Differential Testing: Different output message involving 32-bit ARM simulator and --arm-hwcap=vfp
Categories
(Core :: JavaScript Engine: JIT, defect, P1)
Tracking
()
People
(Reporter: gkw, Assigned: wingo)
References
Details
(Keywords: testcase)
Attachments
(2 files)
47 bytes,
text/x-phabricator-request
|
Details | Review | |
6.93 KB,
patch
|
lizzard
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
function f(x, y) {
return (y ? 1 : x | 0) && x / 1;
}
x = [[], 1];
for (var j = 0; j < 2; ++j) {
for (var k = 0; k < 3; ++k) {
print(f(x[j], x[k]));
}
}
$ ./js-32-dm-armSim-linux-f039f8426b5f --fuzzing-safe --no-threads --ion-eager testcase.js
0
0
0
1
1
1
$ ./js-32-dm-armSim-linux-f039f8426b5f --fuzzing-safe --no-threads --ion-eager --arm-hwcap=vfp testcase.js
0
0
0
1
1
0
Tested this on m-c rev f039f8426b5f.
My configure flags are:
PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig 'CC="gcc -m32 -msse2 -mfpmath=sse"' 'CXX="g++ -m32 -msse2 -mfpmath=sse"' AR=ar sh /home/ubuntu/trees/mozilla-central/js/src/configure --target=i686-pc-linux --enable-simulator=arm --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-cranelift --disable-tests
python3 -u -m funfuzz.js.compile_shell -b "--32 --enable-more-deterministic --enable-simulator=arm" -r f039f8426b5f
Trying to get a bisection result...
Reporter | ||
Comment 1•5 years ago
|
||
autobisectjs shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/d5c22661c860
user: Robin Templeton
date: Tue Sep 18 04:04:53 2018 +0000
summary: bug 1490387 - Part 3: Implement BigInt support for bitwise operators. r=jandem
Jan, is bug 1490387 a likely regressor?
Comment 2•5 years ago
|
||
Soapbox: --arm-hwcap=vfp is probably unsupported, as that is an ARMv6 device with floating point and ARMv6 is not supported.
See https://searchfox.org/mozilla-central/source/js/src/jit/arm/Architecture-arm.cpp#51 et seq.
In the past I've argued that we should just error out or print prominent warnings for unsupported / nonsensical device specs. --arm-hwcap is a sharp tool and many combinations of features do not make sense.
(Not to say a bug wasn't found here but then it should also be visible with a more reasonable set of flags.)
Reporter | ||
Comment 3•5 years ago
|
||
That flag is still in fuzz-flags.txt in case anyone wonders:
https://hg.mozilla.org/mozilla-central/annotate/14defbde23a6/js/src/shell/fuzz-flags.txt#l67
Comment 4•5 years ago
|
||
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #3)
That flag is still in fuzz-flags.txt in case anyone wonders:
https://hg.mozilla.org/mozilla-central/annotate/14defbde23a6/js/src/shell/fuzz-flags.txt#l67
Mkay. Should be possible to cook up a more interesting list of flag combinations there based on what we consider tier-1 hardware...
Comment 5•5 years ago
|
||
Robin, can you take a look at this? See also comment 2, but just in case there's an actual/unrelated bug here.
Comment 6•5 years ago
|
||
i can reproduce this locally, but i don't know yet what's causing the incorrect output
the testcase appears to work with --arm-hwcap=idiva and fails with any other --arm-hwcap flag
IONFLAGS=all output looks similar for --arm-hwcap=idiva and --arm-hwcap=vfp except for additional "pools" log entries with vfp:
[Codegen] emitGuardIsInt32
[Codegen] emitGuardIsInt32
[Codegen] emitInt32DivResult
+[Pools] [0] Inserting 1 entries into pool
+[Pools] [0] data is: 0xf63c8aa4
+[Pools] [0] Entry has index 0, offset 120
[Codegen] emitReturnFromIC
Comment 7•5 years ago
|
||
Hm, something is wonky with Ion type analysis here. Consider that the original loop is actually this (note the update to the array):
x = [[], 1, undefined];
for (var j = 0; j < 2; ++j) {
for (var k = 0; k < 3; ++k) {
print(f(x[j], x[k]));
}
}
and this has the same result as Gary reported. But if one expands that loop nest like this:
print(f([], []));
print(f([], 1));
print(f([], undefined));
print(f(1, []));
print(f(1, 1));
print(f(1, undefined));
then the error does not occur.
(:lth stops playing around with the JIT and goes back to what he's supposed to be doing.)
Comment 8•5 years ago
|
||
running the shell with --fuzzing-safe --no-threads --ion-eager --arm-hwcap=vfp
produces incorrect output, but adding any combination of the following flags prevents the error: --cache-ir-stubs=off
, --cache-ir-stubs=nobinary
, --ion-inlining=off
, --ion-osr=off
, --ion-regalloc=stupid
Comment 9•5 years ago
|
||
additional test cases that print incorrect output with shell options --fuzzing-safe --no-threads --ion-eager --arm-hwcap=vfp
:
z=[[],1];for(var j=0;j<2;++j){for(var k=0;k<3;++k){print(((x, y) => (y?1:(x|0))&&(x/1))(z[j],z[k]));}}
z=[[],1];for(var j=0;j<2;++j){for(var k=0;k<3;++k){print(((x, y) => (y?1:(x&1))&&(x/1))(z[j],z[k]));}}
z=[[],1];for(var j=0;j<2;++j){for(var k=0;k<3;++k){print(((x, y) => (y?1:(x>>0))&&(x/1))(z[j],z[k]));}}
z=[[],1];for(var j=0;j<2;++j){for(var k=0;k<3;++k){print(((x, y) => (y?1:(x<<0))&&(x/1))(z[j],z[k]));}}
z=[[],1];for(var j=0;j<2;++j){for(var k=0;k<3;++k){print(((x, y) => (y?1:(x>>>0))&&(x/1))(z[j],z[k]));}}
z=[[],1];for(var j=0;j<2;++j){for(var k=0;k<3;++k){print(((x, y) => (y?1:(x**1))&&(x/1))(z[j],z[k]));}}
Assignee | ||
Comment 10•5 years ago
|
||
Robin just noted that the following change to register allocation fixes the symptoms for these tests: https://hg.mozilla.org/try/diff/6c1550a4ae06/js/src/jit/CacheIRCompiler.cpp. But I speculate that the workaround doesn't fix the fundamental cause, and in any case I don't think it works for arches with hard-coded output registers for division.
I suspect that the change above "works" by decreasing register pressure and preventing creation of the constant pool, which seems necessary to trigger the bug.
Incidentally the original patch probably increases register pressure (and possibly constant pool creation) by adding the additional MIRType::Value case for the bitwise op result types, which will result in more box/unbox ops, more live values, and thus perhaps triggering the bug in the same way.
Could something about the VFP support in the simulator have always always been buggy in some way, with this change just making it show? E.g. perhaps the simulator+vfp clobbers more registers in an "sdiv" than it should have been doing? But is it possible for that to be the case?
Surely an Ion type analysis bug is more likely, given the nature of the patch. I will also take a look at this this week.
Comment 11•5 years ago
|
||
another possibly related commit found by git bisect for a test case using exponentiation: mozilla-central changeset 5b25886cfb64 (which added a cacheir operation for int32 division)
$ ./js --fuzzing-safe --ion-eager --no-threads -e 'z=[[],1];for(var j=0;j<2;++j){for(var k=0;k<3;++k){print(((x, y) => (y?1:(x**1))&&(x/1))(z[j],z[k]));}}'
0
0
0
1
1
1
$ ./js --fuzzing-safe --ion-eager --no-threads --arm-hwcap=vfp -e 'z=[[],1];for(var j=0;j<2;++j){for(var k=0;k<3;++k){print(((x, y) => (y?1:(x**1))&&(x/1))(z[j],z[k]));}}'
0
0
0
1
1
0
configure flags: --target=i686-pc-linux --enable-simulator=arm --enable-more-deterministic --enable-debug --disable-optimize --disable-tests --enable-ccache
Reporter | ||
Comment 12•5 years ago
|
||
That's pointing to a commit by Matthew -> setting needinfo? from him.
Comment 13•5 years ago
|
||
I just want to toss out Bug 1519077 as being potentially related, though all I have done so far is read the comments.
The specific thing that makes me think this is the Try'd patch in Comment 10; Bug 1519077 is addressing the fact that we can clobber input registers, which is a problem in a fallible IC if we need to reset the state.
I'll take a closer look at this later to see, and try the patch as well. Leaving ni? to make sure I do it.
Comment 14•5 years ago
|
||
Ok, so the patch attached to Bug 1519077 does not resolve the differences in Comment 11 in my local testing.
This does feel more like an issue with the CacheIR stubs than an Ion type analysis Bug IMO. My gut (and a bit of printf debugging to make sure I'm on the right arm of the branch) says the bug should be in here: https://searchfox.org/mozilla-central/rev/9eb30227b21e0aa40d51d9f9b08bb0b113c5fadb/js/src/jit/arm/MacroAssembler-arm.cpp#5707-5728
The printf gives me this:
./dist/bin/js --arm-hwcap=vfp --fuzzing-safe --ion-eager --no-threads -e 'z=[[],1];for(var j=0;j<2;++j){for(var k=0;k<3;++k){print(((x, y) => (y?1:(x**1))&&(x/1))(z[j],z[k]));}}'
0
0
0
(noidiv) rhs: r1, lhsOutput r2, remOutput r10
1
(noidiv) rhs: r5, lhsOutput r2, remOutput r0
1
0
(It's perhaps notable that register assignment is the same without arm-hwcap=vfp, except we'll use the other branch of the if-else there).
I'm at EOD here, so dumping this info lest someone else get a chance to look at this before I do.
Assignee | ||
Comment 15•5 years ago
|
||
(In reply to Matthew Gaudet (he/him) [:mgaudet] from comment #14)
Ok, so the patch attached to Bug 1519077 does not resolve the differences in Comment 11 in my local testing.
This does feel more like an issue with the CacheIR stubs than an Ion type analysis Bug IMO. My gut (and a bit of printf debugging to make sure I'm on the right arm of the branch) says the bug should be in here: https://searchfox.org/mozilla-central/rev/9eb30227b21e0aa40d51d9f9b08bb0b113c5fadb/js/src/jit/arm/MacroAssembler-arm.cpp#5707-5728
The printf gives me this:
./dist/bin/js --arm-hwcap=vfp --fuzzing-safe --ion-eager --no-threads -e 'z=[[],1];for(var j=0;j<2;++j){for(var k=0;k<3;++k){print(((x, y) => (y?1:(x**1))&&(x/1))(z[j],z[k]));}}' 0 0 0 (noidiv) rhs: r1, lhsOutput r2, remOutput r10 1 (noidiv) rhs: r5, lhsOutput r2, remOutput r0 1 0
Excellent sleuthing!!
Specifically I think it's here:
https://searchfox.org/mozilla-central/rev/9eb30227b21e0aa40d51d9f9b08bb0b113c5fadb/js/src/jit/arm/MacroAssembler-arm.cpp#5722
If remOutput is r0, then that's the same as RegisterOutputVal0; but the code does this:
mov(ReturnRegVal1, remOutput);
mov(ReturnRegVal0, lhsOutput);
which is
mov(r1, r0);
mov(r0, lhsOutput);
I.e. the shuffle clobbers one of the return registers.
Assignee | ||
Comment 16•5 years ago
|
||
I'll see what I can do to poke the MoveResolver into submission.
Assignee | ||
Comment 17•5 years ago
|
||
Assignee | ||
Comment 18•5 years ago
|
||
Clearing needinfo? from mgaudet; review is welcome though!
Comment 19•5 years ago
|
||
Hah -- I came in here to drop a link to the ScopedMoveResolution as a possible solution. I think I might like yours better tho!
Only halfway into my first cup of coffee, so I'll refrain from reviewing in more detail just yet.
Assignee | ||
Comment 20•5 years ago
|
||
Bug seems to originate in https://bugzilla.mozilla.org/show_bug.cgi?id=1438727, which first appeared in FF63. Probably we will want to backport to FF66 and F65.
Reporter | ||
Updated•5 years ago
|
Assignee | ||
Comment 21•5 years ago
|
||
Set checkin-needed for ff67 but I don't know what's needed for ff65 / ff66, can someone take care of that please? Tx in advance :)
Comment 22•5 years ago
|
||
Pushed by rvandermeulen@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c9f9e4c965cf
Fix shuffling of two-valued return on ARM r=jandem
Updated•5 years ago
|
Comment 23•5 years ago
|
||
bugherder |
Comment 24•5 years ago
|
||
ni? myself to remind me to prepare backport patches and request approval.
Comment 25•5 years ago
|
||
Beta/Release Uplift Approval Request
Feature/Bug causing the regression
User impact if declined
Potential wrong output or crashes
Is this code covered by automated tests?
Yes
Has the fix been verified in Nightly?
Yes
Needs manual test from QE?
No
If yes, steps to reproduce
List of other uplifts needed
None
Risk to taking this patch
Low
Why is the change risky/not risky? (and alternatives if risky)
Change has been tested on nightly, and simplifies handling of an edge case, while correcting an error.
String changes made/needed
None
Comment 26•5 years ago
|
||
Note, the landed rev c9f9e4c965cf grafts cleanly onto beta and release; uploaded the patch mostly to get access to the beta form.
I haven't requested release approval because I don't think this patch hits the bar for a release backport, however, I do note that it will graft cleanly onto release so we can do that easily if desired.
Comment 27•5 years ago
|
||
Comment on attachment 9042966 [details] [diff] [review] Bug1523515.beta.patch Fix for potential crashes (found by fuzzing). Let's uplift for beta 8.
Comment 28•5 years ago
|
||
bugherder uplift |
Updated•5 years ago
|
Description
•