qmphan / pyv8

Automatically exported from code.google.com/p/pyv8

PyV8 + lxml segfault issue on V8 garbage collection #105

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?

The following code uses the lxml library + PyV8.

    import lxml
    import lxml.html

    import PyV8

    class Obj(PyV8.JSClass):
        """
        """
        def __init__(self, node):
            self.node = node

    class Global(PyV8.JSClass):

        def __init__(self):
            self.wraped = Obj(lxml.html.fromstring("<html></html>").xpath("//html")[0])

    for i in range(0, 100):
        with PyV8.JSContext(Global()) as ctx:

            print "Test #%s" % i

            ctx.eval("""

                // Fill Memory To Force Garbage Collection
                var x = new Array();

                for(var i =0; i < 100000; i++) {
                    x[i] = i;
                }

                var x = wraped;
            """)

What is the expected output? What do you see instead?

I am seeing a segfault after V8 garbage collection runs, during the call to 
m_object.reset(); in the ObjectTracer destructor.

A gdb backtrace starting from V8 garbage collection is shown below:

    Program received signal SIGSEGV, Segmentation fault.
    0x00000000004b5057 in PyErr_Fetch ()
    (gdb) bt
    #0  0x00000000004b5057 in PyErr_Fetch ()
    #1  0x00007ffff66cc1ac in ?? () from /usr/lib/python2.6/dist-packages/lxml/etree.so
    #2  0x000000000046d2d8 in ?? ()
    #3  0x000000000044fc53 in ?? ()
    #4  0x000000000046d327 in ?? ()
    #5  0x000000000044fc53 in ?? ()
    #6  0x000000000046d327 in ?? ()
    #7  0x00007ffff4b8f7fb in ~object_base (this=0x938580, __in_chrg=<value optimized out>) at /usr/include/boost/python/object_core.hpp:509
    #8  ~object (this=0x938580, __in_chrg=<value optimized out>) at /usr/include/boost/python/object_core.hpp:311
    #9  std::auto_ptr<boost::python::api::object>::reset (this=0x938580, __in_chrg=<value optimized out>)
        at /usr/include/c++/4.4/backward/auto_ptr.h:242
    #10 ~ObjectTracer (this=0x938580, __in_chrg=<value optimized out>) at src/Wrapper.cpp:1993
    #11 0x00007ffff4b8f961 in ~auto_ptr (value=<value optimized out>, parameter=0x938580) at /usr/include/c++/4.4/backward/auto_ptr.h:168
    #12 ObjectTracer::WeakCallback (value=<value optimized out>, parameter=0x938580) at src/Wrapper.cpp:2058
    #13 0x00007ffff4c3a152 in v8::internal::GlobalHandles::Node::PostGarbageCollectionProcessing (this=0xbee1c8, isolate=0xbd54c0, 
        global_handles=0xb7da30) at src/global-handles.cc:201
    #14 0x00007ffff4c38c3f in v8::internal::GlobalHandles::PostGarbageCollectionProcessing (this=0xb7da30) at src/global-handles.cc:428
    #15 0x00007ffff4c56306 in v8::internal::Heap::PerformGarbageCollection (this=0xbd5558, collector=v8::internal::MARK_COMPACTOR, 
        tracer=0x7fffffffd070) at src/heap.cc:778
    #16 0x00007ffff4c557f3 in v8::internal::Heap::CollectGarbage (this=0xbd5558, space=v8::internal::NEW_SPACE, 
        collector=v8::internal::MARK_COMPACTOR) at src/heap.cc:510
    #17 0x00007ffff4c05e53 in v8::internal::Heap::CollectGarbage (this=0xbd5558, space=v8::internal::NEW_SPACE) at src/heap-inl.h:427

What version of the product are you using? On what operating system?

Linux x64.  PyV8 around r356.

Please provide any additional information below.

I'm not sure if this is an lxml issue or not.  It appears to be caused by some 
kind of double delete/dereference.

Original issue reported on code.google.com by ATM1...@gmail.com on 8 Sep 2011 at 8:45

GoogleCodeExporter commented 8 years ago

Original comment by flier...@gmail.com on 14 Sep 2011 at 8:57

GoogleCodeExporter commented 8 years ago
The crash is very strange; if you add a collect call after the eval, it will 
run very well.

    with PyV8.JSContext(Global()) as ctx:

        print "Test #%s" % i

        ctx.eval(...)

        PyV8.JSEngine.collect()

When I debugged the code, it crashed in the etree module, even though the Obj 
object is correct.

    python26.dll!1e0df375()     
    [Frames below may be incorrect and/or missing, no symbols loaded for python26.dll]  
    etree.pyd!020ce019()    
    python26.dll!1e0a83a6()     
    python26.dll!1e086879()     
    python26.dll!1e0a8353()     
>   _PyV8.pyd!ObjectTracer::~ObjectTracer()  Line 1370 + 0x36 bytes C++
    d422e900()  

Original comment by flier...@gmail.com on 14 Sep 2011 at 9:55