1567327 - Assertion failure: !used(), at js/src/jit/Label.h:86 with Baseline Interpreter

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect, P1)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

The following testcase crashes on mozilla-central revision 0b014ee5cd51 (build with --enable-debug --enable-simulator=arm64, run with --fuzzing-safe --wasm-compiler=ion --test-wasm-await-tier2 --no-sse4 --ion-optimization-levels=off --ion-full-warmup-threshold=1500 --ion-instruction-reordering=on --ion-warmup-threshold=0 --ion-check-range-analysis --ion-range-analysis=off --ion-edgecase-analysis=on --ion-osr=off --ion-gvn=off --blinterp --blinterp-eager --more-compartments --no-streams --spectre-mitigations=on --gc-zeal=25,378):

See attachment.

Backtrace:

#0  js::jit::Label::~Label (this=<optimized out>) at js/src/jit/Label.h:86
#1  js::jit::BaselineCodeGen<js::jit::BaselineInterpreterHandler>::emitDebugInstrumentation<js::jit::BaselineCodeGen<js::jit::BaselineInterpreterHandler>::emit_JSOP_RECREATELEXICALENV()::{lambda()#1}, js::jit::BaselineCodeGen<js::jit::BaselineInterpreterHandler>::emit_JSOP_RECREATELEXICALENV()::{lambda()#2}>(js::jit::BaselineCodeGen<js::jit::BaselineInterpreterHandler>::emit_JSOP_RECREATELEXICALENV()::{lambda()#1} const&, mozilla::Maybe<js::jit::BaselineCodeGen<js::jit::BaselineInterpreterHandler>::emit_JSOP_RECREATELEXICALENV()::{lambda()#2}> const&) (this=0x7fa1b78ac5d8, ifDebuggee=..., ifNotDebuggee=...) at js/src/jit/BaselineCompiler.cpp:4983
/snip

For detailed crash information, see attachment.

This is very hard to reproduce and to reduce, most of the time other Assertion failures involving [unhandlable oom] pop up instead. (Be sure to set the top of the testcase to your m-c repo dir) This likely happened after turning on fuzzing Baseline Interpreter, so setting needinfo? from Jan as a start.

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: Detailed Crash Information

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: Testcase

Comment 3

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: Another stack

Another stack with a 32-bit debug deterministic shell build, was run with --fuzzing-safe --wasm-compiler=ion --no-asmjs --ion-full-warmup-threshold=100 --ion-extra-checks --ion-warmup-threshold=0 --ion-range-analysis=off --ion-inlining=off --blinterp --blinterp-eager --blinterp-warmup-threshold=0 --more-compartments --cpu-count=29 --gc-zeal=7,332 --no-native-regexp on m-c rev ca1dbd076e1e

Comment 4

[Jan de Mooij [:jandem]]

Harmless OOM bug. I'll hold off on this a bit so I can fix it on top of some in-flight patches. Basically in BaselineCodeGen.h we need to use NonAssertingLabel instead of Label and I think addDebugInstrumentationOffset needs to ReportOutOfMemory.

Comment 5

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

(In reply to Jan de Mooij [:jandem] from comment #4)

Harmless OOM bug. I'll hold off on this a bit so I can fix it on top of some in-flight patches. Basically in BaselineCodeGen.h we need to use NonAssertingLabel instead of Label and I think addDebugInstrumentationOffset needs to ReportOutOfMemory.

Jan, any updates since your comment a month ago?

Comment 6

[Jan de Mooij [:jandem]]

Attachment: Bug 1567327 - Fix some OOM issues when generating BaselineInterpreter code. r?iain!

• Use NonAssertingLabel in BaselineInterpreterHandler, similar to BaselineCodeGen fields.
• Make addDebugInstrumentationOffset report OOM.

No test case because the fuzz test is huge and this patch is based on the stack traces.

Comment 7

[Pulsebot]

Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f9a2b4ea4b1f
Fix some OOM issues when generating BaselineInterpreter code. r=iain

Comment 8

[Natalia Csoregi [:nataliaCs]]

https://hg.mozilla.org/mozilla-central/rev/f9a2b4ea4b1f

Comment 9

[BugBot [:suhaib / :marco/ :calixte]]

Since the status are different for nightly and release, what's the status for beta?
For more information, please visit auto_nag documentation.