@gmail.com
I can reproduce this on Ubuntu 12.04, Chrome 22.0.1229.2 dev. I usually need to refresh the page a few times.

I have also seen tab crashes in other emscripten-compiled projects recently, for example BananaBread (if I play the demo for a while, the tab tends to crash).

Aug 21, 2012
#2 alonza...@gmail.com
I can reproduce what seems like it could be the exact same problem on

http://kripken.github.com/misc-js-benchmarks/bullet/

Running the tab the first time is ok. But when I refresh it always crashes the tab.

Aug 27, 2012
#3 vegorov@chromium.org
Bullet demo reliably crashes on me on the Mac Canary (23.0.1245.0). Stack indicates V8 problem. HAdd seems to have a NULL pointer somewhere inside:

Thread 0 *CRASHED* ( EXC_BAD_ACCESS / KERN_PROTECTION_FAILURE @ 0x00000000 )
0x01359531  [Google Chrome Framework - lithium-ia32.cc:565]           v8::internal::LChunkBuilder::DoArithmeticT
0x0135e509  [Google Chrome Framework - lithium-ia32.cc:1393]          v8::internal::LChunkBuilder::DoAdd
0x0118d6d7  [Google Chrome Framework - hydrogen-instructions.cc:52]   v8::internal::HAdd::CompileToLithium
0x013586f4  [Google Chrome Framework - lithium-ia32.cc:860]           v8::internal::LChunkBuilder::VisitInstruction
0x01358256  [Google Chrome Framework - lithium-ia32.cc:841]           v8::internal::LChunkBuilder::DoBasicBlock
0x0135808a  [Google Chrome Framework - lithium-ia32.cc:456]           v8::internal::LChunkBuilder::Build
0x012004de  [Google Chrome Framework - lithium.cc:406]                v8::internal::LChunk::NewChunk
0x0112705d  [Google Chrome Framework - compiler.cc:355]               v8::internal::OptimizingCompiler::OptimizeGraph
0x011298ab  [Google Chrome Framework - compiler.cc:208]               v8::internal::GenerateCode
0x01128549  [Google Chrome Framework - compiler.cc:398]               v8::internal::Compiler::CompileLazy
0x0123af14  [Google Chrome Framework - objects.cc:7355]               v8::internal::JSFunction::CompileOptimized
0x0129eed1  [Google Chrome Framework - runtime.cc:8281]               v8::internal::Runtime_LazyRecompile

I have a feeling that it is most probably related to the stack check elimination. It builds HAdd with a NULL context and a representation coming from another addition (see BuildOffsetAdd and CoverCheck). In debug mode there is an assertion that checks that the index is represented as Integer32; however, HBoundsCheck does allow the index to be tagged (see HBoundsCheck::RequiredInputRepresentation), so I am not sure how it holds. Debugging is required to confirm this hypothesis.

Status: Assigned
Owner: danno@chromium.org
Cc: mma...@chromium.org vegorov@chromium.org
Labels: -Area-Undefined Area-WebKit
Aug 27, 2012
#4 vegorov@chromium.org
No crash with --noarray_bounds_checks_elimination, which seems to confirm my hypothesis. Probably it should be disabled on trunk.
Aug 27, 2012
#5 svenpanne@chromium.org
With a debug build one gets the following on http://kripken.github.com/misc-js-benchmarks/bullet/:

# Fatal error in v8/src/hydrogen.cc, line 3530
# CHECK(new_check->index()->representation().IsInteger32()) failed

Owner: mma...@chromium.org
Cc: -mma...@chromium.org danno@chromium.org
Labels: -OS-Windows
Aug 28, 2012
#6 kbr@chromium.org
(No comment was entered for this change.)
Cc: kbr@chromium.org
Sep 6, 2012
#7 danno@chromium.org
Any progress with this one? Massi, at the very least, we should disable ABC if you haven't already until this issue is fixed.
Sep 12, 2012
#8 mma...@chromium.org
Fix committed in r12493.
Status: Fixed
Sep 12, 2012
#9 mma...@chromium.org
(I meant committed in the V8 tree as r12493...)
Oct 13, 2012
#10 bugdro...@chromium.org
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Labels: Restrict-AddIssueComment-Commit
Mar 10, 2013
#11 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Area-WebKit Cr-Content
Apr 5, 2013
#12 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Cr-Content Cr-Blink