Crash [@ js::jit::CompileRuntime::mainContextPtr] with asm.js
Categories: Core :: Javascript: WebAssembly, defect
People: Reporter: decoder, Assigned: jseward
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] (4 keywords)
Attachments (1 file, 1 obsolete file): patch, 744 bytes, jandem: feedback+
The following testcase crashes on mozilla-central revision 3e0cf2f77f07 (built with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):
enableOsiPointRegisterChecks();
evalInWorker(`
  function DiagModule(stdlib, foreign) {
    "use asm";
    function diag() {
      while(1) {}
    }
    return {};
  }
`);
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 js::jit::CompileRuntime::mainContextPtr (this=0x0) at js/src/jit/CompileWrappers.cpp:70
#1 0x000055555637ddde in js::jit::MacroAssembler::loadJSContext (this=this@entry=0x7ffff68f9320, dest=dest@entry=...) at js/src/jit/MacroAssembler.cpp:1775
#2 0x00005555561108e2 in js::jit::MacroAssembler::loadJitActivation (dest=..., this=0x7ffff68f9320) at js/src/jit/MacroAssembler.h:2517
#3 js::jit::CodeGeneratorShared::resetOsiPointRegs (this=this@entry=0x7ffff68f9e00, safepoint=<optimized out>) at js/src/jit/shared/CodeGenerator-shared.cpp:1336
#4 0x0000555556220b8d in js::jit::CodeGenerator::generateBody (this=this@entry=0x7ffff68f9e00) at js/src/jit/CodeGenerator.cpp:5998
#5 0x00005555562230b6 in js::jit::CodeGenerator::generateWasm (this=this@entry=0x7ffff68f9e00, funcTypeId=..., trapOffset=..., argTypes=..., trapExitLayout=..., trapExitLayoutNumWords=16, offsets=0x7ffff68f8d60, stackMaps=0x7ffff5fbcc50) at js/src/jit/CodeGenerator.cpp:10565
#6 0x00005555564b9b69 in js::wasm::IonCompileFunctions (env=..., lifo=..., inputs=..., code=code@entry=0x7ffff5fbc958, error=error@entry=0x0) at js/src/wasm/WasmIonCompile.cpp:4239
#7 0x00005555564bee8a in ExecuteCompileTask (task=0x7ffff5fbc6b8, error=0x0) at js/src/wasm/WasmGenerator.cpp:716
#8 0x00005555564bf8bc in js::wasm::ModuleGenerator::locallyCompileCurrentTask (this=0x7ffff68faeb0) at js/src/wasm/WasmGenerator.cpp:755
#9 js::wasm::ModuleGenerator::finishFuncDefs (this=this@entry=0x7ffff68faeb0) at js/src/wasm/WasmGenerator.cpp:882
#10 0x000055555648359f in ModuleValidator<char16_t>::finish (this=this@entry=0x7ffff68fc250) at js/src/wasm/AsmJS.cpp:2162
#11 0x0000555556444348 in CheckModule<char16_t> (cx=cx@entry=0x7ffff4dbe000, parser=..., stmtList=stmtList@entry=0x7ffff5f98260, time=time@entry=0x7ffff68fc734) at js/src/wasm/AsmJS.cpp:6415
#12 0x0000555556444bd2 in DoCompileAsmJS<char16_t> (validated=0x7ffff68fc7e7, stmtList=0x7ffff5f98260, parser=..., cx=0x7ffff4dbe000) at js/src/wasm/AsmJS.cpp:7085
#13 js::CompileAsmJS (cx=0x7ffff4dbe000, parser=..., stmtList=0x7ffff5f98260, validated=validated@entry=0x7ffff68fc7e7) at js/src/wasm/AsmJS.cpp:7123
#14 0x0000555555eb79de in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::asmJS (this=0x7ffff68fe080, list=<optimized out>) at js/src/frontend/Parser.cpp:3280
#15 0x0000555555efe8ee in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::statementList (this=0x7ffff68fe080, yieldHandling=js::frontend::YieldIsName) at js/src/frontend/Parser.cpp:3448
#16 0x0000555555eff5b5 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::functionBody (this=this@entry=0x7ffff68fe080, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, kind=kind@entry=js::frontend::FunctionSyntaxKind::Statement, type=type@entry=js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::StatementListBody) at js/src/frontend/Parser.cpp:1835
#17 0x0000555555effdd8 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::functionFormalParametersAndBody (this=this@entry=0x7ffff68fe080, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, funNode=funNode@entry=0x7ffff68fca58, kind=kind@entry=js::frontend::FunctionSyntaxKind::Statement, parameterListEnd=..., isStandaloneFunction=false) at js/src/frontend/Parser.cpp:2992
#18 0x0000555555f00343 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::innerFunctionForFunctionBox (this=this@entry=0x7ffff68fe080, funNode=<optimized out>, funNode@entry=0x7ffff5f98060, outerpc=outerpc@entry=0x7ffff68fd360, funbox=funbox@entry=0x7ffff5f98130, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, kind=js::frontend::FunctionSyntaxKind::Statement, newDirectives=0x7ffff68fcff8) at js/src/frontend/Parser.cpp:2758
#19 0x0000555555f004a6 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::innerFunction (this=this@entry=0x7ffff68fe080, funNode=0x7ffff5f98060, outerpc=0x7ffff68fd360, fun=..., toStringStart=toStringStart@entry=1, inHandling=js::frontend::InAllowed, yieldHandling=js::frontend::YieldIsName, kind=js::frontend::FunctionSyntaxKind::Statement, generatorKind=js::GeneratorKind::NotGenerator, asyncKind=js::FunctionAsyncKind::SyncFunction, tryAnnexB=false, inheritedDirectives=..., newDirectives=0x7ffff68fcff8) at js/src/frontend/Parser.cpp:2792
#20 0x0000555555f005b0 in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::trySyntaxParseInnerFunction (this=this@entry=0x7ffff68fe080, funNode=funNode@entry=0x7ffff68fcfe8, fun=..., fun@entry=..., toStringStart=toStringStart@entry=1, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, kind=js::frontend::FunctionSyntaxKind::Statement, generatorKind=js::GeneratorKind::NotGenerator, asyncKind=js::FunctionAsyncKind::SyncFunction, tryAnnexB=false, inheritedDirectives=..., newDirectives=0x7ffff68fcff8) at js/src/frontend/Parser.cpp:2702
#21 0x0000555555f00be3 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::trySyntaxParseInnerFunction (newDirectives=0x7ffff68fcff8, inheritedDirectives=..., tryAnnexB=<optimized out>, asyncKind=js::FunctionAsyncKind::SyncFunction, generatorKind=js::GeneratorKind::NotGenerator, kind=js::frontend::FunctionSyntaxKind::Statement, yieldHandling=js::frontend::YieldIsName, inHandling=js::frontend::InAllowed, toStringStart=1, fun=..., funNode=0x7ffff68fcfe8, this=0x7ffff68fe080) at js/src/frontend/Parser.cpp:2738
#22 js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::functionDefinition (this=this@entry=0x7ffff68fe080, funNode=<optimized out>, toStringStart=toStringStart@entry=1, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, funName=..., funName@entry=..., kind=js::frontend::FunctionSyntaxKind::Statement, generatorKind=js::GeneratorKind::NotGenerator, asyncKind=js::FunctionAsyncKind::SyncFunction, tryAnnexB=false) at js/src/frontend/Parser.cpp:2593
#23 0x0000555555f01124 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::functionStmt (this=this@entry=0x7ffff68fe080, toStringStart=1, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, defaultHandling=defaultHandling@entry=js::frontend::NameRequired, asyncKind=asyncKind@entry=js::FunctionAsyncKind::SyncFunction) at js/src/frontend/Parser.cpp:3166
#24 0x0000555555efe3d1 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::statementListItem (this=this@entry=0x7ffff68fe080, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, canHaveDirectives=<optimized out>) at js/src/frontend/Parser.cpp:7761
#25 0x0000555555efe78c in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::statementList (this=this@entry=0x7ffff68fe080, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName) at js/src/frontend/Parser.cpp:3426
#26 0x0000555555f0fe8a in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::globalBody (this=0x7ffff68fe080, globalsc=globalsc@entry=0x7ffff68fe6b0) at js/src/frontend/Parser.cpp:1420
#27 0x0000555555f40470 in js::frontend::ScriptCompiler<char16_t>::compileScript (this=this@entry=0x7ffff68fdb70, info=..., environment=..., environment@entry=..., sc=sc@entry=0x7ffff68fe6b0) at js/src/frontend/BytecodeCompiler.cpp:538
#28 0x0000555555f331d4 in CreateGlobalScript<char16_t> (info=..., srcBuf=..., sourceObjectOut=sourceObjectOut@entry=0x0) at js/src/frontend/BytecodeCompiler.cpp:207
#29 0x0000555555f3337a in js::frontend::CompileGlobalScript (info=..., srcBuf=..., sourceObjectOut=sourceObjectOut@entry=0x0) at js/src/frontend/BytecodeCompiler.cpp:219
#30 0x0000555555a0cd75 in CompileSourceBuffer<char16_t> (cx=0x7ffff4dbe000, options=..., srcBuf=..., script=...) at js/src/vm/CompilationAndEvaluation.cpp:70
#31 0x00005555558637de in WorkerMain (input=<optimized out>) at js/src/shell/js.cpp:4024
[...]
#35 0x00007ffff6c2c41d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
rax 0x7ffff68f8d80 140737329991040
rbx 0x7ffff68f9320 140737329992480
rcx 0x50 80
rdx 0x6 6
rsi 0x0 0
rdi 0x0 0
rbp 0x7ffff68f87a0 140737329989536
rsp 0x7ffff68f8770 140737329989488
r8 0x0 0
r9 0x0 0
r10 0x7ffff5fbe540 140737320314176
r11 0x1 1
r12 0x0 0
r13 0x7ffff5fbe620 140737320314400
r14 0x2 2
r15 0x7ffff68f9e00 140737329995264
rip 0x5555561deb61 <js::jit::CompileRuntime::mainContextPtr()+1>
=> 0x5555561deb61 <js::jit::CompileRuntime::mainContextPtr()+1>: mov 0xa0(%rdi),%rax
0x5555561deb68 <js::jit::CompileRuntime::mainContextPtr()+8>: mov %rsp,%rbp
Marking s-s because the crash addresses for this issue vary. Also, this issue is currently happening with high frequency, marking as fuzzblocker.
Comment 1•2 years ago
Question is why we call into resetOsiPointRegs when compiling asm.js/wasm. It looks like maybe we have safepoints now as part of the GC work?
We could probably disable that code if we're compiling wasm, because bailouts/callVM are very Ion specific.
Comment 3•2 years ago (Assignee)
My initial reaction is that something is running across wasm safepoints
as created by LIRGeneratorShared::assignWasmSafepoint:
https://searchfox.org/mozilla-central/source/js/src/jit/shared/Lowering-shared.cpp#291
These lack an osiPoint_ field (I assume it remains null) and I'd guess
that the call from CodeGenerator::generateBody() to resetOsiPointRegs()
causes the latter to deref that null pointer.
Comment 4•2 years ago (Assignee)
[..] wasm safepoints as created by LIRGeneratorShared::assignWasmSafepoint:
[..] These lack an osiPoint_ field (I assume it remains null) [..]
Hmm, LSafepoint doesn't have osiPoint_. Red herring, perhaps. Somehow
I feel like it's related, though.
Comment 5•2 years ago
According to the stack trace in comment 0 we have a nullptr CompileRuntime* in the JitContext. That makes sense for Wasm compilation I think.
Comment 6•2 years ago (Assignee)
Based on Jan's comment 5, this at least stops the test case crashing.
Jan, does this seem like a plausible fix?
Comment 7•2 years ago
Is this just a null pointer crash in debug builds? Can we unhide this?
Comment 8•2 years ago
What is #ifdef CHECK_OSIPOINT_REGISTERS? It looks like that's only in debug, so this isn't a runtime fix?
Comment 9•2 years ago
Yes we can open this up.
Comment 10•2 years ago
Comment on attachment 9049233 [details] [diff] [review] patch Review of attachment 9049233 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/jit/CodeGenerator.cpp @@ +5993,5 @@ > blockCounts->visitInstruction(*iter); > } > > #ifdef CHECK_OSIPOINT_REGISTERS > + if (iter->safepoint() && GetJitContext()->runtime) { You could use IsCompilingWasm() here (defined only in debug but so is this code).
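Review bot: the guard `if (iter->safepoint() && GetJitContext()->runtime)` skips resetOsiPointRegs only because the CompileRuntime pointer happens to be null for wasm compilation, so it encodes an incidental property rather than the actual reason the check does not apply (wasm safepoints never go through bailouts/callVM, per comment 1). Use the explicit wasm predicate suggested in the review and add a one-line comment stating that the OSI-point register check is Ion-only, so a later change that gives wasm compilation a non-null runtime does not silently re-enable the crash.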
Comment 11•2 years ago (Assignee)
Baldr: in CodeGenerator::generateBody, don't call resetOsiPointRegs on
safepoints associated with Wasm code.
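The mechanism diagnosed in comments 1, 3 and 5 and the guard landed in comment 11, as an added C++ model that is not SpiderMonkey's code: the struct names, the `compilingWasm` flag (standing in for IsCompilingWasm()) and the instruction list are simplified stand-ins, and the null-runtime fault is reported as a return value instead of a segfault so both variants can run in one process.

```cpp
#include <vector>

// Simplified model, not SpiderMonkey's code: a JitContext whose
// CompileRuntime* is null while compiling wasm/asm.js (comment 5) and a
// code generator that resets OSI-point registers at every safepoint.
struct CompileRuntime {
  void* mainContext = nullptr;
  void* mainContextPtr() { return mainContext; }  // dereferences `this`
};
struct JitContext {
  CompileRuntime* runtime;  // nullptr during wasm compilation
  bool compilingWasm;       // stands in for IsCompilingWasm() (comment 10)
};
struct LInstruction { bool hasSafepoint; };
struct CodeGenerator {
  JitContext* cx;
  int resets = 0;
  // resetOsiPointRegs -> loadJitActivation -> loadJSContext ->
  // CompileRuntime::mainContextPtr (frames #0-#3); the null runtime is
  // reported as a failure instead of faulting, so a test can observe it.
  bool resetOsiPointRegs() {
    if (!cx->runtime) return false;  // the real code SIGSEGVs here
    (void)cx->runtime->mainContextPtr();
    ++resets;
    return true;
  }
  // Before the fix: every safepoint gets the reset, wasm included.
  bool generateBodyUnguarded(const std::vector<LInstruction>& body) {
    for (const LInstruction& ins : body)
      if (ins.hasSafepoint && !resetOsiPointRegs()) return false;
    return true;
  }
  // After the fix (comments 10 and 11): skip the Ion-only check for wasm,
  // whose safepoints never reach bailouts/callVM (comment 1).
  bool generateBodyGuarded(const std::vector<LInstruction>& body) {
    for (const LInstruction& ins : body)
      if (ins.hasSafepoint && !cx->compilingWasm && !resetOsiPointRegs())
        return false;
    return true;
  }
};
// Constructed body with one safepoint, like the `while(1) {}` loop in the
// testcase. Returns the number of resets performed, or -1 on the fault.
int runBody(bool wasm, bool guarded, CompileRuntime* rt) {
  JitContext jcx{rt, wasm};
  CodeGenerator cg{&jcx};
  std::vector<LInstruction> body = {{false}, {true}, {false}};
  bool ok = guarded ? cg.generateBodyGuarded(body) : cg.generateBodyUnguarded(body);
  return ok ? cg.resets : -1;
}
```

`runBody(true, false, nullptr)` reproduces the crash path, `runBody(true, true, nullptr)` shows the guard skipping it, and the Ion cases with a real runtime show the debug check still running where it belongs.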
Comment 12•2 years ago
Pushed by jseward@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/0a14e20db6a1 Crash [@ js::jit::CompileRuntime::mainContextPtr] with asm.js. r=jandem.
Comment 13•2 years ago
Backed out changeset 0a14e20db6a1 (bug 1533204) for spidermonkey failures at /regress/bug1533204.js on a CLOSED TREE.
Backout link: https://hg.mozilla.org/integration/mozilla-inbound/rev/85952c9c8c02e28de331622831432ef3c0f0d66a
Push with failures: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&resultStatus=testfailed%2Cbusted%2Cexception&selectedJob=233077512&revision=0a14e20db6a15ec557afd2d8e50b1cb30f468ca6
Log snippet:
[task 2019-03-11T11:51:58.462Z] TEST-PASS | js/src/jit-test/tests/wasm/regress/bug1533204.js | Success (code 0, args "--wasm-compiler=ion") [0.1 s]
[task 2019-03-11T11:51:58.468Z] TEST-PASS | js/src/jit-test/tests/wasm/regress/bug1533204.js | Success (code 0, args "--no-baseline --no-ion --more-compartments") [0.1 s]
[task 2019-03-11T11:51:58.472Z] /builds/worker/workspace/sm-package/mozjs-67.0a1.0/js/src/jit-test/tests/wasm/regress/bug1533204.js:2:1 Error: Can't create threads with --no-threads
[task 2019-03-11T11:51:58.472Z] Stack:
[task 2019-03-11T11:51:58.472Z] @/builds/worker/workspace/sm-package/mozjs-67.0a1.0/js/src/jit-test/tests/wasm/regress/bug1533204.js:2:1
[task 2019-03-11T11:51:58.472Z] Exit code: 3
[task 2019-03-11T11:51:58.472Z] FAIL - wasm/regress/bug1533204.js
[task 2019-03-11T11:51:58.472Z] TEST-UNEXPECTED-FAIL | js/src/jit-test/tests/wasm/regress/bug1533204.js | /builds/worker/workspace/sm-package/mozjs-67.0a1.0/js/src/jit-test/tests/wasm/regress/bug1533204.js:2:1 Error: Can't create threads with --no-threads (code 3, args "--ion-eager --ion-offthread-compile=off --ion-check-range-analysis --ion-extra-checks --no-sse3 --no-threads") [0.1 s]
[task 2019-03-11T11:51:58.473Z] INFO exit-status : 3
[task 2019-03-11T11:51:58.473Z] INFO timed-out : False
[task 2019-03-11T11:51:58.473Z] INFO stderr 2> /builds/worker/workspace/sm-package/mozjs-67.0a1.0/js/src/jit-test/tests/wasm/regress/bug1533204.js:2:1 Error: Can't create threads with --no-threads
[task 2019-03-11T11:51:58.473Z] INFO stderr 2> Stack:
[task 2019-03-11T11:51:58.473Z] INFO stderr 2> @/builds/worker/workspace/sm-package/mozjs-67.0a1.0/js/src/jit-test/tests/wasm/regress/bug1533204.js:2:1
[task 2019-03-11T11:51:58.477Z] TEST-PASS | js/src/jit-test/tests/wasm/regress/bug1533204.js | Success (code 0, args "--baseline-eager") [0.1 s]
[task 2019-03-11T11:51:58.481Z] TEST-PASS | js/src/jit-test/tests/wasm/regress/bug1533204.js | Success (code 0, args "--ion-eager --ion-offthread-compile=off --more-compartments") [0.1 s]
[task 2019-03-11T11:51:58.501Z] TEST-PASS | js/src/jit-test/tests/wasm/regress/bug1533204.js | Success (code 0, args "--wasm-compiler=baseline") [0.0 s]
[task 2019-03-11T11:51:58.517Z] TEST-PASS | js/src/jit-test/tests/wasm/regress/builtin-import-sigs.js | Success (code 0, args "") [0.1 s]
Comment 14•2 years ago (Assignee)
Ach, my bad. I committed the wrong version of the patch. Sorry!
Comment 15•2 years ago
Pushed by jseward@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/0dd9653849e2 Crash [@ js::jit::CompileRuntime::mainContextPtr] with asm.js. r=jandem.
Comment 16•2 years ago
bugherder