Segmentation fault on v8::internal::AllocationTracker::AllocationEvent

[orgads]

• Version: v10.16.0
• Platform: Linux voice-ai-connector 4.18.0-1024-azure docs: Change contributing documentation to io.js #25~18.04.1-Ubuntu SMP Fri Jun 28 23:27:46 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
• Subsystem: V8

When running a leaky load test, node crashes after a while with the following stack trace (package obtained from official nodesource repo):

* thread #1, name = 'node', stop reason = signal SIGSEGV
  * frame #0: 0x00000000010c663d node`v8::internal::AllocationTracker::AllocationEvent(unsigned long, int) + 141
    frame #1: 0x0000000000efc9a2 node`v8::internal::Heap::AllocateRaw(int, v8::internal::AllocationSpace, v8::internal::AllocationAlignment) + 146
    frame #2: 0x0000000000f038b2 node`v8::internal::Heap::AllocateRawWithRetryOrFail(int, v8::internal::AllocationSpace, v8::internal::AllocationAlignment) + 34
    frame #3: 0x0000000000ecbbb5 node`v8::internal::Factory::AllocateRawWithImmortalMap(int, v8::internal::PretenureFlag, v8::internal::Map*, v8::internal::AllocationAlignment) (.constprop.141) + 37
    frame #4: 0x0000000000ed0874 node`v8::internal::Factory::NewByteArray(int, v8::internal::PretenureFlag) + 52
    frame #5: 0x0000000000e5acfe node`v8::internal::TranslatedState::AllocateStorageFor(v8::internal::TranslatedValue*) + 30
    frame #6: 0x0000000000e5afd3 node`v8::internal::TranslatedState::EnsureJSObjectAllocated(v8::internal::TranslatedValue*, v8::internal::Handle<v8::internal::Map>) + 67
    frame #7: 0x0000000000e66c0a node`v8::internal::TranslatedState::EnsureCapturedObjectAllocatedAt(int, std::stack<int, std::deque<int, std::allocator<int> > >*) + 746
    frame #8: 0x0000000000e65bca node`v8::internal::TranslatedState::EnsureObjectAllocatedAt(v8::internal::TranslatedValue*) + 570
    frame #9: 0x0000000000e65cd4 node`v8::internal::TranslatedValue::GetValue() + 100
    frame #10: 0x0000000000e65d79 node`v8::internal::Deoptimizer::MaterializeHeapObjects() + 105
    frame #11: 0x0000000001145915 node`v8::internal::Runtime_NotifyDeoptimized(int, v8::internal::Object**, v8::internal::Isolate*) + 181
    frame #12: 0x000022cf1fa5be1d
    frame #13: 0x000022cf1fa12883
    frame #14: 0x000022cf1fa11da0
    frame #15: 0x000022cf1fa0a5c3
    frame #16: 0x000022cf1fa12a60
    frame #17: 0x000022cf1fa11da0
    frame #18: 0x000022cf1fa118d5
    frame #19: 0x000022cf1fa118d5
    frame #20: 0x000022cf1fa118d5
    frame #21: 0x000022cf1fadb05a
    frame #22: 0x000022cf1fa70f3f
    frame #23: 0x000022cf1fa0a5c3
    frame #24: 0x000022cf1fa118d5
    frame #25: 0x000022cf1fa118d5
    frame #26: 0x000022cf1fa118d5
    frame #27: 0x000022cf1fa0ee75
    frame #28: 0x000022cf1fa092c1
    frame #29: 0x0000000000e9eb33 node`v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) + 259
    frame #30: 0x0000000000b25a99 node`v8::Function::Call(v8::Local<v8::Context>, v8::Local<v8::Value>, int, v8::Local<v8::Value>*) + 377
    frame #31: 0x0000000000b25c51 node`v8::Function::Call(v8::Local<v8::Value>, int, v8::Local<v8::Value>*) + 65
    frame #32: 0x00000000008c8d79 node`node::InternalCallbackScope::Close() + 521
    frame #33: 0x00000000008fb437 node`node::InternalMakeCallback(node::Environment*, v8::Local<v8::Object>, v8::Local<v8::Function>, int, v8::Local<v8::Value>*, node::async_context) + 359
    frame #34: 0x00000000008c3419 node`node::AsyncWrap::MakeCallback(v8::Local<v8::Function>, int, v8::Local<v8::Value>*) + 137
    frame #35: 0x00000000009c8824 node`node::StreamBase::CallJSOnreadMethod(long, v8::Local<v8::Object>) + 212
    frame #36: 0x00000000009c88f3 node`node::EmitToJSStreamListener::OnStreamRead(long, uv_buf_t const&) + 147
    frame #37: 0x0000000000a2b03f node`node::TLSWrap::ClearOut() + 207
    frame #38: 0x0000000000a2b718 node`node::TLSWrap::OnStreamRead(long, uv_buf_t const&) + 168
    frame #39: 0x00000000009cebe1 node`node::LibuvStreamWrap::ReadStart()::'lambda0'(uv_stream_s*, long, uv_buf_t const*)::_FUN(uv_stream_s*, long, uv_buf_t const*) + 161
    frame #40: 0x0000000000a7a769 node`uv__read(stream=0x0000000003ff6d98) at stream.c:1234
    frame #41: 0x0000000000a7ad90 node`uv__stream_io(loop=<unavailable>, w=0x0000000003ff6e20, events=1) at stream.c:1301
    frame #42: 0x0000000000a80738 node`uv__io_poll(loop=0x000000000264f860, timeout=0) at linux-core.c:379
    frame #43: 0x0000000000a6f7cb node`uv_run(loop=0x000000000264f860, mode=UV_RUN_DEFAULT) at core.c:364
    frame #44: 0x0000000000904525 node`node::Start(v8::Isolate*, node::IsolateData*, std::vector<std::string, std::allocator<std::string> > const&, std::vector<std::string, std::allocator<std::string> > const&) + 1381
    frame #45: 0x000000000090272c node`node::Start(int, char**) + 1180
    frame #46: 0x00007f8f25874b97 libc.so.6`__libc_start_main + 231
    frame #47: 0x00000000008bbc65 node`_start + 41

I have a coredump (~340M). Let me know if it can help.

[orgads]

Reproduced also with Node v12.7.0.

[bnoordhuis]

Can you post the output of dissasemble and info registers? Thanks.

edit: and info proc mappings!

[orgads]

(gdb) disassemble
Dump of assembler code for function _ZN2v88internal17AllocationTracker15AllocationEventEmi:
   0x00000000010c65b0 <+0>:     push   %rbp
   0x00000000010c65b1 <+1>:     mov    $0x1,%r8d
   0x00000000010c65b7 <+7>:     mov    $0x1,%ecx
   0x00000000010c65bc <+12>:    mov    %rsp,%rbp
   0x00000000010c65bf <+15>:    push   %r15
   0x00000000010c65c1 <+17>:    push   %r14
   0x00000000010c65c3 <+19>:    push   %r13
   0x00000000010c65c5 <+21>:    push   %r12
   0x00000000010c65c7 <+23>:    mov    %rdi,%r12
   0x00000000010c65ca <+26>:    push   %rbx
   0x00000000010c65cb <+27>:    sub    $0x568,%rsp
   0x00000000010c65d2 <+34>:    mov    (%rdi),%rax
   0x00000000010c65d5 <+37>:    mov    %rsi,-0x580(%rbp)
   0x00000000010c65dc <+44>:    mov    %edx,-0x584(%rbp)
   0x00000000010c65e2 <+50>:    mov    0x50(%rax),%r15
   0x00000000010c65e6 <+54>:    mov    %r15,%rdi
   0x00000000010c65e9 <+57>:    sub    $0x20,%r15
   0x00000000010c65ed <+61>:    callq  0xeef450 <_ZN2v88internal4Heap20CreateFillerObjectAtEmiNS0_18ClearRecordedSlotsENS0_20ClearFreedMemoryModeE>
   0x00000000010c65f2 <+66>:    lea    -0x550(%rbp),%rdi
   0x00000000010c65f9 <+73>:    mov    %r15,%rsi
   0x00000000010c65fc <+76>:    callq  0xeb5df0 <_ZN2v88internal18StackFrameIteratorC2EPNS0_7IsolateE>
   0x00000000010c6601 <+81>:    cmpq   $0x0,-0x48(%rbp)
   0x00000000010c6606 <+86>:    je     0x10c68e6 <_ZN2v88internal17AllocationTracker15AllocationEventEmi+822>
   0x00000000010c660c <+92>:    lea    -0x550(%rbp),%rdi
   0x00000000010c6613 <+99>:    mov    $0x1,%ebx
   0x00000000010c6618 <+104>:   callq  0xeb7450 <_ZN2v88internal23JavaScriptFrameIterator7AdvanceEv>
   0x00000000010c661d <+109>:   mov    -0x48(%rbp),%rdi
   0x00000000010c6621 <+113>:   test   %rdi,%rdi
   0x00000000010c6624 <+116>:   je     0x10c68e6 <_ZN2v88internal17AllocationTracker15AllocationEventEmi+822>
   0x00000000010c662a <+122>:   nopw   0x0(%rax,%rax,1)
   0x00000000010c6630 <+128>:   mov    (%rdi),%rax
   0x00000000010c6633 <+131>:   callq  *0x98(%rax)
   0x00000000010c6639 <+137>:   mov    0x17(%rax),%r13
=> 0x00000000010c663d <+141>:   mov    -0x1(%r13),%rax
   0x00000000010c6641 <+145>:   lea    -0x1(%r13),%rsi
   0x00000000010c6645 <+149>:   movzbl 0x7(%rax),%edx
   0x00000000010c6649 <+153>:   shl    $0x3,%edx
   0x00000000010c664c <+156>:   test   %edx,%edx
   0x00000000010c664e <+158>:   jne    0x10c6730 <_ZN2v88internal17AllocationTracker15AllocationEventEmi+384>
   0x00000000010c6654 <+164>:   movzwl 0xb(%rax),%eax
   0x00000000010c6658 <+168>:   lea    -0xb7(%rax),%edx
   0x00000000010c665e <+174>:   cmp    $0xd,%dx
   0x00000000010c6662 <+178>:   jbe    0x10c6910 <_ZN2v88internal17AllocationTracker15AllocationEventEmi+864>
   0x00000000010c6668 <+184>:   mov    %eax,%edx
   0x00000000010c666a <+186>:   and    $0xffffffbf,%edx
   0x00000000010c666d <+189>:   cmp    $0x8,%dx
   0x00000000010c6671 <+193>:   je     0x10c6928 <_ZN2v88internal17AllocationTracker15AllocationEventEmi+888>
   0x00000000010c6677 <+199>:   cmp    $0x88,%ax
   0x00000000010c667b <+203>:   je     0x10c6968 <_ZN2v88internal17AllocationTracker15AllocationEventEmi+952>
   0x00000000010c6681 <+209>:   cmp    $0x89,%ax
   0x00000000010c6685 <+213>:   je     0x10c6980 <_ZN2v88internal17AllocationTracker15AllocationEventEmi+976>
   0x00000000010c668b <+219>:   cmp    $0x8a,%ax
   0x00000000010c668f <+223>:   je     0x10c69c8 <_ZN2v88internal17AllocationTracker15AllocationEventEmi+1048>
   0x00000000010c6695 <+229>:   test   %dx,%dx
   0x00000000010c6698 <+232>:   je     0x10c6950 <_ZN2v88internal17AllocationTracker15AllocationEventEmi+928>
   0x00000000010c669e <+238>:   cmp    $0x96,%ax
   0x00000000010c66a2 <+242>:   je     0x10c6910 <_ZN2v88internal17AllocationTracker15AllocationEventEmi+864>
   0x00000000010c66a8 <+248>:   cmp    $0x97,%ax
   0x00000000010c66ac <+252>:   je     0x10c69d8 <_ZN2v88internal17AllocationTracker15AllocationEventEmi+1064>
   0x00000000010c66b2 <+258>:   lea    -0xc5(%rax),%edx
   0x00000000010c66b8 <+264>:   cmp    $0x1,%dx
   0x00000000010c66bc <+268>:   jbe    0x10c6910 <_ZN2v88internal17AllocationTracker15AllocationEventEmi+864>
   0x00000000010c66c2 <+274>:   cmp    $0xd4,%ax
   0x00000000010c66c6 <+278>:   je     0x10c6a72 <_ZN2v88internal17AllocationTracker15AllocationEventEmi+1218>
   0x00000000010c66cc <+284>:   lea    -0x8b(%rax),%edx
   0x00000000010c66d2 <+290>:   cmp    $0xa,%dx
   0x00000000010c66d6 <+294>:   jbe    0x10c6998 <_ZN2v88internal17AllocationTracker15AllocationEventEmi+1000>
   0x00000000010c66dc <+300>:   cmp    $0xd1,%ax
   0x00000000010c66e0 <+304>:   je     0x10c6a10 <_ZN2v88internal17AllocationTracker15AllocationEventEmi+1120>
   0x00000000010c66e6 <+310>:   cmp    $0xcd,%ax
   0x00000000010c66ea <+314>:   je     0x10c6ac9 <_ZN2v88internal17AllocationTracker15AllocationEventEmi+1305>
   0x00000000010c66f0 <+320>:   cmp    $0xd0,%ax
   0x00000000010c66f4 <+324>:   je     0x10c6a58 <_ZN2v88internal17AllocationTracker15AllocationEventEmi+1192>
   0x00000000010c66fa <+330>:   cmp    $0xcb,%ax
   0x00000000010c66fe <+334>:   je     0x10c6a86 <_ZN2v88internal17AllocationTracker15AllocationEventEmi+1238>
   0x00000000010c6704 <+340>:   cmp    $0x82,%ax
   0x00000000010c6708 <+344>:   je     0x10c6a96 <_ZN2v88internal17AllocationTracker15AllocationEventEmi+1254>
   0x00000000010c670e <+350>:   testb  $0x1,0x2b(%r13)
   0x00000000010c6713 <+355>:   jne    0x10c6a30 <_ZN2v88internal17AllocationTracker15AllocationEventEmi+1152>
   0x00000000010c6719 <+361>:   mov    0x27(%r13),%edx
   0x00000000010c671d <+365>:   add    $0x7,%edx
   0x00000000010c6720 <+368>:   and    $0xfffffff8,%edx
   0x00000000010c6723 <+371>:   add    $0x5f,%edx
   0x00000000010c6726 <+374>:   and    $0xffffffe0,%edx
   0x00000000010c6729 <+377>:   nopl   0x0(%rax)
   0x00000000010c6730 <+384>:   mov    (%r12),%rdi
   0x00000000010c6734 <+388>:   xor    %ecx,%ecx
   0x00000000010c6736 <+390>:   movslq %ebx,%r15
   0x00000000010c6739 <+393>:   callq  0x10d5bb0 <_ZN2v88internal14HeapObjectsMap14FindOrAddEntryEmjb>
   0x00000000010c673e <+398>:   mov    %r13,%rsi
   0x00000000010c6741 <+401>:   mov    %eax,%edx
   0x00000000010c6743 <+403>:   mov    %r12,%rdi
   0x00000000010c6746 <+406>:   callq  0x10c6220 <_ZN2v88internal17AllocationTracker15AddFunctionInfoEPNS0_18SharedFunctionInfoEj>
   0x00000000010c674b <+411>:   lea    -0x550(%rbp),%rdi
   0x00000000010c6752 <+418>:   mov    %eax,0x44(%r12,%rbx,4)
   0x00000000010c6757 <+423>:   add    $0x1,%rbx
   0x00000000010c675b <+427>:   callq  0xeb7450 <_ZN2v88internal23JavaScriptFrameIterator7AdvanceEv>
   0x00000000010c6760 <+432>:   mov    -0x48(%rbp),%rdi
   0x00000000010c6764 <+436>:   test   %rdi,%rdi
   0x00000000010c6767 <+439>:   je     0x10c6773 <_ZN2v88internal17AllocationTracker15AllocationEventEmi+451>
   0x00000000010c6769 <+441>:   cmp    $0x40,%r15d
   0x00000000010c676d <+445>:   jne    0x10c6630 <_ZN2v88internal17AllocationTracker15AllocationEventEmi+128>
   0x00000000010c6773 <+451>:   lea    -0x4(,%r15,4),%rax
   0x00000000010c677b <+459>:   lea    -0x570(%rbp),%r13
   0x00000000010c6782 <+466>:   lea    0x48(%r12,%rax,1),%rbx
   0x00000000010c6787 <+471>:   lea    0x44(%r12),%rax
   0x00000000010c678c <+476>:   lea    0x18(%r12),%r14
   0x00000000010c6791 <+481>:   cmp    %rbx,%rax
   0x00000000010c6794 <+484>:   mov    %rax,-0x578(%rbp)
...

(gdb) info registers
rax            0x39adfba82fc9      63419414228937
rbx            0x1                 1
rcx            0x7ffd2ad50678      140725322057336
rdx            0x46410             287760
rsi            0x22cf1fa11621      38272984225313
rdi            0x7ffd2ad4fa68      140725322054248
rbp            0x7ffd2ad4fd70      0x7ffd2ad4fd70
rsp            0x7ffd2ad4f7e0      0x7ffd2ad4f7e0
r8             0x407               1031
r9             0x22cf1fa00000      38272984154112
r10            0xb1ef3e0           186577888
r11            0xbeeddead          3203260077
r12            0x4238790           69437328
r13            0xfffffffc00000000  -17179869184
r14            0x48747d2bd30       4979072089392
r15            0x3d2e940           64153920
rip            0x10c663d           0x10c663d <v8::internal::AllocationTracker::AllocationEvent(unsigned long, int)+141>
eflags         0x10202             [ IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0

(gdb) info proc mappings
Mapped address spaces:

          Start Addr           End Addr       Size     Offset objfile
            0x400000          0x2440000  0x2040000        0x0 /usr/bin/node
           0x263f000          0x2641000     0x2000  0x203f000 /usr/bin/node
           0x2641000          0x264e000     0xd000  0x2041000 /usr/bin/node
      0x7f8f1e1ee000     0x7f8f1e1f2000     0x4000        0x0 /home/user/Project/common/node_modules/syslogh/build/Release/index.node
      0x7f8f1e1f2000     0x7f8f1e3f1000   0x1ff000     0x4000 /home/user/Project/common/node_modules/syslogh/build/Release/index.node
      0x7f8f1e3f1000     0x7f8f1e3f2000     0x1000     0x3000 /home/user/Project/common/node_modules/syslogh/build/Release/index.node
      0x7f8f1e3f2000     0x7f8f1e3f3000     0x1000     0x4000 /home/user/Project/common/node_modules/syslogh/build/Release/index.node
      0x7f8f1e3f3000     0x7f8f1e3f7000     0x4000        0x0 /home/user/Project/session-manager/node_modules/websocket/build/Release/validation.node
      0x7f8f1e3f7000     0x7f8f1e5f6000   0x1ff000     0x4000 /home/user/Project/session-manager/node_modules/websocket/build/Release/validation.node
      0x7f8f1e5f6000     0x7f8f1e5f7000     0x1000     0x3000 /home/user/Project/session-manager/node_modules/websocket/build/Release/validation.node
      0x7f8f1e5f7000     0x7f8f1e5f8000     0x1000     0x4000 /home/user/Project/session-manager/node_modules/websocket/build/Release/validation.node
      0x7f8f1e5f8000     0x7f8f1e5fc000     0x4000        0x0 /home/user/Project/session-manager/node_modules/websocket/build/Release/bufferutil.node
      0x7f8f1e5fc000     0x7f8f1e7fb000   0x1ff000     0x4000 /home/user/Project/session-manager/node_modules/websocket/build/Release/bufferutil.node
      0x7f8f1e7fb000     0x7f8f1e7fc000     0x1000     0x3000 /home/user/Project/session-manager/node_modules/websocket/build/Release/bufferutil.node
      0x7f8f1e7fc000     0x7f8f1e7fd000     0x1000     0x4000 /home/user/Project/session-manager/node_modules/websocket/build/Release/bufferutil.node
      0x7f8f25853000     0x7f8f25a3a000   0x1e7000        0x0 /lib/x86_64-linux-gnu/libc-2.27.so
      0x7f8f25a3a000     0x7f8f25c3a000   0x200000   0x1e7000 /lib/x86_64-linux-gnu/libc-2.27.so
      0x7f8f25c3a000     0x7f8f25c3e000     0x4000   0x1e7000 /lib/x86_64-linux-gnu/libc-2.27.so
      0x7f8f25c3e000     0x7f8f25c40000     0x2000   0x1eb000 /lib/x86_64-linux-gnu/libc-2.27.so
      0x7f8f25c44000     0x7f8f25c5e000    0x1a000        0x0 /lib/x86_64-linux-gnu/libpthread-2.27.so
      0x7f8f25c5e000     0x7f8f25e5d000   0x1ff000    0x1a000 /lib/x86_64-linux-gnu/libpthread-2.27.so
      0x7f8f25e5d000     0x7f8f25e5e000     0x1000    0x19000 /lib/x86_64-linux-gnu/libpthread-2.27.so
      0x7f8f25e5e000     0x7f8f25e5f000     0x1000    0x1a000 /lib/x86_64-linux-gnu/libpthread-2.27.so
      0x7f8f25e63000     0x7f8f25e7a000    0x17000        0x0 /lib/x86_64-linux-gnu/libgcc_s.so.1
      0x7f8f25e7a000     0x7f8f26079000   0x1ff000    0x17000 /lib/x86_64-linux-gnu/libgcc_s.so.1
      0x7f8f26079000     0x7f8f2607a000     0x1000    0x16000 /lib/x86_64-linux-gnu/libgcc_s.so.1
      0x7f8f2607a000     0x7f8f2607b000     0x1000    0x17000 /lib/x86_64-linux-gnu/libgcc_s.so.1
      0x7f8f2607b000     0x7f8f26218000   0x19d000        0x0 /lib/x86_64-linux-gnu/libm-2.27.so
      0x7f8f26218000     0x7f8f26417000   0x1ff000   0x19d000 /lib/x86_64-linux-gnu/libm-2.27.so
      0x7f8f26417000     0x7f8f26418000     0x1000   0x19c000 /lib/x86_64-linux-gnu/libm-2.27.so
      0x7f8f26418000     0x7f8f26419000     0x1000   0x19d000 /lib/x86_64-linux-gnu/libm-2.27.so
      0x7f8f26419000     0x7f8f26592000   0x179000        0x0 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.25
      0x7f8f26592000     0x7f8f26792000   0x200000   0x179000 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.25
      0x7f8f26792000     0x7f8f2679c000     0xa000   0x179000 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.25
      0x7f8f2679c000     0x7f8f2679e000     0x2000   0x183000 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.25
      0x7f8f267a2000     0x7f8f267a9000     0x7000        0x0 /lib/x86_64-linux-gnu/librt-2.27.so
      0x7f8f267a9000     0x7f8f269a8000   0x1ff000     0x7000 /lib/x86_64-linux-gnu/librt-2.27.so
      0x7f8f269a8000     0x7f8f269a9000     0x1000     0x6000 /lib/x86_64-linux-gnu/librt-2.27.so
      0x7f8f269a9000     0x7f8f269aa000     0x1000     0x7000 /lib/x86_64-linux-gnu/librt-2.27.so
      0x7f8f269aa000     0x7f8f269ad000     0x3000        0x0 /lib/x86_64-linux-gnu/libdl-2.27.so
      0x7f8f269ad000     0x7f8f26bac000   0x1ff000     0x3000 /lib/x86_64-linux-gnu/libdl-2.27.so
      0x7f8f26bac000     0x7f8f26bad000     0x1000     0x2000 /lib/x86_64-linux-gnu/libdl-2.27.so
      0x7f8f26bad000     0x7f8f26bae000     0x1000     0x3000 /lib/x86_64-linux-gnu/libdl-2.27.so
      0x7f8f26bae000     0x7f8f26bd5000    0x27000        0x0 /lib/x86_64-linux-gnu/ld-2.27.so
      0x7f8f26dd5000     0x7f8f26dd6000     0x1000    0x27000 /lib/x86_64-linux-gnu/ld-2.27.so

[bnoordhuis]

It looks like it's trying to untag a pointer (mov -0x1(%r13),%rax or rax = mem[r13 - 1]) that isn't a tagged pointer to start with (0xfffffffc00000000 - LSB is clear.)

Is there an easy way for me to reproduce? Are you using native add-ons / modules?

[bnoordhuis]

I'm going to close this for lack of follow-up. Let me know if you still want to pursue it.

[orgads]

Oops, sorry.

I already tracked down the leak, so this became less urgent.

It looks like the Node crash resulted from allocation failure due to memory exhaustion.

With the debian package of Node I receive a nice message on this case, and it crashes gracefully, but with the package from nodesource it just crashes immediately. With a simple example I was able to cause the nodesource package to crash gracefully as well. I still didn't try to find a minimal example for my case.

Do you still want me to report back, or since it would crash anyway then that's not a priority?

[*] Simple OOM crasher:

const arr = [];

for (let i = 0; i <= 1000; i++)
    arr.push((new Array(1000000)).fill('test'));

[*] Graceful crash:

<--- Last few GCs --->
rt of marking 557 ms) (average mu = 0.256, current mu = 0.051) allocation [27909:0x447e8d0]     4843 ms: Mark-sweep 1392.1 (1398.3) -> 1392.1 (1398.3) MB, 320.2 / 0.0 ms  (+ 0.0 ms in 1 steps since start of marking, biggest step 0.0 ms, walltime since start of marking 327 ms) (average mu = 0.185, current mu = 0.021) allocation [27909:0x447e8d0]     5413 ms: Mark-sweep 1392.1 (1398.3) -> 1392.1 (1398.3) MB, 569.9 / 0.0 ms  (average mu = 0.090, current mu = 0.000) allocation failure GC in old space requested


<--- JS stacktrace --->

==== JS stack trace =========================================

    0: ExitFrame [pc: 0x348a986dbe1d]
    1: StubFrame [pc: 0x348a9870a091]
Security context: 0x05673c89e6e9 <JSObject>
    2: /* anonymous */ [0x1d91532edfa1] [/home/orgads/test.js:4] [bytecode=0x16c77bcd3299 offset=39](this=0x1d91532ed829 <Object map = 0x3bca7bb82571>,exports=0x1d91532ed829 <Object map = 0x3bca7bb82571>,require=0x1d91532ee049 <JSFunction require (sfi = 0x16c77bcc45f1)>,module=0x1d91532ed7a1 <Module map = 0x3bca7bbd4b61>...

FATAL ERROR: Ineffective mark-compacts near heap limit Allocation failed - JavaScript heap out of memory
 1: 0x8f9d10 node::Abort() [node]
 2: 0x8f9d5c  [node]
 3: 0xaffd0e v8::Utils::ReportOOMFailure(v8::internal::Isolate*, char const*, bool) [node]
 4: 0xafff44 v8::internal::V8::FatalProcessOutOfMemory(v8::internal::Isolate*, char const*, bool) [node]
 5: 0xef4152  [node]
 6: 0xef4258 v8::internal::Heap::CheckIneffectiveMarkCompact(unsigned long, double) [node]
 7: 0xf00332 v8::internal::Heap::PerformGarbageCollection(v8::internal::GarbageCollector, v8::GCCallbackFlags) [node]
 8: 0xf00c64 v8::internal::Heap::CollectGarbage(v8::internal::AllocationSpace, v8::internal::GarbageCollectionReason, v8::GCCallbackFlags) [node]
 9: 0xf0215a v8::internal::Heap::CollectAllAvailableGarbage(v8::internal::GarbageCollectionReason) [node]
10: 0xf0393e v8::internal::Heap::AllocateRawWithRetryOrFail(int, v8::internal::AllocationSpace, v8::internal::AllocationAlignment) [node]
11: 0xecc9c6 v8::internal::Factory::AllocateRawArray(int, v8::internal::PretenureFlag) [node]
12: 0xecd24a v8::internal::Factory::NewFixedArrayWithFiller(v8::internal::Heap::RootListIndex, int, v8::internal::Object*, v8::internal::PretenureFlag) [node]
13: 0xecd807 v8::internal::Factory::NewUninitializedFixedArray(int, v8::internal::PretenureFlag) [node]
14: 0xe8ef80  [node]
15: 0xe922f2  [node]
16: 0xe92652  [node]
17: 0xe92b02 v8::internal::ArrayConstructInitializeElements(v8::internal::Handle<v8::internal::JSArray>, v8::internal::Arguments*) [node]
18: 0x1126def v8::internal::Runtime_NewArray(int, v8::internal::Object**, v8::internal::Isolate*) [node]
19: 0x348a986dbe1d 
Aborted (core dumped)

[addaleax]

@orgads If it only segfaults with NodeSource’s version, I’d report this bug to them.