Crash at node::AsyncWrap::QueueDestroyAsyncId(const v8::FunctionCallbackInfo<v8::Value>&)

nodejs / node

Node.js JavaScript runtime ✨🐢🚀✨

https://nodejs.org

Other

106.64k stars 29.07k forks source link

Crash at node::AsyncWrap::QueueDestroyAsyncId(const v8::FunctionCallbackInfo<v8::Value>&) #34794

Open po6ix opened 4 years ago

po6ix commented 4 years ago

Version: v14.7.0
Platform: ubuntu 19.04

What steps will reproduce the bug?

I cannot sure, but for me, It needs repl environment for reproduce. It's unstable, because of related function called by garbage collector.

KakaoTalk_20200816_145432145

How often does it reproduce? Is there a required condition?

nothing

What is the expected behavior?

no error

What do you see instead?

crash

core.zip

bnoordhuis commented 4 years ago

I've changed the version in your bug report from v14.6.0 to v14.7.0. That's what's in the screenshot and the line number in the assertion also doesn't make sense otherwise.

Can you try with v14.8.0? I think there's a fairly good chance 18ca52d78efcf146df693da56f3005c7d180cac7 fixed this.

po6ix commented 4 years ago

v14.8.0 shows same

bnoordhuis commented 4 years ago

cc @addaleax - I think this is your call?

addaleax commented 4 years ago

Here’s the relevant JS stack trace for where the prototype property is being accessed:

    at Array.get (REPL15:3:28)
    at FixedCircularBuffer.shift (internal/fixed_queue.js:81:31)
    at FixedQueue.shift (internal/fixed_queue.js:110:23)
    at processTicksAndRejections (internal/process/task_queues.js:68:25)

i.e. this line returns an “entry” when it shouldn’t:

https://github.com/nodejs/node/blob/f5c0e282ccf98e17f295c11850649ad19a6fff51/lib/internal/fixed_queue.js#L81

I’m sure there are many more places like this in the Node.js codebase, and I think this is a great example of why I don’t think we should use the hard-crash typechecking we do in C++.

iradcn commented 9 months ago

this happens to me quite often on node v18.19.0 on ubuntu 22.04.3 (on github actions):

Error: Failed to deploy: /usr/local/bin/node[2186]: 
    ../src/async_wrap.cc:321:static void 
    node::AsyncWrap::QueueDestroyAsyncId(const 
    v8::FunctionCallbackInfo<v8::Value>&): Assertion `args[0]->IsNumber()' 
    failed.
     1: 0xb95b60 node::Abort() [/usr/local/bin/node]
     2: 0xb95bde  [/usr/local/bin/node]
     3: 0xae3c6b 
    node::AsyncWrap::QueueDestroyAsyncId(v8::FunctionCallbackInfo<v8::Value> 
    const&) [/usr/local/bin/node]
     4: 0xdcd3e0  [/usr/local/bin/node]
     5: 0xdce91f v8::internal::Builtin_HandleApiCall(int, unsigned long*, 
    v8::internal::Isolate*) [/usr/local/bin/node]
     6: 0x170dfb9  [/usr/local/bin/node]
    Aborted (core dumped)
    error Command failed with exit code 134.