When Node addon creates a new isolate, use it to execute JS code and let it triggers GC, it will crash

[fs-eire]

• Version: v8.5.0 or higher
• Platform: Darwin/Linux/Windows (x64)
• Subsystem:

1. Create a simple Node addon.
2. In the Init(), create a thread and create a new isolate in that thread.
3. In the Method(), notify the thread to execute some javascript code.
4. When the javascript code triggers GC, the process will crash.

• Crash error on Ubuntu 16.04.2

  #
  # Fatal error in ../deps/v8/src/heap/heap-inl.h, line 228
  # Debug check failed: gc_state_ == NOT_IN_GC.
  #

  #
  # Fatal error in ../deps/v8/src/heap/heap.cc, line 452
  # Debug check failed: !AllowHeapAllocation::IsAllowed() && gc_state_ == NOT_IN_GC.
  #

• Crash error on macOS Sierra 10.12.6

  node(27735,0x7fffad7f03c0) malloc: *** error for object 0x10231a980: pointer being freed was not allocated
  *** set a breakpoint in malloc_error_break to debug
  node(27735,0x7000075f6000) malloc: *** error for object 0x10231a778: incorrect checksum for freed object - object was probably modified after being freed.
  *** set a breakpoint in malloc_error_break to debug

• Crash without error outputted to console (Windows7)

Please refer to https://github.com/fs-eire/node-modules-playground/tree/test-node-crash for the code.

Other findings:

1. If we block the Node main thread, ( put a while-true in the end of the javascript code) the crash will not happen.
2. The crash always happens when a Full GC is in operation.

We released Napa.js as a Node module sharing the same v8 platform, and created isolates & manipulated them the same way as the sample addon.

A workaround we could think of is to link with a separate v8 shared library if sharing the same platform is not desired. Actually we started by doing that, but afterwards changed to dynamic linking to V8 from Node for easier build and distribution.

Please kindly suggest if this is a bug in Node, or a behavior by design.

[addaleax]

Hey! Sounds like you might be interested in something like ayojs/ayo@2f47b5b, which I did for a multi-threading Workers implementation? Let me know if that gets you anywhere.

[Fishrock123]

Please kindly suggest if this is a bug in Node, or a behavior by design.

Neither really. What you are doing is simply not supported at the current time. Please keep in mind that native modules can do virtually anything (as any other C or C++ code) with no guarantee that you won't explode Node.

Until recent times there was never a need to support multiple isolates, so that work was never done or completed.

[fs-eire]

@Fishrock123 I understand that multiple isolates are not explicitly supported by Node. However, this issue only happens on Node 8.5.0 or later. When using Node 6.x, 7.x or 8.0~8.4.0, it works as expected without crash.

Maybe it is a regression in 8.5.0 release?

[bnoordhuis]

@fs-eire Can you run git bisect to find a specific commit?

[fs-eire]

commit found: 9e08695 @addaleax @matthewloring

This change introduces a new implementation of v8::Platform. It looks related to this issue.

[addaleax]

@fs-eire Oh, I’m sorry, I didn’t know you were looking for the cause of this.

Yes, this happens because Node has its own v8::Platform implementation now, which doesn’t care about multiple isolates. I’ve linked a patch above that I think should take care of most things.

I’ve opened #16700 with the patch(es) I mentioned above, please feel free to check that out and see whether it helps resolve the issues you were seeing.

[fs-eire]

@addaleax I've tested the change. I encountered the following error when calling script->Run():

/Users/eire/nodejs/out/Release/node[78814]: ../src/node_platform.cc:203:node::PerIsolatePlatformData node::NodePlatform::ForIsolate(v8::Isolate ): Assertion `(data) != (nullptr)' failed.
1: node::Abort() [/Users/eire/test-1/node-modules-playground/../../nodejs/out/Release/node]
2: node::(anonymous namespace)::DomainEnter(node::Environment, v8::Localv8::Object) [/Users/eire/test-1/node-modules-playground/../../nodejs/out/Release/node]
3: node::NodePlatform::ForIsolate(v8::Isolate) [/Users/eire/test-1/node-modules-playground/../../nodejs/out/Release/node]
4: node::NodePlatform::CallOnForegroundThread(v8::Isolate*, v8::Task*) [/Users/eire/test-1/node-modules-playground/../../nodejs/out/Release/node]
5: v8::internal::IncrementalMarking::Start(v8::internal::GarbageCollectionReason) [/Users/eire/test-1/node-modules-playground/../../nodejs/out/Release/node]
6: v8::internal::LargeObjectSpace::AllocateRaw(int, v8::internal::Executability) [/Users/eire/test-1/node-modules-playground/../../nodejs/out/Release/node]
7: v8::internal::Heap::AllocateRaw(int, v8::internal::AllocationSpace, v8::internal::AllocationAlignment) [/Users/eire/test-1/node-modules-playground/../../nodejs/out/Release/node]
8: v8::internal::Heap::AllocateUninitializedFixedDoubleArray(int, v8::internal::PretenureFlag) [/Users/eire/test-1/node-modules-playground/../../nodejs/out/Release/node]
9: v8::internal::Factory::NewFixedDoubleArray(int, v8::internal::PretenureFlag) [/Users/eire/test-1/node-modules-playground/../../nodejs/out/Release/node]
10: v8::internal::(anonymous namespace)::ElementsAccessorBase<v8::internal::(anonymous namespace)::FastPackedDoubleElementsAccessor, v8::internal::(anonymous namespace)::ElementsKindTraits<(v8::internal::ElementsKind)4> >::GrowCapacity(v8::internal::Handlev8::internal::JSObject, unsigned int) [/Users/eire/test-1/node-modules-playground/../../nodejs/out/Release/node]
11: v8::internal::Runtime_GrowArrayElements(int, v8::internal::Object**, v8::internal::Isolate*) [/Users/eire/test-1/node-modules-playground/../../nodejs/out/Release/node]
12: 0x2d73b7c042fd
Abort trap: 6

[YafimK]

We have a similar issue during development of a module which uses multiple isolates.
We were trying to trace this issue back to v8 and exchanged some emails with the GC team but without any solution.
we were able to workaround this issue by using "--noincremental-marking" and tested it with recent node versions (v9.0.0, v9.1.0).
@BorisKozo

[addaleax]

@fs-eire Sorry, missed your message. Which overload of CreateIsolateData are you using? Can you share any code? Edit: Sorry, missed the link to your repo in the OP :)

@YafimK Can you share any code that would help reproduce the issue?

[YafimK]

I've used the example provided above (by @fs-eire ) and I got the following:

Using a debug compilation of the node master branch that includes your fixes (on windows)

1. got the following error:
   
2. using the flag "--noincremental-marking" it seems to work.

Using a debug compilation of node v9.1 -(on windows)

1. I've got another issue -
   

2. again the flag "--noincremental-marking" seems to make it disappear.

[addaleax]

Right, there is no way to associate an Isolate without grabbing hold of the platform explicitly, so the platform can’t be informed about a new Isolate being created and that’s what’s causing the trouble here.

I’ll think about how to best work around that… it would probably be easiest to expose the default NodePlatform* instance to the public here, if there is one.