1209026 - Crash [@ js::jit::AssemblerX86Shared::bind]

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 6256ec9113c1 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-eager --ion-extra-checks --baseline-eager):

function oomTest(f) {
    var i = 1;
    var more;
    do {
        try {
            oomAtAllocation(i);
            f();
            more = resetOOMFailure();
        } catch (e) {
            more = resetOOMFailure();
        }
        i++;
    } while(more);
}
oomTest(() => getBacktrace({
	thisprops: gc() && delete addDebuggee.enabled        
}));



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff5ac2700 (LWP 25832)]
js::jit::AssemblerX86Shared::bind (this=0x7ffff47c9058, label=0x0) at js/src/jit/x86-shared/Assembler-x86-shared.h:932
#0  js::jit::AssemblerX86Shared::bind (this=0x7ffff47c9058, label=0x0) at js/src/jit/x86-shared/Assembler-x86-shared.h:932
#1  0x0000000000930205 in js::jit::CodeGenerator::getJumpLabelForBranch (this=this@entry=0x7ffff47c9000, block=0x7ffff47f0598) at js/src/jit/CodeGenerator.cpp:664
#2  0x00000000009530e2 in js::jit::CodeGenerator::visitTestVAndBranch (this=0x7ffff47c9000, lir=0x7ffff69ecc60) at js/src/jit/CodeGenerator.cpp:709
#3  0x0000000000991946 in js::jit::CodeGenerator::generateBody (this=this@entry=0x7ffff47c9000) at js/src/jit/CodeGenerator.cpp:4149
#4  0x000000000099207a in js::jit::CodeGenerator::generate (this=this@entry=0x7ffff47c9000) at js/src/jit/CodeGenerator.cpp:7859
#5  0x0000000000992291 in js::jit::GenerateCode (mir=mir@entry=0x7ffff47ed258, lir=0x7ffff69e9980) at js/src/jit/Ion.cpp:1954
#6  0x0000000000992385 in js::jit::CompileBackEnd (mir=0x7ffff47ed258) at js/src/jit/Ion.cpp:1976
#7  0x00000000006668dd in js::HelperThread::handleIonWorkload (this=this@entry=0x7ffff6933a78) at js/src/vm/HelperThreads.cpp:1156
#8  0x000000000066789a in js::HelperThread::threadLoop (this=0x7ffff6933a78) at js/src/vm/HelperThreads.cpp:1458
#9  0x00000000006b9911 in nspr::Thread::ThreadRoutine (arg=0x7ffff6931180) at js/src/vm/PosixNSPR.cpp:45
#10 0x00007ffff7bc4182 in start_thread (arg=0x7ffff5ac2700) at pthread_create.c:312
#11 0x00007ffff6cb3fbd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
rax	0x0	0
rbx	0x0	0
rcx	0xa	10
rdx	0x400	1024
rsi	0xe0a9aa	14723498
rdi	0xa	10
rbp	0x7ffff5ac1a60	140737315084896
rsp	0x7ffff5ac1a10	140737315084816
r8	0xe0bab8	14727864
r9	0xe0d574	14734708
r10	0x7ffff47c9998	140737295194520
r11	0xa010eb80	2685463424
r12	0x29cb	10699
r13	0x29cb	10699
r14	0x7ffff47f0598	140737295353240
r15	0x7ffff47c9058	140737295192152
rip	0x5b9382 <js::jit::AssemblerX86Shared::bind(js::jit::Label*)+82>
=> 0x5b9382 <js::jit::AssemblerX86Shared::bind(js::jit::Label*)+82>:	cmpb   $0x0,0x3(%rbx)
   0x5b9386 <js::jit::AssemblerX86Shared::bind(js::jit::Label*)+86>:	jns    0x5b9390 <js::jit::AssemblerX86Shared::bind(js::jit::Label*)+96>


Marking as fuzzblocker because I see more crashes related to this that I cannot easily match with a signature.

Comment 1

[Jan de Mooij [:jandem]]

Hm this might be related to a topcrash with that signature. Will take a look today.

Comment 2

[Jan de Mooij [:jandem]]

Attachment: Patch

Use infallible allocation for Labels.

Comment 3

[Jon Coppeard (:jonco)]

Comment on attachment 8666685 [details] [diff] [review]
Patch

Review of attachment 8666685 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good.

::: js/src/jit-test/tests/gc/oomInGetJumpLabelForBranch.js
@@ +1,1 @@
> +// |jit-test| allow-unhandlable-oom; allow-oom

We don't need this, or possibly it should just be "|jit-test| --no-threads" only.

The test should catch the OOM so we don't want 'allow-oom' and we don't need 'allow-unhandlable-oom' because the framework skips those allocations.

Comment 4

[Fuzzing Team]

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/6ffa14c65354
user:        Jon Coppeard
date:        Fri May 22 18:52:38 2015 +0100
summary:     Bug 1155618 - Add better support for testing OOM behaviour r=terrence

This iteration took 193.000 seconds to run.

Comment 5

[Fuzzing Team]

JSBugMon: The testcase found in this bug no longer reproduces (tried revision 891ee0d0ba3e).

Comment 6

[Jan de Mooij [:jandem]]

(In reply to Jon Coppeard (:jonco) from comment #3)
> > +// |jit-test| allow-unhandlable-oom; allow-oom
> 
> We don't need this, or possibly it should just be "|jit-test| --no-threads"
> only.

The "allow-unhandlable-oom" was because we hit the CrashAtUnhandlableOOM in ExceptionHandlerBailout, but bug 1210760 should fix that :) Will do another try push to confirm.

Comment 7

[Pulsebot]

https://hg.mozilla.org/integration/mozilla-inbound/rev/2e1d5292d55f

Comment 8

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

https://hg.mozilla.org/mozilla-central/rev/2e1d5292d55f

Comment 10

[Ritu Kothari (:ritu) (Inactive, please n-i to RyanVM, jcristau, or pascal)]

Hi Jan, this crash signature is ranked #4 in top crashers on 45 Release. Would you be able to help investigate the reports and see if there any useful information in the latest crash reports? Thanks!

Comment 11

[Jan de Mooij [:jandem]]

(In reply to Ritu Kothari (:ritu) from comment #10)
> Hi Jan, this crash signature is ranked #4 in top crashers on 45 Release.
> Would you be able to help investigate the reports and see if there any
> useful information in the latest crash reports? Thanks!

Thanks for the reminder. I'll move this NI to bug 1124397.