Illegal "udf" Instruction on armv7

[NikoDelarich]

• Version: v12.4.0
• Platform: Linux SAMA5D3 4.4.122 deps: update openssl to 1.0.1j #1 PREEMPT Thu Nov 15 10:52:12 CET 2018 armv7l GNU/Linux
• Subsystem: ?

Dear maintainers,

After updating nodejs to 12.4.0 running "node" produces the following error:

#
# Fatal error in , line 0
# unreachable code
#
#
#
#FailureMessage Object: 0xbefff0c0

The process then crashes with an illegal instruction error:

[ 4360.366000] CPU: 0 PID: 2902 Comm: node Tainted: P           O    4.4.122 #1
[ 4360.373000] Hardware name: Atmel SAMA5
[ 4360.377000] task: cf65b180 ti: cf610000 task.ti: cf610000
[ 4360.382000] PC is at 0x100eb84
[ 4360.385000] LR is at 0x1009ea0
[ 4360.388000] pc : [<0100eb84>]    lr : [<01009ea0>]    psr: 20000010
[ 4360.388000] sp : befff0b8  ip : 00000000  fp : befff2d4
[ 4360.400000] r10: 00000001  r9 : 00000000  r8 : 00000001
[ 4360.405000] r7 : 00000000  r6 : 01745fa8  r5 : befff2dc  r4 : 01bca424
[ 4360.412000] r3 : 00000001  r2 : 00000001  r1 : 00000000  r0 : 00000000
[ 4360.418000] Flags: nzCv  IRQs on  FIQs on  Mode USER_32  ISA ARM  Segment user
[ 4360.425000] Control: 10c53c7d  Table: 2b070059  DAC: 00000055
[ 4360.431000] CPU: 0 PID: 2902 Comm: node Tainted: P           O    4.4.122 #1
[ 4360.438000] Hardware name: Atmel SAMA5
[ 4360.442000] [<c0013e1c>] (unwind_backtrace) from [<c00122a4>] (show_stack+0x10/0x14)
[ 4360.450000] [<c00122a4>] (show_stack) from [<c0029e2c>] (get_signal+0x534/0x5a0)
[ 4360.457000] [<c0029e2c>] (get_signal) from [<c0011838>] (do_signal+0x74/0x3a4)
[ 4360.465000] [<c0011838>] (do_signal) from [<c0011ce4>] (do_work_pending+0x68/0xac)
[ 4360.472000] [<c0011ce4>] (do_work_pending) from [<c000eb80>] (slow_work_pending+0xc/0x20)

Here are my config options:
configure --prefix=/usr --dest-cpu=arm --with-arm-float-abi=softfp --with-arm-fpu=vfpv4-d16 --without-snapshot --shared-zlib --shared-nghttp2 --without-dtrace --without-etw --dest-os=linux --with-intl=small-icu --shared-openssl --without-npm

cat /proc/cpuinfo:

processor       : 0
model name      : ARMv7 Processor rev 1 (v7l)
BogoMIPS        : 325.63
Features        : half thumb fastmult vfp edsp vfpv3 vfpv3d16 tls vfpv4
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x0
CPU part        : 0xc05
CPU revision    : 1

Hardware        : Atmel SAMA5

node --v8-options:

target arm v7 vfp3-d16 softfp
ARMv8=0 ARMv7=0 VFPv3=0 VFP32DREGS=0 NEON=0 SUDIV=0 USE_EABI_HARDFLOAT=0

GDB output & disassembly:

0xb6fe721c in ?? ()
(gdb) c
Continuing.

Program received signal SIGILL, Illegal instruction.
0xb6dc6580 in ?? ()
(gdb) disassemble $pc,$pc+32
Dump of assembler code from 0xb6dc6580 to 0xb6dc65a0:
=> 0xb6dc6580:	vorr	q0, q0, q0
   0xb6dc6584:	bx	lr
   0xb6dc6588:	mrrc	15, 1, r0, r1, cr14
   0xb6dc658c:	bx	lr
   0xb6dc6590:	aese.8	q0, q0
   0xb6dc6594:	bx	lr
   0xb6dc6598:	sha1c.32	q0, q0, q0
   0xb6dc659c:	bx	lr
End of assembler dump.
(gdb) c
Continuing.

Program received signal SIGILL, Illegal instruction.
0xb6dc6588 in ?? ()
(gdb) disassemble $pc,$pc+32
Dump of assembler code from 0xb6dc6588 to 0xb6dc65a8:
=> 0xb6dc6588:	mrrc	15, 1, r0, r1, cr14
   0xb6dc658c:	bx	lr
   0xb6dc6590:	aese.8	q0, q0
   0xb6dc6594:	bx	lr
   0xb6dc6598:	sha1c.32	q0, q0, q0
   0xb6dc659c:	bx	lr
   0xb6dc65a0:	sha256h.32	q0, q0, q0
   0xb6dc65a4:	bx	lr
End of assembler dump.
(gdb) c
Continuing.
[New Thread 2910]
[New Thread 2911]
[New Thread 2912]
[New Thread 2913]
[New Thread 2914]
[New Thread 2915]

Program received signal SIGILL, Illegal instruction.
0x0100eb84 in ?? ()
(gdb) disassemble /r $pc,$pc+32
Dump of assembler code from 0x100eb84 to 0x100eba4:
=> 0x0100eb84:	f0 00 f0 e7	udf	#0
   0x0100eb88:	00 48 2d e9	push	{r11, lr}
   0x0100eb8c:	04 b0 8d e2	add	r11, sp, #4
   0x0100eb90:	8d af d3 eb	bl	0x4fa9cc
   0x0100eb94:	04 b0 2d e5	push	{r11}		; (str r11, [sp, #-4]!)
   0x0100eb98:	00 b0 8d e2	add	r11, sp, #0
   0x0100eb9c:	70 00 20 e1	bkpt	0x0000
   0x0100eba0:	00 d0 8b e2	add	sp, r11, #0
End of assembler dump.
(gdb) c
Continuing.

Program terminated with signal SIGILL, Illegal instruction.
The program no longer exists.

Please let me know if more information is needed.

[bnoordhuis]

UDF (UnDeFined) is an instruction that always raises an exception. It probably means your build is hitting some code path it's not supposed to hit. What does backtrace print?

[NikoDelarich]

(gdb) backtrace
#0  0x0100eb84 in ?? ()
#1  0x01009ea0 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

[sam-github]

@nodejs/platform-arm

[bnoordhuis]

Does node --version work? That backtrace suggests it's in V8 generated code. --version doesn't call into V8.

I suppose the UDF might be the start of a constant pool. If you start disassembling a few bytes before $pc, the UDF should be preceded by a jump. Next question then of course is how control ends up there.

[NikoDelarich]

Yes, node --version returns v12.4.0.

There's a beq right before the udf:

   0x0100eb74:	91 ac d3 eb	bl	0x4f9dc0
   0x0100eb78:	04 d0 4b e2	sub	sp, r11, #4
   0x0100eb7c:	00 88 bd e8	pop	{r11, pc}
   0x0100eb80:	38 3d 09 e3	movw	r3, #40248	; 0x9d38
   0x0100eb84:	bd 31 40 e3	movt	r3, #445	; 0x1bd
   0x0100eb88:	00 30 d3 e5	ldrb	r3, [r3]
   0x0100eb8c:	00 00 53 e3	cmp	r3, #0
   0x0100eb90:	00 00 00 0a	beq	0x100eb98
=> 0x0100eb94:	f0 00 f0 e7	udf	#0
   0x0100eb98:	00 48 2d e9	push	{r11, lr}
   0x0100eb9c:	04 b0 8d e2	add	r11, sp, #4
   0x0100eba0:	89 af d3 eb	bl	0x4fa9cc
   0x0100eba4:	04 b0 2d e5	push	{r11}		; (str r11, [sp, #-4]!)
   0x0100eba8:	00 b0 8d e2	add	r11, sp, #0
   0x0100ebac:	70 00 20 e1	bkpt	0x0000
   0x0100ebb0:	00 d0 8b e2	add	sp, r11, #0

I just built a debug version of node & looked at the object dump:

0100eb80 <v8::base::OS::Abort()>:
 100eb80:       e3093d38        movw    r3, #40248      ; 0x9d38
 100eb84:       e34031bd        movt    r3, #445        ; 0x1bd
 100eb88:       e5d33000        ldrb    r3, [r3]
 100eb8c:       e3530000        cmp     r3, #0
 100eb90:       0a000000        beq     100eb98 <v8::base::OS::Abort()+0x18>
 100eb94:       e7f000f0        udf     #0
 100eb98:       e92d4800        push    {fp, lr}
 100eb9c:       e28db004        add     fp, sp, #4
 100eba0:       ebd3af89        bl      4fa9cc <abort@plt>

So it seems the udf is not executed by accident. If i run node --nohard-abort, the program crashes with SIGABRT instead of SIGILL (because v8 then calls abort() instead of V8_IMMEDIATE_CRASH()).
I guess the UNREACHABLE() macro is called somewhere?

• #define UNREACHABLE() FATAL("unreachable code")
  • #define FATAL(...) V8_Fatal("", 0, __VA_ARGS__)
    • v8::base::OS::Abort();

I'll try building node with V8 debugging enabled. The UNREACHABLE macro should then print the correct line number & maybe I'll even get a backtrace.

[NikoDelarich]

In debug mode, I get these errors before I even reach the UNREACHABLE macro invocation:

First:

#
# Fatal error in ../deps/v8/src/debug/debug-evaluate.cc, line 1047
# Check failed: sanity_check.
#
#
#
#FailureMessage Object: 0xbefff5b8

Backtrace:

#0  0x013c9674 in v8::base::OS::Abort () at ../deps/v8/src/base/platform/platform-posix.cc:399
#1  0x013c1d2c in V8_Fatal (file=file@entry=0x1b7bf84 "../deps/v8/src/debug/debug-evaluate.cc", line=line@entry=1047, format=0x1b1c440 "Check failed: %s.") at ../deps/v8/src/base/logging.cc:171
#2  0x00b16560 in v8::internal::DebugEvaluate::VerifyTransitiveBuiltins (isolate=0x1b7be10) at ../deps/v8/src/debug/debug-evaluate.cc:1047
#3  0x00d1ee40 in v8::internal::Isolate::Init (this=this@entry=0x20f21f8, read_only_deserializer=read_only_deserializer@entry=0x0, startup_deserializer=0x20f91f8, startup_deserializer@entry=0x0) at ../deps/v8/src/isolate.cc:3360
#4  0x00d1f14c in v8::internal::Isolate::InitWithoutSnapshot (this=this@entry=0x20f21f8) at ../deps/v8/src/isolate.cc:3251
#5  0x0070fd0c in v8::Isolate::Initialize (isolate=0x20f21f8, params=...) at ../deps/v8/src/api.cc:8193
#6  0x005ff3e0 in node::NodeMainInstance::NodeMainInstance (this=0xbefffb50, params=0xbefffb7c, event_loop=0x6df70c <uv__work_done>, platform=0x20ef118, args=..., exec_args=..., per_isolate_data_indexes=0x0)
    at ../src/node_main_instance.cc:63

And if I skip this check (return in gdb):

#
# Fatal error in ../deps/v8/src/heap/factory.cc, line 2855
# Debug check failed: reloc_info->length() == canonical_reloc_info->length() (6 vs. 0).
#
#
#
#FailureMessage Object: 0xbefff4c8

Backtrace:

#0  0x013c9674 in v8::base::OS::Abort () at ../deps/v8/src/base/platform/platform-posix.cc:399
#1  0x013c1d2c in V8_Fatal (file=0x1b9a1d8 "../deps/v8/src/heap/factory.cc", line=2855, format=0x1d4f52c "Debug check failed: %s.") at ../deps/v8/src/base/logging.cc:171
#2  0x013c1d40 in v8::base::(anonymous namespace)::DefaultDcheckHandler (file=<optimized out>, line=<optimized out>, message=<optimized out>) at ../deps/v8/src/base/logging.cc:56
#3  0x00bf41e4 in v8::internal::Factory::NewOffHeapTrampolineFor (this=0xbefff6b4, this@entry=0x20f21f8, code=..., off_heap_entry=off_heap_entry@entry=640446272) at ../deps/v8/src/heap/factory.cc:2855
#4  0x00d1a7f4 in CreateOffHeapTrampolines (isolate=0x20f21f8) at ../deps/v8/src/isolate.cc:3157
#5  v8::internal::Isolate::CreateAndSetEmbeddedBlob (this=this@entry=0x20f21f8) at ../deps/v8/src/isolate.cc:3231
#6  0x00d1ee90 in v8::internal::Isolate::Init (this=this@entry=0x20f21f8, read_only_deserializer=read_only_deserializer@entry=0x0, startup_deserializer=0x20f91f8, startup_deserializer@entry=0x0) at ../deps/v8/src/isolate.cc:3380
#7  0x00d1f14c in v8::internal::Isolate::InitWithoutSnapshot (this=this@entry=0x20f21f8) at ../deps/v8/src/isolate.cc:3251
#8  0x0070fd0c in v8::Isolate::Initialize (isolate=0x20f21f8, params=...) at ../deps/v8/src/api.cc:8193
#9  0x005ff3e0 in node::NodeMainInstance::NodeMainInstance (this=0xbefffb50, params=0xbefffb7c, event_loop=0x6df70c <uv__work_done>, platform=0x20ef118, args=..., exec_args=..., per_isolate_data_indexes=0x0)
    at ../src/node_main_instance.cc:63

[NikoDelarich]

Alright, this is the location where my original UNREACHABLE error is triggered:

#
# Fatal error in ../deps/v8/src/objects/js-array-buffer.cc, line 287
# unreachable code
#
#
#
#FailureMessage Object: 0xbec4d040Illegal instruction

ExternalArrayType JSTypedArray::type() {
  switch (elements()->map()->instance_type()) {
#define INSTANCE_TYPE_TO_ARRAY_TYPE(Type, type, TYPE, ctype) \
  case FIXED_##TYPE##_ARRAY_TYPE:                            \
    return kExternal##Type##Array;

    TYPED_ARRAYS(INSTANCE_TYPE_TO_ARRAY_TYPE)
#undef INSTANCE_TYPE_TO_ARRAY_TYPE

    default:
      UNREACHABLE();
  }
}

[NikoDelarich]

FYI: Node v8.12.0 & v10.15.3 seem to work without any problems.

[bnoordhuis]

v12.5.0 was released yesterday, can you try that? It contains a couple of fixes to the ARM code.

Also, this only happens when you build from source? Do the release binaries from https://nodejs.org/dist/latest-v12.x/ work?

[NikoDelarich]

Sure - I've already started compiling v12.5.0. (I'm using buildroot btw. - in case it makes any difference)
I don't think I can use the release binaries as they seem to be for hard-float systems only and I'm stuck with softfp...

[NikoDelarich]

I can't get v12.5.0 to build. It fails while trying to build a snapshot, even though I explicitly specified "--without-snapshot" & "--without-node-snapshot"...?

Snapshot/Assembler errors:

~/build/nodejs-12.5.0/out/Release/obj.target/v8_snapshot/geni/embedded.S: Assembler messages:
~/build/nodejs-12.5.0/out/Release/obj.target/v8_snapshot/geni/embedded.S:380: Error: unrecognized symbol type ""
... hundreds of lines ...
~/build/nodejs-12.5.0/out/Release/obj.target/v8_snapshot/geni/embedded.S:42842: Error: unrecognized symbol type ""
~/build/nodejs-12.5.0/out/Release/obj.target/v8_snapshot/geni/embedded.S:42850: Error: unrecognized symbol type ""
/tmp/ccDTyy43.s: Error: unaligned opcodes detected in executable segment
~/build/nodejs-12.5.0/out/Release/obj.target/v8_snapshot/geni/embedded.S:42861: Error: bad relocation fixup type (1)

./configure --prefix=/usr --dest-cpu=arm --with-arm-float-abi=softfp --with-arm-fpu=vfpv4-d16 --without-snapshot --without-node-snapshot --shared-zlib --shared-nghttp2 --without-dtrace --without-etw --dest-os=linux --with-intl=small-icu --shared-openssl --without-npm

[targos]

@NikoDelarich I just opened #28467 which should fix this issue with V8 snapshot. Can you try to apply it on top of v12.5.0?

[NikoDelarich]

@targos Thanks a lot - that fixed my build!
It seems to work now: I can launch node & get a prompt :-) I will do further tests tomorrow.

[NikoDelarich]

Everything seems to work - thank you!