1298139 - Crash [@ js::jit::BytecodeAnalysis::info]

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect, critical)

Description

[Gary Kwong [:gkw] [:nth10sd]]

The following testcase crashes on mozilla-central revision bd7645928990 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-loop-unrolling=on):

// jsfunfuzz-generated
oomTest(
    new Function("\
        eval(\"\
            /* Adapted from randomly chosen test: js/src/jit-test/tests/jaeger/recompile/memory-01.js */ \
            (function() {\
                for (var i = 0; i < 999; i++) {}\
            })();\
        \")\
    ")
)


Backtrace:

0   js-dbg-64-dm-clang-darwin-bd7645928990	0x000000010fd78204 js::jit::BytecodeAnalysis::info(unsigned char*) + 20 (BytecodeAnalysis.h:51)
1   js-dbg-64-dm-clang-darwin-bd7645928990	0x000000010fd5ac9d js::jit::MBasicBlock::inherit(js::jit::TempAllocator&, js::jit::BytecodeAnalysis*, js::jit::MBasicBlock*, unsigned int, unsigned int) + 429 (MIRGraph.cpp:531)
2   js-dbg-64-dm-clang-darwin-bd7645928990	0x000000010fd5aa88 js::jit::MBasicBlock::New(js::jit::MIRGraph&, js::jit::BytecodeAnalysis*, js::jit::CompileInfo const&, js::jit::MBasicBlock*, js::jit::BytecodeSite*, js::jit::MBasicBlock::Kind) + 520 (MIRGraph.cpp:274)
3   js-dbg-64-dm-clang-darwin-bd7645928990	0x000000010fcc8bc2 js::jit::UnrollLoops(js::jit::MIRGraph&, mozilla::Vector<js::jit::LoopIterationBound*, 0ul, js::SystemAllocPolicy> const&) + 1506 (LoopUnroller.cpp:215)
4   js-dbg-64-dm-clang-darwin-bd7645928990	0x000000010fc0c8fd js::jit::OptimizeMIR(js::jit::MIRGenerator*) + 5101 (Ion.cpp:1781)
5   js-dbg-64-dm-clang-darwin-bd7645928990	0x000000010fc17f13 js::jit::CompileBackEnd(js::jit::MIRGenerator*) + 67 (Ion.cpp:2025)
/snip

For detailed crash information, see attachment.

Comment 1

[Gary Kwong [:gkw] [:nth10sd]]

Attachment: Detailed Crash Information

Comment 2

[Gary Kwong [:gkw] [:nth10sd]]

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/4b5c2c00f20a
user:        Nicolas B. Pierron
date:        Mon Jun 20 13:54:08 2016 +0000
summary:     Bug 1264948 part 1 - Register if the LifoAlloc is supposed to be infallible or not. r=jonco,h4writer

Nicolas, setting needinfo? from you again.

Comment 3

[Gary Kwong [:gkw] [:nth10sd]]

Attachment: OOM_VERBOSE=1 stack from m-c rev bd7645928990

Comment 4

[Fuzzing Team]

JSBugMon: The testcase found in this bug no longer reproduces (tried revision 8d9fd089cabd).

Comment 5

[Fuzzing Team]

JSBugMon: Fix Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160504012947" and the hash "4f4c042c6d3a6d393b6b26f789fb087648a2cdcd".
The "bad" changeset has the timestamp "20160504014445" and the hash "ecc70bad825e8702f2ee171ae89392887753c21c".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=4f4c042c6d3a6d393b6b26f789fb087648a2cdcd&tochange=ecc70bad825e8702f2ee171ae89392887753c21c

Comment 6

[Gary Kwong [:gkw] [:nth10sd]]

This issue is probably intermittent and comment 5 likely isn't accurate. Hannes, what do you think might be the issue here?

Comment 7

[Gary Kwong [:gkw] [:nth10sd]]

Hannes isn't likely to be active much going forward. Jan/Nicolas, what's next here?

Comment 8

[Jan de Mooij [:jandem]]

Attachment: Patch

The loop unrolling code (disabled by default) needs to handle OOM properly.

I can't reproduce this on tip so I didn't add the testcase.

Comment 9

[Pulsebot]

Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/3f347989ea45
Make LoopUnroller code handle OOM correctly. r=nbp

Comment 10

[Phil Ringnalda (:philor)]

https://hg.mozilla.org/mozilla-central/rev/3f347989ea45