Bug 1368582
Opened 8 years ago
Closed 8 years ago
Assertion failure: !hasFlags(1 << InWorklist), at js/src/jit/MIR.h:734 with OOM
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
Target Milestone: mozilla55

Flag | Tracking | Status
---|---|---
firefox-esr52 | --- | unaffected
firefox54 | --- | unaffected
firefox55 | --- | fixed

Reporter: decoder
Assignee: tcampbell
References: Blocks 1 open bug
Keywords: assertion, bugmon, testcase
Whiteboard: [jsbugmon:update]
The following testcase crashes on mozilla-central revision ebad93e11770 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-eager --ion-offthread-compile=off):
actual = '';
var f = function() {
    var p = 1;
    function g() {
        for (var assertEq = 0; i < 5; ++i)
            appendToActual(p);
    }
    g();
}
try {
    for (var i = 0; i < 5; ++i) f();
} catch(exc1) {}
var appendToActual = function(s) {
    actual += s + ',';
}
oomTest(function() {
    let m = parseModule("f(1)");
    m.declarationInstantiation();
    m.evaluation();
});
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x000000000074bbc8 in js::jit::MDefinition::setInWorklist (this=<optimized out>) at js/src/jit/MIR.h:734
#0 0x000000000074bbc8 in js::jit::MDefinition::setInWorklist (this=<optimized out>) at js/src/jit/MIR.h:734
#1 js::jit::LRecoverInfo::appendDefinition (this=<optimized out>, def=0x7ffff3fed8a8) at js/src/jit/LIR.cpp:235
#2 0x000000000074bca4 in js::jit::LRecoverInfo::appendResumePoint (this=this@entry=0x7ffff4036cd8, rp=rp@entry=0x7ffff3feaed8) at js/src/jit/LIR.cpp:247
#3 0x000000000074bd1c in js::jit::LRecoverInfo::init (this=0x7ffff4036cd8, rp=0x7ffff3feaed8) at js/src/jit/LIR.cpp:267
#4 0x000000000074c088 in js::jit::LRecoverInfo::New (gen=<optimized out>, mir=0x7ffff3feaed8) at js/src/jit/LIR.cpp:203
#5 0x00000000008967cb in js::jit::LIRGeneratorShared::getRecoverInfo (this=0x7fffffffa790, rp=<optimized out>) at js/src/jit/shared/Lowering-shared.cpp:155
#6 0x000000000089846e in js::jit::LIRGeneratorShared::buildSnapshot (this=this@entry=0x7fffffffa790, ins=ins@entry=0x7ffff4036b00, rp=<optimized out>, kind=kind@entry=js::jit::Bailout_DuringVMCall) at js/src/jit/shared/Lowering-shared.cpp:244
#7 0x00000000008989cc in js::jit::LIRGeneratorShared::assignSafepoint (this=0x7fffffffa790, ins=0x7ffff4036b00, mir=0x7ffff3feb018, kind=js::jit::Bailout_DuringVMCall) at js/src/jit/shared/Lowering-shared.cpp:310
#8 0x000000000075f9cd in js::jit::LIRGenerator::visitConcat (this=0x7fffffffa790, ins=0x7ffff3feb018) at js/src/jit/Lowering.cpp:1972
#9 0x0000000000761c39 in js::jit::LIRGenerator::visitInstruction (this=this@entry=0x7fffffffa790, ins=ins@entry=0x7ffff3feb018) at js/src/jit/Lowering.cpp:4932
#10 0x000000000077ba5e in js::jit::LIRGenerator::visitInstruction (ins=0x7ffff3feb018, this=0x7fffffffa790) at js/src/ds/LifoAlloc.h:338
#11 js::jit::LIRGenerator::visitBlock (this=this@entry=0x7fffffffa790, block=block@entry=0x7ffff3fea530) at js/src/jit/Lowering.cpp:5014
#12 0x000000000077bdcb in js::jit::LIRGenerator::generate (this=this@entry=0x7fffffffa790) at js/src/jit/Lowering.cpp:5082
#13 0x00000000006ce18b in js::jit::GenerateLIR (mir=mir@entry=0x7ffff3fe61c0) at js/src/jit/Ion.cpp:1867
#14 0x0000000000700475 in js::jit::CompileBackEnd (mir=mir@entry=0x7ffff3fe61c0) at js/src/jit/Ion.cpp:1962
#15 0x0000000000433a9c in js::jit::IonCompile (cx=cx@entry=0x7ffff6924000, script=<optimized out>, baselineFrame=baselineFrame@entry=0x0, osrPc=osrPc@entry=0x0, recompile=<optimized out>, optimizationLevel=<optimized out>) at js/src/jit/Ion.cpp:2247
#16 0x000000000070097b in js::jit::Compile (cx=cx@entry=0x7ffff6924000, script=script@entry=..., osrFrame=osrFrame@entry=0x0, osrPc=osrPc@entry=0x0, forceRecompile=forceRecompile@entry=false) at js/src/jit/Ion.cpp:2440
#17 0x0000000000700b18 in js::jit::CanEnter (cx=cx@entry=0x7ffff6924000, state=...) at js/src/jit/Ion.cpp:2537
#18 0x0000000000532c4a in js::RunScript (cx=0x7ffff6924000, state=...) at js/src/vm/Interpreter.cpp:386
#19 0x0000000000535951 in js::ExecuteKernel (cx=cx@entry=0x7ffff6924000, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x7fffffffbe88) at js/src/vm/Interpreter.cpp:699
#20 0x0000000000535d48 in js::Execute (cx=cx@entry=0x7ffff6924000, script=script@entry=..., envChainArg=..., rval=rval@entry=0x7fffffffbe88) at js/src/vm/Interpreter.cpp:732
#21 0x00000000005574f4 in js::ModuleObject::evaluate (cx=cx@entry=0x7ffff6924000, self=..., self@entry=..., rval=rval@entry=...) at js/src/builtin/ModuleObject.cpp:927
#22 0x0000000000bdcbd7 in intrinsic_EvaluateModule (cx=0x7ffff6924000, argc=<optimized out>, vp=<optimized out>) at js/src/vm/SelfHosting.cpp:2082
#23 0x00002d53d628fb74 in ?? ()
#24 0x00007ffff3e457e0 in ?? ()
#25 0x00007fffffffbe60 in ?? ()
#26 0x0000000000000000 in ?? ()
rax 0x0 0
rbx 0x7ffff3fedc50 140737286954064
rcx 0x7ffff6c28a2d 140737333332525
rdx 0x0 0
rsi 0x7ffff6ef7770 140737336276848
rdi 0x7ffff6ef6540 140737336272192
rbp 0x7fffffffa330 140737488331568
rsp 0x7fffffffa310 140737488331536
r8 0x7ffff6ef7770 140737336276848
r9 0x7ffff7fe4740 140737354024768
r10 0x58 88
r11 0x7ffff6b9f750 140737332770640
r12 0x7ffff4036cd8 140737287253208
r13 0x7ffff4358e80 140737290538624
r14 0x7ffff3feaed8 140737286942424
r15 0x7ffff3feaed8 140737286942424
rip 0x74bbc8 <js::jit::LRecoverInfo::appendDefinition(js::jit::MDefinition*)+152>
=> 0x74bbc8 <js::jit::LRecoverInfo::appendDefinition(js::jit::MDefinition*)+152>: movl $0x0,0x0
0x74bbd3 <js::jit::LRecoverInfo::appendDefinition(js::jit::MDefinition*)+163>: ud2
Updated•8 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•8 years ago
JSBugMon: Bisection requested, failed due to error (try manually).
Comment 2•8 years ago
This is under visitConcat, could it be related to your MConcat patches?
Flags: needinfo?(tcampbell)
Comment 3•8 years ago
A debug build should also assert by verifying if the InWorkList flag was accidentally left as set on the instruction.
Flags: needinfo?(nicolas.b.pierron)
Comment 4•8 years ago (Assignee)
This crash appears after Bug 1365782 was introduced. Investigating.
I see I didn't correctly remove code when I disabled DCE, but the crash persists in the follow-up patch where I re-enable DCE.
Comment 5•8 years ago (Assignee)
The assertion is caused by having a snapshot and a safepoint share the same ResumePoint, but after code motion they do not take advantage of |cachedRecoverInfo_|, and recover info is generated twice. I need to revisit how we define MConcat in the MIR.
Comment 6•8 years ago
(In reply to Ted Campbell [:tcampbell] from comment #5)
> The assertion is caused by having a snapshot and a safepoint share the same
> ResumePoint, but after code motion do not take advantage of
> |cachedRecoverInfo_| and recover info is generated twice. I need to revisit
> how we define MConcat in the MIR.
Snapshots are made to handle failures before any computations made by the instruction.
Safepoints are made to reconstruct a (typed-) machine state while we are under a call, needed for marking the stack and reconstructing the stack while handling exceptions. Safepoints do not own any resume point; we happen to use them with the resume point of the OSIPoint, which carries the bailout & snapshot associated with the resume point provided by the instruction.
Note that assignSnapshot always uses the lastResumePoint_, even if the current instruction provides one, as opposed to assignSafepoint.
http://searchfox.org/mozilla-central/source/js/src/jit/shared/Lowering-shared.cpp#294,309-310
Flags: needinfo?(nicolas.b.pierron)
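The snapshot/safepoint sharing discussed in comments 5 and 6, and the stale-flag check suggested in comment 3, as a reduced C++ model. This is an added illustration, not SpiderMonkey's code: the names MDefinition, MResumePoint, LRecoverInfo, cachedRecoverInfo_, setInWorklist, init and appendDefinition are taken from the backtrace and comments above, while their bodies, the verifyNoStaleFlags check, the getRecoverInfo helper, the Sample graph and the three result functions are simplifications written here. Where the real code asserts and aborts, this model throws so the outcome can be checked.

```cpp
#include <cstdint>
#include <memory>
#include <stdexcept>
#include <string>
#include <vector>
constexpr uint32_t InWorklist = 0;   // bit index behind "1 << InWorklist"

struct MDefinition {
    const char* name;
    std::vector<MDefinition*> operands;   // inputs that must be recovered too
    uint32_t flags = 0;
    bool hasFlags(uint32_t mask) const { return (flags & mask) != 0; }
    bool isInWorklist() const { return hasFlags(1u << InWorklist); }
    // The real code asserts !hasFlags(1 << InWorklist) here; throwing keeps the
    // model testable instead of aborting the process.
    void setInWorklist() {
        if (isInWorklist()) throw std::logic_error("InWorklist already set");
        flags |= 1u << InWorklist;
    }
    void setNotInWorklist() { flags &= ~(1u << InWorklist); }
};
struct LRecoverInfo;
struct MResumePoint {
    std::vector<MDefinition*> operands;          // live values at this point
    LRecoverInfo* cachedRecoverInfo_ = nullptr;  // reused by later consumers
};

struct LRecoverInfo {
    std::vector<MDefinition*> instructions_;   // recovery order, inputs first
    // Push def after its unvisited operands; the flag records membership so a
    // value reachable along two paths is appended only once per walk.
    void appendDefinition(MDefinition* def) {
        def->setInWorklist();
        for (MDefinition* op : def->operands)
            if (!op->isInWorklist()) appendDefinition(op);
        instructions_.push_back(def);
    }
    // Model-specific debug check in the spirit of comment 3: a flag left set by
    // an earlier walk would otherwise make this walk silently skip the value.
    static void verifyNoStaleFlags(const MResumePoint* rp) {
        for (const MDefinition* op : rp->operands)
            if (op->isInWorklist()) throw std::logic_error("stale InWorklist flag");
    }
    void init(MResumePoint* rp) {
        verifyNoStaleFlags(rp);
        for (MDefinition* op : rp->operands)
            if (!op->isInWorklist()) appendDefinition(op);
        for (MDefinition* d : instructions_) d->setNotInWorklist();  // flags are temporary
    }
};

// One recover info per resume point when caching is on; a duplicate on every
// request when it is off (the "generated twice" case from comment 5).
LRecoverInfo* getRecoverInfo(std::vector<std::unique_ptr<LRecoverInfo>>& infos,
                             MResumePoint* rp, bool useCache) {
    if (useCache && rp->cachedRecoverInfo_) return rp->cachedRecoverInfo_;
    infos.push_back(std::make_unique<LRecoverInfo>());
    infos.back()->init(rp);
    if (useCache) rp->cachedRecoverInfo_ = infos.back().get();
    return infos.back().get();
}

// Constructed sample graph: concat uses a and b; the resume point lists concat
// and then a again, so a is reachable along two paths.
struct Sample {
    MDefinition a{"a"}, b{"b"}, concat{"concat", {&a, &b}};
    MResumePoint rp{{&concat, &a}};
};

// Snapshot and safepoint of one instruction share a resume point (comment 5).
int recoverInfosBuilt(bool useCache) {
    Sample s;
    std::vector<std::unique_ptr<LRecoverInfo>> infos;
    getRecoverInfo(infos, &s.rp, useCache);   // assignSnapshot
    getRecoverInfo(infos, &s.rp, useCache);   // assignSafepoint
    return static_cast<int>(infos.size());
}

// Order in which one walk recovers the sample: "a b concat ", no duplicate a.
std::string recoveryOrder() {
    Sample s;
    LRecoverInfo info;
    info.init(&s.rp);
    std::string out;
    for (MDefinition* d : info.instructions_) out += std::string(d->name) + " ";
    return out;
}

// Comment 3's scenario: a flag left set is caught before the walk starts.
bool staleFlagDetected() {
    Sample s;
    s.a.setInWorklist();                      // simulate the leaked flag
    try { LRecoverInfo info; info.init(&s.rp); return false; }
    catch (const std::logic_error&) { return true; }
}
```

With caching on, the second consumer of the shared resume point gets the first recover info back and only one walk is made; with caching off, the model builds two independent copies, which is the wasted and error-prone duplication comment 5 points at. The verifyNoStaleFlags check is the debug-build verification comment 3 asks for, expressed in this model's terms: a definition whose temporary InWorklist flag outlives its walk is reported at the start of the next walk rather than being silently dropped from the recovery list.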
Comment 7•8 years ago (Assignee)
Backing out Bug 1365782 to clear this issue for beta55. Patch needs to be rewritten.
Assignee: nobody → tcampbell
Comment 8•8 years ago (Assignee)
Fixed by backout of Bug 1365782.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(tcampbell)
Resolution: --- → FIXED
Updated•8 years ago
status-firefox54: --- → unaffected
status-firefox-esr52: --- → unaffected
Target Milestone: --- → mozilla55