Issue 141021: emscripten demo crashes chrome tab
Status: Fixed
Closed: Sep 2012

Reported by, Aug 6, 2012
Chrome Version: 21.0.1180.60
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
URLs (if applicable):
Other browsers tested:
Add OK or FAIL after other browsers where you have tested this issue:
Safari 5:
Firefox 4.x:
IE 7/8/9:

What steps will reproduce the problem?
1. Launch the URL.
2. Tab crashes.
3. If it doesn't crash, refresh.

The attached URL crashes the tab for me 9 times out of 10.

UserAgentString: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.60 Safari/537.1

Aug 13, 2012
I can reproduce this on Ubuntu 12.04, Chrome 22.0.1229.2 dev. I usually need to refresh the page a few times.

I have also seen tab crashes in other emscripten-compiled projects recently, for example BananaBread (if I play the demo for a while, the tab tends to crash).

Aug 21, 2012
I can reproduce what seems like it could be the exact same problem on

Running the tab the first time is ok. But when I refresh it always crashes the tab.

Aug 27, 2012
Bullet demo reliably crashes on me on the Mac Canary (23.0.1245.0). Stack indicates V8 problem. HAdd seems to have a NULL pointer somewhere inside:

0x01359531	 [Google Chrome Framework]	 -]	v8::internal::LChunkBuilder::DoArithmeticT
0x0135e509	 [Google Chrome Framework]	 -]	v8::internal::LChunkBuilder::DoAdd
0x0118d6d7	 [Google Chrome Framework]	 -]	v8::internal::HAdd::CompileToLithium
0x013586f4	 [Google Chrome Framework]	 -]	v8::internal::LChunkBuilder::VisitInstruction
0x01358256	 [Google Chrome Framework]	 -]	v8::internal::LChunkBuilder::DoBasicBlock
0x0135808a	 [Google Chrome Framework]	 -]	v8::internal::LChunkBuilder::Build
0x012004de	 [Google Chrome Framework]	 -]	v8::internal::LChunk::NewChunk
0x0112705d	 [Google Chrome Framework]	 -]	v8::internal::OptimizingCompiler::OptimizeGraph
0x011298ab	 [Google Chrome Framework]	 -]	v8::internal::GenerateCode
0x01128549	 [Google Chrome Framework]	 -]	v8::internal::Compiler::CompileLazy
0x0123af14	 [Google Chrome Framework]	 -]	v8::internal::JSFunction::CompileOptimized
0x0129eed1	 [Google Chrome Framework]	 -]	v8::internal::Runtime_LazyRecompile

I have a feeling that most probably it is related to the stack check elimination. It builds HAdd with a NULL context and a representation coming from another addition (see BuildOffsetAdd and CoverCheck). In debug mode there is an assertion that checks that the index is represented as Integer32; however, HBoundsCheck does allow the index to be tagged (see HBoundsCheck::RequiredInputRepresentation), so I am not sure how it holds. Debugging is required, however, to confirm this hypothesis.

Status: Assigned
Labels: -Area-Undefined Area-WebKit
Aug 27, 2012
No crash with --noarray_bounds_checks_elimination, which seems to confirm my hypothesis. Probably it should be disabled on trunk.
Aug 27, 2012
With a debug build one gets the following on

# Fatal error in v8/src/, line 3530
# CHECK(new_check->index()->representation().IsInteger32()) failed

Labels: -OS-Windows
Aug 28, 2012
Sep 6, 2012
Any progress with this one? Massi, at the very least, we should disable ABC (if you haven't already) until this issue is fixed.
Sep 12, 2012
Fix committed in r12493.
Status: Fixed
Sep 12, 2012
(I meant committed in the V8 tree as r12493...)
Oct 13, 2012
Mar 10, 2013
Labels: -Area-WebKit Cr-Content
Apr 5, 2013
Labels: -Cr-Content Cr-Blink
