Closed Bug 1199345 Opened 9 years ago Closed 9 years ago

Assertion failure: i < (1 << 24), at mozilla-central/js/src/jsopcode.h:214

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla44
Tracking Flags:
Tracking Status
firefox43 --- affected
firefox44 --- fixed

People

(Reporter: anba, Assigned: arai)

References

Details

(Keywords: regression)

Attachments

(1 file, 1 obsolete file)

Extend JSOP_NEWARRAY/JSOP_INITELEM_ARRAY/JSOP_SPREADCALLARRAY operand to uint32.
15.29 KB, patch
Waldo
: review+
Details | Diff | Splinter Review 
Test case:
---
Function(`return [${",".repeat(16777215 + 1)}].length`)()
---

Assertion failure: i < (1 << 24), at /home/andre/hg/mozilla-central/js/src/jsopcode.h:214


Stack trace:
---
#0  0x0000000000666de2 in SET_UINT24 (pc=0x7ffff3c16800 "Z", i=16777216) at /home/andre/hg/mozilla-central/js/src/jsopcode.h:214
#1  0x00000000006a2509 in js::frontend::BytecodeEmitter::emitArray (this=0x7fffffffbbf8, pn=0x7ffff698a178, count=16777216, op=JSOP_NEWARRAY)
    at /home/andre/hg/mozilla-central/js/src/frontend/BytecodeEmitter.cpp:7267
#2  0x00000000006a4ab5 in js::frontend::BytecodeEmitter::emitTree (this=0x7fffffffbbf8, pn=0x7ffff698a140)
    at /home/andre/hg/mozilla-central/js/src/frontend/BytecodeEmitter.cpp:8005
#3  0x0000000000691b8b in js::frontend::BytecodeEmitter::emitPropLHS (this=0x7fffffffbbf8, pn=0x7fffb7485f70)
    at /home/andre/hg/mozilla-central/js/src/frontend/BytecodeEmitter.cpp:2578
#4  0x0000000000691c89 in js::frontend::BytecodeEmitter::emitPropOp (this=0x7fffffffbbf8, pn=0x7fffb7485f70, op=JSOP_GETPROP)
    at /home/andre/hg/mozilla-central/js/src/frontend/BytecodeEmitter.cpp:2598
#5  0x00000000006a4506 in js::frontend::BytecodeEmitter::emitTree (this=0x7fffffffbbf8, pn=0x7fffb7485f70)
    at /home/andre/hg/mozilla-central/js/src/frontend/BytecodeEmitter.cpp:7879
#6  0x000000000069e121 in js::frontend::BytecodeEmitter::emitReturn (this=0x7fffffffbbf8, pn=0x7fffb7485fa8)
    at /home/andre/hg/mozilla-central/js/src/frontend/BytecodeEmitter.cpp:6096
#7  0x00000000006a3f37 in js::frontend::BytecodeEmitter::emitTree (this=0x7fffffffbbf8, pn=0x7fffb7485fa8)
    at /home/andre/hg/mozilla-central/js/src/frontend/BytecodeEmitter.cpp:7711
#8  0x000000000069f431 in js::frontend::BytecodeEmitter::emitStatementList (this=0x7fffffffbbf8, pn=0x7ffff698a108, top=0)
    at /home/andre/hg/mozilla-central/js/src/frontend/BytecodeEmitter.cpp:6373
#9  0x00000000006a3fe0 in js::frontend::BytecodeEmitter::emitTree (this=0x7fffffffbbf8, pn=0x7ffff698a108)
    at /home/andre/hg/mozilla-central/js/src/frontend/BytecodeEmitter.cpp:7728
#10 0x00000000006a3d15 in js::frontend::BytecodeEmitter::emitTree (this=0x7fffffffbbf8, pn=0x7ffff698a058)
    at /home/andre/hg/mozilla-central/js/src/frontend/BytecodeEmitter.cpp:7658
#11 0x0000000000694c62 in js::frontend::BytecodeEmitter::emitFunctionScript (this=0x7fffffffbbf8, body=0x7ffff698a058)
    at /home/andre/hg/mozilla-central/js/src/frontend/BytecodeEmitter.cpp:3437
#12 0x000000000068876d in BytecodeCompiler::compileFunctionBody (this=0x7fffffffaf40, fun=..., formals=..., generatorKind=js::NotGenerator)
    at /home/andre/hg/mozilla-central/js/src/frontend/BytecodeCompiler.cpp:703
#13 0x0000000000689789 in CompileFunctionBody (cx=0x7ffff6908c00, fun=..., options=..., formals=..., srcBuf=..., enclosingStaticScope=..., 
    generatorKind=js::NotGenerator) at /home/andre/hg/mozilla-central/js/src/frontend/BytecodeCompiler.cpp:896
#14 0x0000000000689802 in js::frontend::CompileFunctionBody (cx=0x7ffff6908c00, fun=..., options=..., formals=..., srcBuf=..., enclosingStaticScope=...)
    at /home/andre/hg/mozilla-central/js/src/frontend/BytecodeCompiler.cpp:906
#15 0x0000000000d94d80 in FunctionConstructor (cx=0x7ffff6908c00, argc=1, vp=0x7ffff3df60a8, generatorKind=js::NotGenerator)
    at /home/andre/hg/mozilla-central/js/src/jsfun.cpp:1927
#16 0x0000000000d94ece in js::Function (cx=0x7ffff6908c00, argc=1, vp=0x7ffff3df60a8) at /home/andre/hg/mozilla-central/js/src/jsfun.cpp:1935
#17 0x0000000000768362 in js::CallJSNative (cx=0x7ffff6908c00, native=0xd94ea3 <js::Function(JSContext*, unsigned int, JS::Value*)>, args=...)
    at /home/andre/hg/mozilla-central/js/src/jscntxtinlines.h:235
#18 0x0000000000732f28 in js::Invoke (cx=0x7ffff6908c00, args=..., construct=js::NO_CONSTRUCT)
    at /home/andre/hg/mozilla-central/js/src/vm/Interpreter.cpp:763
#19 0x0000000000742899 in Interpret (cx=0x7ffff6908c00, state=...) at /home/andre/hg/mozilla-central/js/src/vm/Interpreter.cpp:3054
#20 0x0000000000732b66 in js::RunScript (cx=0x7ffff6908c00, state=...) at /home/andre/hg/mozilla-central/js/src/vm/Interpreter.cpp:704
#21 0x000000000073420b in js::ExecuteKernel (cx=0x7ffff6908c00, script=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=js::EXECUTE_GLOBAL, 
    evalInFrame=..., result=0x7fffffffd420) at /home/andre/hg/mozilla-central/js/src/vm/Interpreter.cpp:978
#22 0x0000000000734510 in js::Execute (cx=0x7ffff6908c00, script=..., scopeChainArg=..., rval=0x7fffffffd420)
    at /home/andre/hg/mozilla-central/js/src/vm/Interpreter.cpp:1012
#23 0x0000000000d39775 in ExecuteScript (cx=0x7ffff6908c00, scope=..., script=..., rval=0x7fffffffd420)
    at /home/andre/hg/mozilla-central/js/src/jsapi.cpp:4353
#24 0x0000000000d39b08 in JS_ExecuteScript (cx=0x7ffff6908c00, scriptArg=..., rval=...) at /home/andre/hg/mozilla-central/js/src/jsapi.cpp:4378
#25 0x000000000042ff7c in EvalAndPrint (cx=0x7ffff6908c00, 
    bytes=0x7ffff3dfdcc0 "Function(`return [${\",\".repeat(16777215 + 1)}].length`)()\n\245\245\245\245\245\245", length=58, lineno=1, compileOnly=false, 
    out=0x7ffff6f6a740 <_IO_2_1_stdout_>) at /home/andre/hg/mozilla-central/js/src/shell/js.cpp:486
#26 0x0000000000430442 in ReadEvalPrintLoop (cx=0x7ffff6908c00, in=0x7ffff6f69980 <_IO_2_1_stdin_>, out=0x7ffff6f6a740 <_IO_2_1_stdout_>, 
    compileOnly=false) at /home/andre/hg/mozilla-central/js/src/shell/js.cpp:550
#27 0x0000000000430605 in Process (cx=0x7ffff6908c00, filename=0x0, forceTTY=true) at /home/andre/hg/mozilla-central/js/src/shell/js.cpp:581
#28 0x00000000004451d4 in ProcessArgs (cx=0x7ffff6908c00, op=0x7fffffffd940) at /home/andre/hg/mozilla-central/js/src/shell/js.cpp:5800
#29 0x000000000044641c in Shell (cx=0x7ffff6908c00, op=0x7fffffffd940, envp=0x7fffffffdb48) at /home/andre/hg/mozilla-central/js/src/shell/js.cpp:6109
#30 0x0000000000447736 in main (argc=1, argv=0x7fffffffdb38, envp=0x7fffffffdb48) at /home/andre/hg/mozilla-central/js/src/shell/js.cpp:6455
---
arai, it seems you added the call to SET_UINT24 and you have experience with the BytecodeEmitter. Any chance you would be interested in solving this? :)
Flags: needinfo?(arai.unmht)
Looks like a regression from bug 686274.  There the limit of array literal length is changed form 491519 to 2**28-1, that overflows from JSOP_NEWARRAY's 24bit operand.  It also means that elements after 2**24 are not initialized correctly when JSOP_NEWARRAY_COPYONWRITE is not usable, because JSOP_INITELEM_ARRAY's operand is also 24bit.

There will be some solutions:
  (a) limit the array literal length to 2**24-1
  (b) if length overflows from 24bit, use 0xffffff for JSOP_NEWARRAY operand and use JSOP_INITELEM_INC for remaining elements
  (c) extend operand of JSOP_NEWARRAY, JSOP_INITELEM_ARRAY, and JSOP_SPREADCALLARRAY to 32bit

(a) should be the simplest, but it might be a breaking change (I think it's super rare case tho)
I'll also investigate about (c).

Waldo, how do you think?
Blocks: 686274
Flags: needinfo?(arai.unmht) → needinfo?(jwalden+bmo)
Keywords: regression
Looks like extending opcodes to 32bit works
  https://treeherder.mozilla.org/#/jobs?repo=try&revision=19804c1395fe
Go with c.
Flags: needinfo?(jwalden+bmo)
Added test code in comment #0, but it takes long time if --ion-eager or --baseline-eager is specified.

  time taken by long-array-literal.js
     time | options
    ------+---------------
      2.3 | ""
     11.8 | "--ion-eager --ion-offthread-compile=off"
     12.0 | "--ion-eager --ion-offthread-compile=off --non-writable-jitcode --ion-check-range-analysis --ion-extra-checks --no-sse3 --no-threads"
     11.6 | "--baseline-eager"
     11.7 | "--baseline-eager --no-fpu"
      2.2 | "--no-baseline --no-ion"

Are these acceptable?
Assignee: nobody → arai.unmht
Attachment #8655175 - Flags: review?(jwalden+bmo)
Comment on attachment 8655175 [details] [diff] [review]
Extend JSOP_NEWARRAY/JSOP_INITELEM_ARRAY/JSOP_SPREADCALLARRAY operand to uint32.

Review of attachment 8655175 [details] [diff] [review]:
-----------------------------------------------------------------

An 11-second test doesn't horribly bother me.  I'd say it's fine landing it.

::: js/src/jit/BaselineIC.cpp
@@ +4156,1 @@
>          if (!InitArrayElemOperation(cx, pc, obj, index.toInt32(), rhs))

The context here is:

    // Check the old capacity
    uint32_t oldCapacity = 0;
    uint32_t oldInitLength = 0;
    if (index.isInt32() && index.toInt32() >= 0) {
        oldCapacity = GetAnyBoxedOrUnboxedCapacity(obj);
        oldInitLength = GetAnyBoxedOrUnboxedInitializedLength(obj);
    }

    if (op == JSOP_INITELEM) {
        if (!InitElemOperation(cx, obj, index, rhs))
            return false;
    } else if (op == JSOP_INITELEM_ARRAY) {
        MOZ_ASSERT(uint32_t(index.toInt32()) == GET_UINT24(pc));
        if (!InitArrayElemOperation(cx, pc, obj, index.toInt32(), rhs))
            return false;

We're passing a uint32_t here, as an int32_t, and relying on modular wraparound.  But that |index.toInt32() >= 0| above treats negative indexes as *actually* negative.  And if I look further on, there seem to be a bunch of places that are going to get in trouble of various sorts if oldCapacity/etc. are wrong, or if index is a negative int32_t, in ways that don't obviously appear "okay".  (Certainly some places will just deopt, but I'm not sure all of them will.)

So I think we still need a limit, besides UINT32_MAX here.  I think you should also (in addition to this 32-bit offset thing in the bytecode) add to the parser code to ensure we error out with some sort of too-large notification if the array literal grows too big.  2**24 wasn't a bad limit, but might as well bump it all the way to INT32_MAX while you're here.  But definitely we need an actual check, to avoid overflowing the new 31-bit boundary instead of the old 24-bit boundary.  (Maybe we could rely on the JS heap never growing that big, but I'd rather not.  :-) )

::: js/src/jit/IonBuilder.cpp
@@ +6838,5 @@
>          }
>      }
>  
>      if (needStub) {
> +        MCallInitElementArray* store = MCallInitElementArray::New(alloc(), obj, GET_UINT32(pc), value);

Split out GET_UINT32(pc) into a |uint32_t index| and use that in these two places.
Attachment #8655175 - Flags: review?(jwalden+bmo) → review-
Added 31-bit boundary check in several places.
Currently the length of the array literal is limited to NativeObject::NELEMENTS_LIMIT in parser, and overflow is reported there, so added check for |NativeObject::NELEMENTS_LIMIT <= INT32_MAX| to catch the change there in future.
Also, changed |jsatomid atomIndex;| to |uint32_t index;| in BytecodeEmitter::emitArray, as that's not an atom but just an index.
Attachment #8655175 - Attachment is obsolete: true
Attachment #8657385 - Flags: review?(jwalden+bmo)
Comment on attachment 8657385 [details] [diff] [review]
Extend JSOP_NEWARRAY/JSOP_INITELEM_ARRAY/JSOP_SPREADCALLARRAY operand to uint32.

Review of attachment 8657385 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/frontend/BytecodeEmitter.cpp
@@ +7271,5 @@
>  
> +    // Array literal's length is limited to NELEMENTS_LIMIT in parser.
> +    static_assert(NativeObject::NELEMENTS_LIMIT <= INT32_MAX,
> +                  "Array literal's maximum length shouldn't be greater than INT32_MAX");
> +    MOZ_ASSERT(count <= INT32_MAX);

Move this down after the spread-loop, because it's relevant to the emitUint32Operand call, not to the loop after this.  The reason-string should be something like, "array literals' maximum length must not exceed limits required by BaselineCompiler::emit_JSOP_NEWARRAY, BaselineCompiler::emit_JSOP_INITELEM_ARRAY, and DoSetElemFallback's handling of JSOP_INITELEM_ARRAY" -- point at the sibling code that depends upon this.

Good to see nspread made a uint32_t in passing.

Further on that, please also add MOZ_ASSERT(count >= nspread) as a sanity check against underflow.

::: js/src/jit-test/tests/arrays/long-array-literal.js
@@ +1,3 @@
> +function test() {
> +  let x = 42;
> +  let a = eval(`[${",".repeat(16777215 + 1)}x];`);

Do we want a similar version of this that tests the spreadcallarray stuff as well (I guess by tacking ', ...[]' onto the end of the literal)?  Seems like yes.

::: js/src/jit/BaselineCompiler.cpp
@@ +1781,5 @@
>  {
>      frame.syncStack(0);
>  
> +    uint32_t length = GET_UINT32(pc);
> +    MOZ_ASSERT(length <= INT32_MAX);

Augment this with a reason similar to what I mention for BaselineIC.cpp.

@@ +1786,3 @@
>  
>      // Pass length in R0.
>      masm.move32(Imm32(length), R0.scratchReg());

Use AssertedCast<int32_t>(length), from mozilla/Casting.h.

@@ +1839,5 @@
>  
>      // Load object in R0, index in R1.
>      masm.loadValue(frame.addressOfStackValue(frame.peek(-2)), R0);
> +    uint32_t index = GET_UINT32(pc);
> +    MOZ_ASSERT(index <= INT32_MAX);

Similar reason-adding.

::: js/src/jit/BaselineIC.cpp
@@ +4152,5 @@
>          if (!InitElemOperation(cx, obj, index, rhs))
>              return false;
>      } else if (op == JSOP_INITELEM_ARRAY) {
> +        MOZ_ASSERT(uint32_t(index.toInt32()) == GET_UINT32(pc));
> +        MOZ_ASSERT(uint32_t(index.toInt32()) <= INT32_MAX);

Add an explanation to the second assertion:

        MOZ_ASSERT(uint32_t(index.toInt32()) <= INT32_MAX,
                   "the bytecode emitter must fail to compile code that would "
                   "produce JSOP_INITELEM_ARRAY with an index exceeding "
                   int32_t range");

Also, do this assertion before doing the equals-index-in-bytecode assertion.  First check that the given value is in the right range.  *Then* check that the value now known to be in the right range, corresponds with the value burned into the script.  If uint32_t(index) doesn't make sense because index is negative, a comparison to it makes even less sense.  See what I mean?

I kind of want to say just ignore |index| entirely (except for purposes of assertions) and use GET_UINT32(pc) instead, but it feels to me like the |pc| argument to this function should eventually die, so I"m not going to suggest it.

::: js/src/jit/IonBuilder.cpp
@@ +6712,5 @@
>  
>  bool
>  IonBuilder::jsop_newarray(uint32_t count)
>  {
> +    MOZ_ASSERT(count <= INT32_MAX);

This one, and the one below it, I'd say we should remove.

The distinction is that *if* you passed in a bigger int32_t here, nothing would go wrong (you'd allocation-overflow, but that's not *wrong* behavior).  We should only assert <= INT32_MAX when the code will do a wrong thing if the assertion failed.  But here, and just below (and in the interpreter case), there's no mis-interpretation of uint32_t(-1) as -1 or whatever.  If at some time we made lengths > INT32_MAX actually work, this code would need no changes to support it.

::: js/src/vm/Interpreter.cpp
@@ +3604,5 @@
>  CASE(JSOP_NEWARRAY)
>  CASE(JSOP_SPREADCALLARRAY)
>  {
> +    uint32_t length = GET_UINT32(REGS.pc);
> +    MOZ_ASSERT(length <= INT32_MAX);

Remove this assertion and the similar one below, IMO -- nothing goes wrong if a non-int32_t is passed in here, the APIs accept uint32_t and don't do anything wrong if passed a super-big uint32_t.  (They'd throw allocation-overflow, but that's not wrong or misinterpreting a uint32_t as int32_t or whatever.)

::: js/src/vm/Opcodes.h
@@ +844,5 @@
>      /*
>       * Pushes newly created array onto the stack.
>       *
>       * This opcode takes the final length, which is preallocated.
> +     * 'length' should be less than or equal to INT32_MAX.

So actually, I'm not sure I'd put this in here.  (Same for all the other comments in this file's changes.)

That this will fail at runtime isn't a characteristic of the bytecode format.  It's just an extra restriction applied to the semantics of bytecode emission for certain source text.  I think it's perfectly fine to not state this, to not assert it, and to leave the not-too-large checks to runtime tests (such checks being necessary for other reasons, we're not adding any extra code for them).
Attachment #8657385 - Flags: review?(jwalden+bmo) → review+
Comment on attachment 8657385 [details] [diff] [review]
Extend JSOP_NEWARRAY/JSOP_INITELEM_ARRAY/JSOP_SPREADCALLARRAY operand to uint32.

Review of attachment 8657385 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/frontend/BytecodeEmitter.cpp
@@ +7271,5 @@
>  
> +    // Array literal's length is limited to NELEMENTS_LIMIT in parser.
> +    static_assert(NativeObject::NELEMENTS_LIMIT <= INT32_MAX,
> +                  "Array literal's maximum length shouldn't be greater than INT32_MAX");
> +    MOZ_ASSERT(count <= INT32_MAX);

Actually, forgot to mention it, but make this MOZ_ASSERT(count <= NativeObject::NELEMENTS_LIMIT).  That's the real limit observable here, and something's just as wrong in our understanding (and desirous of an assertion to note it) if we get a count still int32_t but greater than this limit.
Thank you for reviewing :)

Then, another trouble happens. The test takes so much RAM, maybe 4GB or 5GB per single js process.

The test hits OOM on try server (c3.xlarge, 7.5GB RAM)
  https://treeherder.mozilla.org/#/jobs?repo=try&revision=485a94c22c98

Also, it hits timeout on my linux box (4GB RAM).  sorry, I should've tested on this too :P
Setting longer timeout hits OOM after 1000sec, and so much swap happens.
Longer timeout and running sequentially (-j1) doesn't hit OOM, but still takes too long (600sec totally, with 6 variants for single test).

comment #5 was the result on iMac Late 2013 (16GB RAM) it doesn't hit OOM nor timeout.  but I saw single js process takes 4.7GB while testing with -j4.

So, Looks like we shouldn't enable test for this bug by default, even on opt build :/
Do you think it's okay to add |slow|?  or we should just remove the test?
Flags: needinfo?(jwalden+bmo)
Hm, even for slow is probably a nasty surprise.  I think that runs on tinderbox but not locally, but even tinderbox infra may not like a 5GB allocation.  And certainly I'd be in trouble, sometimes, if a 5GB allocation spontaneously happened on my system.  I guess just don't land a test.

(In reply to Jeff Walden [:Waldo] (remove +bmo to email) from comment #9)
> > +    // Array literal's length is limited to NELEMENTS_LIMIT in parser.
> > +    static_assert(NativeObject::NELEMENTS_LIMIT <= INT32_MAX,
> > +                  "Array literal's maximum length shouldn't be greater than INT32_MAX");
> > +    MOZ_ASSERT(count <= INT32_MAX);
> 
> Actually, forgot to mention it, but make this MOZ_ASSERT(count <=
> NativeObject::NELEMENTS_LIMIT).

Er, count < NELEMENTS_LIMIT, that should be.  Unless we change its name/meaning at some point before this patchwork lands, at least.
Flags: needinfo?(jwalden+bmo)
backed out to backout depending patches.
https://hg.mozilla.org/integration/mozilla-inbound/rev/92c771c3f3e2
https://hg.mozilla.org/mozilla-central/rev/f46afea54f1c
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox44: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: