This repository has been archived by the owner on Dec 9, 2018. It is now read-only.

segfault in node.js v0.6.15 #24

Closed
pccowboy opened this issue Apr 25, 2012 · 13 comments

Comments

@pccowboy

There are details here: http://pastebin.com/McidkC0g and http://groups.google.com/group/nodejs/browse_thread/thread/d9eb8b66ce5cfc88

Here is the start of a gdb session with the error:

#
# Fatal error in /home/dswift/node-v0.6.15/deps/v8/src/api.cc, line 661
# CHECK(isolate_ == i::Isolate::Current()) failed
#


==== Stack trace ============================================

Security context: 0x33c6bb5d #0#
    2: Contextify [/usr/local/lib/node_modules/node.io/node_modules/jsdom/node_modules/contextify/lib/contextify.js:7] (this=0x33c6bbf5 #1#,sandbox=0x5609a191 >#2#)
    3: createWindow [/usr/local/lib/node_modules/node.io/node_modules/jsdom/lib/jsdom/browser/index.js:303] (this=0x5601dec5 >#3#,dom=0x2c15da8d >#4#,options=0x56098515 >#5#)
    4: windowAugmentation [/usr/local/lib/node_modules/node.io/node_modules/jsdom/lib/jsdom/browser/index.js:63] (this=0x5601dec5 >#3#,dom=0x2c15da8d >#4#,options=0x56098515 >#5#)
    5: /* anonymous */ [/usr/local/lib/node_modules/node.io/node_modules/jsdom/lib/jsdom/browser/index.js:605] (this=0x56000035 >#6#)
    9: /* anonymous */ [/usr/local/lib/node_modules/node.io/node_modules/jsdom/lib/jsdom.js:81] (this=0x56000035 >#6#)
   10: parseHtml [/usr/local/lib/node_modules/node.io/lib/node.io/dom.js:59] (this=0x358c2cf9 #7#,data=0x2d402021 #8#,callback=0x358c2dd9 #9#,response=0x358c2d81 >#10#)
   11: /* anonymous */ [/usr/local/lib/node_modules/node.io/lib/node.io/request.js:109] (this=0x358c2cf9 #7#,err=0x3ff22021 ,data=0x2d402021 #8#,headers=0x358c2e41 >#11#,response=0x358c2d81 >#10#)
   13: /* anonymous */ [/usr/local/lib/node_modules/node.io/lib/node.io/request.js:217] (this=0x33c6bbf5 #1#)
   14: arguments adaptor frame: 4->0
   15: /* anonymous */ [/usr/local/lib/node_modules/node.io/lib/node.io/request.js:349] (this=0x33c6bbf5 #1#,err=0x3ff22021 ,data=0x2d402021 #8#)
   16: _callback [/usr/local/lib/node_modules/node.io/lib/node.io/request.js:359] (this=0x358c2f21 >#12#,err=0x3ff22021 ,response=0x358c2d81 >#10#,body=0x2d402021 #8#)
   18: callback [/usr/local/lib/node_modules/node.io/node_modules/request/main.js:119] (this=0x358c2f21 >#12#)
   19: arguments adaptor frame: 3->0
   23: /* anonymous */ [native v8natives.js:1502] (this=0x358c2f21 >#12#)
   24: arguments adaptor frame: 2->0
   25: emit [events.js:70] (this=0x358c2f21 >#12#)
   26: arguments adaptor frame: 3->0
   27: /* anonymous */ [/usr/local/lib/node_modules/node.io/node_modules/request/main.js:521] (this=0x358c2f21 >#12#)
   28: arguments adaptor frame: 1->0
   29: emit [events.js:67] (this=0x358c2f21 >#12#)
   30: arguments adaptor frame: 2->0
   31: /* anonymous */ [/usr/local/lib/node_modules/node.io/node_modules/request/main.js:483] (this=0x358c2d81 >#10#,chunk=0x3ff22049 )
   32: arguments adaptor frame: 0->1
   34: emit [events.js:88] (this=0x358c2d81 >#10#)
   35: arguments adaptor frame: 1->0
   36: onMessageComplete [http.js:137] (this=0x358c30dd >#13#)
   40: onend [http.js:1192] (this=0x358c3115 >#14#)
   41: onread [net.js:389] (this=0x358c3155 >#15#,buffer=0x3ff22049 ,offset=0x3ff22049 ,length=0x3ff22049 )
   42: arguments adaptor frame: 0->3

==== Details ================================================

[2]: Contextify [/usr/local/lib/node_modules/node.io/node_modules/jsdom/node_modules/contextify/lib/contextify.js:7] (this=0x33c6bbf5 #1#,sandbox=0x5609a191 >#2#) {
  // heap-allocated locals
  var sandbox = 0x5609a191 >#2#
  var ctx = 0x3ff22049 
  // expression stack (top to bottom)
  [02] : 0x5609a191 >#2#
  [01] : 0x4b7ef1a5 #16#
  [00] : 0x4b7ef2d5 #17#
--------- s o u r c e   c o d e ---------
function Contextify(sandbox) {
    if (typeof sandbox != 'object') {
        sandbox = {};
    }
    var ctx = new ContextifyContext(sandbox);

    sandbox.run = function () {
        return ctx.run.apply(ctx, arguments);
    };

    sandbox.getGlobal = function () {
        return ctx.getGlobal();
    }

    sandbox....

-----------------------------------------
}

Not sure I can contribute a patch, but I am looking at it now. Thanks in advance.

@pccowboy
Author

Here is the backtrace, as well:

(gdb) backtrace
#0 0x00f01402 in _kernel_vsyscall ()
#1 0x00956df0 in raise () from /lib/libc.so.6
#2 0x00958701 in abort () from /lib/libc.so.6
#3 0x084c2cc5 in v8::internal::OS::Abort ()
at /home/dswift/node-v0.6.15/deps/v8/src/platform-linux.cc:415
#4 0x082eea16 in V8_Fatal (file=0x86b6dd4 "/home/dswift/node-v0.6.15/deps/v8/src/api.cc",
line=661, format=0x86b60a8 "CHECK(%s) failed")
at /home/dswift/node-v0.6.15/deps/v8/src/checks.cc:58
#5 0x082ab1fd in CheckHelper (
file=0x86b6dd4 "/home/dswift/node-v0.6.15/deps/v8/src/api.cc", line=661,
source=0x86b7c10 "isolate_ == i::Isolate::Current()", condition=false)
at /home/dswift/node-v0.6.15/deps/v8/src/checks.h:60
#6 0x082af602 in v8::HandleScope::Leave (this=0xbfffd3e4)
at /home/dswift/node-v0.6.15/deps/v8/src/api.cc:661
#7 0x082af6b5 in v8::HandleScope::~HandleScope (this=0xbfffd3e4,
__in_chrg=) at /home/dswift/node-v0.6.15/deps/v8/src/api.cc:655
#8 0x0013a00b in Wrap (args=...) at ../src/contextify.cc:69
#9 ContextifyContext::New (args=...) at ../src/contextify.cc:100
#10 0x082e9b48 in v8::internal::HandleApiCallHelper (args=..., isolate=0x87f3520)
at /home/dswift/node-v0.6.15/deps/v8/src/builtins.cc:1105
#11 0x082e9c75 in v8::internal::Builtin_Impl_HandleApiCallConstruct (args=...,
isolate=0x87f3520) at /home/dswift/node-v0.6.15/deps/v8/src/builtins.cc:1127
#12 0x082e9cb9 in v8::internal::Builtin_HandleApiCallConstruct (args=..., isolate=0x87f3520)
at /home/dswift/node-v0.6.15/deps/v8/src/builtins.cc:1126
#13 0x2c46c696 in ?? ()
#14 0x00000003 in ?? ()
#15 0x2c47eab7 in ?? ()
#16 0x4b7ef1a5 in ?? ()
#17 0x5609a191 in ?? ()
#18 0x5609bfb1 in ?? ()
#19 0x5609bfb1 in ?? ()
#20 0x00000002 in ?? ()
#21 0x0000000e in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

@pccowboy
Author

I'll be damned - I may have a patch. I'll send a pull request in a bit...

@brianmcd
Owner

Is it possible that you've upgraded Node versions without recompiling the native addons like Contextify? I'm wondering if the fresh compilation is what's making your patch work. If that's not the case, could you post the script you're running that shows this crash?

@pccowboy
Author

When I first hit this error on node v0.4.11, I had just installed node.io, so Contextify was freshly compiled in the v0.4.11 ecosystem.

After I upgraded to v0.6.15, the lack of compilation is certainly possible; I am not familiar enough with the node and npm make processes to know if they recompiled addons or not. The new npm bundling process that packages requirements with the requiring packages has me unclear what contributes the compiled version of an addon.

The script is large, I will try and pare it down to a testcase today for the relevant URLs and send you that.

@pccowboy
Author

FWIW, I just undid my "patch", and recompiled and am re-running my script. So far it appears you are correct. How embarrassing.

@brianmcd
Owner

No worries. Native addons with Node are anything but intuitive. Anytime you switch between major Node versions, you have to recompile the native addons. npm has a handy npm rebuild command that you can issue in a project folder, and it'll recursively rebuild all of the native modules in node_modules.

@pccowboy
Author

All that said, I think I have recreated it. At least, after buttressing my code's error handling, I am getting the segfaults again. I'll post a testcase if I figure it out.

@pccowboy
Author

I have a question. After reading the jsdom source, I see they are sending a window using createWindow() to Contextify, then getting the global for that object and setting window.window to it. In this gist (https://gist.github.com/2551818) is a session where I execute those commands, and I see that what is returned by getGlobal does not equal the Contextified object.

Can you take a look at my gist, and tell me if my assumption (getGlobal === contextified object) is correct?

The relation to this bug is that when Contextify is fed bad javascript, the resulting exceptions appear to be causing memory leaks in Contextify. Many of those exceptions are "navigator is not defined", and I have tracked it down to this code in jsdom.

@brianmcd
Owner

Are you sure that the installation of JSDOM you're using with node.io has Contextify installed? Contextify is an optional dependency, and if it's not found, JSDOM tries to replicate the functionality with the vm module (which isn't quite right).

I tried a similar experiment and got the following:

var jsdom = require('jsdom');
var doc = jsdom.jsdom('<html><head></head><body></body></html>');
var window = doc.parentWindow;
console.log(window.window === window);
console.log(window.window.navigator);

With Contextify:

true
{ userAgent: 'Node.js (linux; U; rv:v0.7.6)',
  appName: 'Node.js jsDom',
  platform: 'linux',
  appVersion: 'v0.7.6' }

Without Contextify:

false

node.js:197
        throw e; // process.nextTick error, or 'error' event on first tick
              ^
TypeError: Cannot read property 'navigator' of undefined
    at Object.<anonymous> (/home/brianmcd/projects/jsdom-tmpvar/test3.js:5:26)
    at Module._compile (module.js:445:26)
    at Object..js (module.js:463:10)
    at Module.load (module.js:352:32)
    at Function._load (module.js:310:12)
    at Array.0 (module.js:483:10)
    at EventEmitter._tickCallback (node.js:188:41)

As soon as I finish school (2 weeks from Wednesday), I'm going to finish work on a patch to get the Contextify behavior into Node's vm module, and hopefully that'll clear up a lot of these issues.

@pccowboy
Author

Yup - I have been curing some of the issues related to the segfault in Contextify, so as I install different versions of jsdom under node.io, I have to copy my contextify.cc into place and rebuild.

@brianmcd
Owner

I installed node.io and ran your gist verbatim.

>  u.puts(u.inspect(w.window.navigator))
{ userAgent: 'Node.js (linux; U; rv:v0.7.6)',
  appName: 'Node.js jsDom',
  platform: 'linux',
  appVersion: 'v0.7.6' }
> if (w === w.window) {u.puts('ok');} else {u.puts('not setting up global from contextify');}
not setting up global from contextify

The second part makes sense - window.window is the proxy global from the v8 context, while window is the sandbox object. getGlobal() returns the proxy object so you can set up self-references that behave correctly when executing code in the Contextify context. In context things work as expected:

> w.run('this === window')
true
> w.run('window.window === window')
true

The behavior you're seeing with the navigator really looks like you don't have Contextify installed. If I remove Contextify from JSDOM's node_modules, I get the exact behavior in your gist:

>  u.puts(u.inspect(w.navigator))
undefined

@pccowboy
Author

Cusswords. npm rebuild was not working, so I was using node-waf. However, node-waf does not do the right thing for a module previously built with node-gyp. So, it appears I was not using the contextify.node that I thought I had been.

I removed it all, reinstalled, and installed node-gyp, and then the basic node.io test case I have appears to work with my changes so far. Thank you very much for your help, I apologize for any frustration I caused.

Now I am back to tracking down what on my end is causing jsdom or contextify to try and access a non-existent memory location, after running several scrapes in a row. I still get this note from valgrind:

==3204== Invalid read of size 4
==3204== at 0x81C093B: v8::Object::GetRealNamedProperty(v8::Handle<v8::String>) (in /usr/local/bin/node)
==3204== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==3204==
==3204==
==3204== Process terminating with default action of signal 11 (SIGSEGV)
==3204== Access not within mapped region at address 0x0
==3204== at 0x81C093B: v8::Object::GetRealNamedProperty(v8::Handle<v8::String>) (in /usr/local/bin/node)

@pccowboy
Author

pccowboy commented May 5, 2012

I am pretty clear now this is a jsdom/node.io issue. Not sure if I have it worked around or not, but I think I should take it off your plate. The only thing I did with contextify is to leave the patch I made in place, based upon my reading at http://groups.google.com/group/nodejs/browse_thread/thread/19c5ac046526a67a.

Hope your schoolwork went well!

@pccowboy pccowboy closed this as completed May 5, 2012