1533204 - Crash [@ js::jit::CompileRuntime::mainContextPtr] with asm.js

Status: RESOLVED FIXED

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 3e0cf2f77f07 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

enableOsiPointRegisterChecks();
evalInWorker(`
function DiagModule(stdlib, foreign) {
    "use asm";
    function diag() {
        while(1) {}
    }
    return {};
`);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  js::jit::CompileRuntime::mainContextPtr (this=0x0) at js/src/jit/CompileWrappers.cpp:70
#1  0x000055555637ddde in js::jit::MacroAssembler::loadJSContext (this=this@entry=0x7ffff68f9320, dest=dest@entry=...) at js/src/jit/MacroAssembler.cpp:1775
#2  0x00005555561108e2 in js::jit::MacroAssembler::loadJitActivation (dest=..., this=0x7ffff68f9320) at js/src/jit/MacroAssembler.h:2517
#3  js::jit::CodeGeneratorShared::resetOsiPointRegs (this=this@entry=0x7ffff68f9e00, safepoint=<optimized out>) at js/src/jit/shared/CodeGenerator-shared.cpp:1336
#4  0x0000555556220b8d in js::jit::CodeGenerator::generateBody (this=this@entry=0x7ffff68f9e00) at js/src/jit/CodeGenerator.cpp:5998
#5  0x00005555562230b6 in js::jit::CodeGenerator::generateWasm (this=this@entry=0x7ffff68f9e00, funcTypeId=..., trapOffset=..., argTypes=..., trapExitLayout=..., trapExitLayoutNumWords=16, offsets=0x7ffff68f8d60, stackMaps=0x7ffff5fbcc50) at js/src/jit/CodeGenerator.cpp:10565
#6  0x00005555564b9b69 in js::wasm::IonCompileFunctions (env=..., lifo=..., inputs=..., code=code@entry=0x7ffff5fbc958, error=error@entry=0x0) at js/src/wasm/WasmIonCompile.cpp:4239
#7  0x00005555564bee8a in ExecuteCompileTask (task=0x7ffff5fbc6b8, error=0x0) at js/src/wasm/WasmGenerator.cpp:716
#8  0x00005555564bf8bc in js::wasm::ModuleGenerator::locallyCompileCurrentTask (this=0x7ffff68faeb0) at js/src/wasm/WasmGenerator.cpp:755
#9  js::wasm::ModuleGenerator::finishFuncDefs (this=this@entry=0x7ffff68faeb0) at js/src/wasm/WasmGenerator.cpp:882
#10 0x000055555648359f in ModuleValidator<char16_t>::finish (this=this@entry=0x7ffff68fc250) at js/src/wasm/AsmJS.cpp:2162
#11 0x0000555556444348 in CheckModule<char16_t> (cx=cx@entry=0x7ffff4dbe000, parser=..., stmtList=stmtList@entry=0x7ffff5f98260, time=time@entry=0x7ffff68fc734) at js/src/wasm/AsmJS.cpp:6415
#12 0x0000555556444bd2 in DoCompileAsmJS<char16_t> (validated=0x7ffff68fc7e7, stmtList=0x7ffff5f98260, parser=..., cx=0x7ffff4dbe000) at js/src/wasm/AsmJS.cpp:7085
#13 js::CompileAsmJS (cx=0x7ffff4dbe000, parser=..., stmtList=0x7ffff5f98260, validated=validated@entry=0x7ffff68fc7e7) at js/src/wasm/AsmJS.cpp:7123
#14 0x0000555555eb79de in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::asmJS (this=0x7ffff68fe080, list=<optimized out>) at js/src/frontend/Parser.cpp:3280
#15 0x0000555555efe8ee in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::statementList (this=0x7ffff68fe080, yieldHandling=js::frontend::YieldIsName) at js/src/frontend/Parser.cpp:3448
#16 0x0000555555eff5b5 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::functionBody (this=this@entry=0x7ffff68fe080, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, kind=kind@entry=js::frontend::FunctionSyntaxKind::Statement, type=type@entry=js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::StatementListBody) at js/src/frontend/Parser.cpp:1835
#17 0x0000555555effdd8 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::functionFormalParametersAndBody (this=this@entry=0x7ffff68fe080, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, funNode=funNode@entry=0x7ffff68fca58, kind=kind@entry=js::frontend::FunctionSyntaxKind::Statement, parameterListEnd=..., isStandaloneFunction=false) at js/src/frontend/Parser.cpp:2992
#18 0x0000555555f00343 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::innerFunctionForFunctionBox (this=this@entry=0x7ffff68fe080, funNode=<optimized out>, funNode@entry=0x7ffff5f98060, outerpc=outerpc@entry=0x7ffff68fd360, funbox=funbox@entry=0x7ffff5f98130, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, kind=js::frontend::FunctionSyntaxKind::Statement, newDirectives=0x7ffff68fcff8) at js/src/frontend/Parser.cpp:2758
#19 0x0000555555f004a6 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::innerFunction (this=this@entry=0x7ffff68fe080, funNode=0x7ffff5f98060, outerpc=0x7ffff68fd360, fun=..., toStringStart=toStringStart@entry=1, inHandling=js::frontend::InAllowed, yieldHandling=js::frontend::YieldIsName, kind=js::frontend::FunctionSyntaxKind::Statement, generatorKind=js::GeneratorKind::NotGenerator, asyncKind=js::FunctionAsyncKind::SyncFunction, tryAnnexB=false, inheritedDirectives=..., newDirectives=0x7ffff68fcff8) at js/src/frontend/Parser.cpp:2792
#20 0x0000555555f005b0 in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::trySyntaxParseInnerFunction (this=this@entry=0x7ffff68fe080, funNode=funNode@entry=0x7ffff68fcfe8, fun=..., fun@entry=..., toStringStart=toStringStart@entry=1, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, kind=js::frontend::FunctionSyntaxKind::Statement, generatorKind=js::GeneratorKind::NotGenerator, asyncKind=js::FunctionAsyncKind::SyncFunction, tryAnnexB=false, inheritedDirectives=..., newDirectives=0x7ffff68fcff8) at js/src/frontend/Parser.cpp:2702
#21 0x0000555555f00be3 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::trySyntaxParseInnerFunction (newDirectives=0x7ffff68fcff8, inheritedDirectives=..., tryAnnexB=<optimized out>, asyncKind=js::FunctionAsyncKind::SyncFunction, generatorKind=js::GeneratorKind::NotGenerator, kind=js::frontend::FunctionSyntaxKind::Statement, yieldHandling=js::frontend::YieldIsName, inHandling=js::frontend::InAllowed, toStringStart=1, fun=..., funNode=0x7ffff68fcfe8, this=0x7ffff68fe080) at js/src/frontend/Parser.cpp:2738
#22 js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::functionDefinition (this=this@entry=0x7ffff68fe080, funNode=<optimized out>, toStringStart=toStringStart@entry=1, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, funName=..., funName@entry=..., kind=js::frontend::FunctionSyntaxKind::Statement, generatorKind=js::GeneratorKind::NotGenerator, asyncKind=js::FunctionAsyncKind::SyncFunction, tryAnnexB=false) at js/src/frontend/Parser.cpp:2593
#23 0x0000555555f01124 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::functionStmt (this=this@entry=0x7ffff68fe080, toStringStart=1, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, defaultHandling=defaultHandling@entry=js::frontend::NameRequired, asyncKind=asyncKind@entry=js::FunctionAsyncKind::SyncFunction) at js/src/frontend/Parser.cpp:3166
#24 0x0000555555efe3d1 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::statementListItem (this=this@entry=0x7ffff68fe080, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, canHaveDirectives=<optimized out>) at js/src/frontend/Parser.cpp:7761
#25 0x0000555555efe78c in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::statementList (this=this@entry=0x7ffff68fe080, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName) at js/src/frontend/Parser.cpp:3426
#26 0x0000555555f0fe8a in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::globalBody (this=0x7ffff68fe080, globalsc=globalsc@entry=0x7ffff68fe6b0) at js/src/frontend/Parser.cpp:1420
#27 0x0000555555f40470 in js::frontend::ScriptCompiler<char16_t>::compileScript (this=this@entry=0x7ffff68fdb70, info=..., environment=..., environment@entry=..., sc=sc@entry=0x7ffff68fe6b0) at js/src/frontend/BytecodeCompiler.cpp:538
#28 0x0000555555f331d4 in CreateGlobalScript<char16_t> (info=..., srcBuf=..., sourceObjectOut=sourceObjectOut@entry=0x0) at js/src/frontend/BytecodeCompiler.cpp:207
#29 0x0000555555f3337a in js::frontend::CompileGlobalScript (info=..., srcBuf=..., sourceObjectOut=sourceObjectOut@entry=0x0) at js/src/frontend/BytecodeCompiler.cpp:219
#30 0x0000555555a0cd75 in CompileSourceBuffer<char16_t> (cx=0x7ffff4dbe000, options=..., srcBuf=..., script=...) at js/src/vm/CompilationAndEvaluation.cpp:70
#31 0x00005555558637de in WorkerMain (input=<optimized out>) at js/src/shell/js.cpp:4024
[...]
#35 0x00007ffff6c2c41d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
rax	0x7ffff68f8d80	140737329991040
rbx	0x7ffff68f9320	140737329992480
rcx	0x50	80
rdx	0x6	6
rsi	0x0	0
rdi	0x0	0
rbp	0x7ffff68f87a0	140737329989536
rsp	0x7ffff68f8770	140737329989488
r8	0x0	0
r9	0x0	0
r10	0x7ffff5fbe540	140737320314176
r11	0x1	1
r12	0x0	0
r13	0x7ffff5fbe620	140737320314400
r14	0x2	2
r15	0x7ffff68f9e00	140737329995264
rip	0x5555561deb61 <js::jit::CompileRuntime::mainContextPtr()+1>
=> 0x5555561deb61 <js::jit::CompileRuntime::mainContextPtr()+1>:	mov    0xa0(%rdi),%rax
   0x5555561deb68 <js::jit::CompileRuntime::mainContextPtr()+8>:	mov    %rsp,%rbp

Marking s-s because the crash addresses for this issue vary. Also, this issue is currently happening with high frequency, marking as fuzzblocker.

Comment 1

[Jan de Mooij [:jandem]]

Question is why we call into resetOsiPointRegs when compiling asm.js/wasm. It looks like maybe we have safepoints now as part of the GC work?

https://searchfox.org/mozilla-central/rev/fbb251448feb7276f9b1d0a88f9c0cb1cd144ce4/js/src/jit/CodeGenerator.cpp#5997-5999

We could probably disable that code if we're compiling wasm, because bailouts/callVM are very Ion specific.

Comment 2

[Lars T Hansen [:lth]]

Julian, thoughts?

Comment 3

[Julian Seward [:jseward]]

My initial reaction is that something is running across wasm safepoints
as created by LIRGeneratorShared::assignWasmSafepoint:

https://searchfox.org/mozilla-central/source/js/src/jit/shared/Lowering-shared.cpp#291

These lack an osiPoint_ field (I assume it remains null) and I'd guess
that the call from CodeGenerator::generateBody() to resetOsiPointRegs()
causes the latter to deref that null pointer.

Comment 4

[Julian Seward [:jseward]]

[..] wasm safepoints as created by LIRGeneratorShared::assignWasmSafepoint:
[..] These lack an osiPoint_ field (I assume it remains null) [..]

Hmm, LSafepoint doesn't have osiPoint_. Red herring, perhaps. Somehow
I feel like it's related, though.

Comment 5

[Jan de Mooij [:jandem]]

According to the stack trace in comment 0 we have a nullptr CompileRuntime* in the JitContext. That makes sense for Wasm compilation I think.

Comment 6

[Julian Seward [:jseward]]

Attachment: patch

Based on Jan's comment 5, this at least stops the test case crashing.
Jan, does this seem like a plausible fix?

Comment 7

[Andrew McCreight [:mccr8]]

Is this just a null pointer crash in debug builds? Can we unhide this?

Comment 8

[Daniel Veditz [:dveditz]]

What is #ifdef CHECK_OSIPOINT_REGISTERS ? looks like that's only in debug, so this isn't a runtime fix?

Comment 9

[Jan de Mooij [:jandem]]

Yes we can open this up.

Comment 10

[Jan de Mooij [:jandem]]

Comment on attachment 9049233 [details] [diff] [review]
patch

Review of attachment 9049233 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jit/CodeGenerator.cpp
@@ +5993,5 @@
>          blockCounts->visitInstruction(*iter);
>        }
>  
>  #ifdef CHECK_OSIPOINT_REGISTERS
> +      if (iter->safepoint() && GetJitContext()->runtime) {

You could use IsCompilingWasm() here (defined only in debug but so is this code).

Comment 11

[Julian Seward [:jseward]]

Attachment: Bug 1533204 - Crash [@ js::jit::CompileRuntime::mainContextPtr] with asm.js.

Baldr: in CodeGenerator::generateBody, don't call resetOsiPointRegs on
safepoints associated with Wasm code.

Comment 12

[Pulsebot]

Pushed by jseward@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/0a14e20db6a1
Crash [@ js::jit::CompileRuntime::mainContextPtr] with asm.js.  r=jandem.

Comment 13

[Raul Gurzau (:RaulGurzau)]

Backed out changeset 0a14e20db6a1 (bug 1533204) for spidermonkey failures at /regress/bug1533204.js on a CLOSED TREE.

Backout link: https://hg.mozilla.org/integration/mozilla-inbound/rev/85952c9c8c02e28de331622831432ef3c0f0d66a

Push with failures: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&resultStatus=testfailed%2Cbusted%2Cexception&selectedJob=233077512&revision=0a14e20db6a15ec557afd2d8e50b1cb30f468ca6

Log link: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=233077512&repo=mozilla-inbound&lineNumber=154560

Log snippet:

[task 2019-03-11T11:51:58.462Z] TEST-PASS | js/src/jit-test/tests/wasm/regress/bug1533204.js | Success (code 0, args "--wasm-compiler=ion") [0.1 s]
[task 2019-03-11T11:51:58.468Z] TEST-PASS | js/src/jit-test/tests/wasm/regress/bug1533204.js | Success (code 0, args "--no-baseline --no-ion --more-compartments") [0.1 s]
[task 2019-03-11T11:51:58.472Z] /builds/worker/workspace/sm-package/mozjs-67.0a1.0/js/src/jit-test/tests/wasm/regress/bug1533204.js:2:1 Error: Can't create threads with --no-threads
[task 2019-03-11T11:51:58.472Z] Stack:
[task 2019-03-11T11:51:58.472Z] @/builds/worker/workspace/sm-package/mozjs-67.0a1.0/js/src/jit-test/tests/wasm/regress/bug1533204.js:2:1
[task 2019-03-11T11:51:58.472Z] Exit code: 3
[task 2019-03-11T11:51:58.472Z] FAIL - wasm/regress/bug1533204.js
[task 2019-03-11T11:51:58.472Z] TEST-UNEXPECTED-FAIL | js/src/jit-test/tests/wasm/regress/bug1533204.js | /builds/worker/workspace/sm-package/mozjs-67.0a1.0/js/src/jit-test/tests/wasm/regress/bug1533204.js:2:1 Error: Can't create threads with --no-threads (code 3, args "--ion-eager --ion-offthread-compile=off --ion-check-range-analysis --ion-extra-checks --no-sse3 --no-threads") [0.1 s]
[task 2019-03-11T11:51:58.473Z] INFO exit-status : 3
[task 2019-03-11T11:51:58.473Z] INFO timed-out : False
[task 2019-03-11T11:51:58.473Z] INFO stderr 2> /builds/worker/workspace/sm-package/mozjs-67.0a1.0/js/src/jit-test/tests/wasm/regress/bug1533204.js:2:1 Error: Can't create threads with --no-threads
[task 2019-03-11T11:51:58.473Z] INFO stderr 2> Stack:
[task 2019-03-11T11:51:58.473Z] INFO stderr 2> @/builds/worker/workspace/sm-package/mozjs-67.0a1.0/js/src/jit-test/tests/wasm/regress/bug1533204.js:2:1
[task 2019-03-11T11:51:58.477Z] TEST-PASS | js/src/jit-test/tests/wasm/regress/bug1533204.js | Success (code 0, args "--baseline-eager") [0.1 s]
[task 2019-03-11T11:51:58.481Z] TEST-PASS | js/src/jit-test/tests/wasm/regress/bug1533204.js | Success (code 0, args "--ion-eager --ion-offthread-compile=off --more-compartments") [0.1 s]
[task 2019-03-11T11:51:58.501Z] TEST-PASS | js/src/jit-test/tests/wasm/regress/bug1533204.js | Success (code 0, args "--wasm-compiler=baseline") [0.0 s]
[task 2019-03-11T11:51:58.517Z] TEST-PASS | js/src/jit-test/tests/wasm/regress/builtin-import-sigs.js | Success (code 0, args "") [0.1 s]

Comment 14

[Julian Seward [:jseward]]

Ach, my bad. I committed the wrong version of the patch. Sorry!

Comment 15

[Pulsebot]

Pushed by jseward@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/0dd9653849e2
Crash [@ js::jit::CompileRuntime::mainContextPtr] with asm.js.  r=jandem.

Comment 16

[Oana Pop-Rus]

https://hg.mozilla.org/mozilla-central/rev/0dd9653849e2