1652356 - Crash [@ js::AutoEnterOOMUnsafeRegion::AutoEnterOOMUnsafeRegion]

Status: RESOLVED WORKSFORME

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack

// Mixed in from js/src/jit-test/tests/regexp/huge-02.js
evalInWorker('RegExp(Array(1<<15).join("(") + Array(1<<15).join(")")).exec()');

Compiled using GCC 9.3.0 and Clang 9 with:

PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig 'CC="clang -m32 -msse2 -mfpmath=sse"' 'CXX="clang++ -m32 -msse2 -mfpmath=sse"' AR=ar sh ./configure --target=i686-pc-linux --enable-debug --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

Run with:

--fuzzing-safe --ion-offthread-compile=off --ion-eager --no-baseline

Tested on m-c rev bd511bc456e4.

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/ee1018a8611a
user:        Iain Ireland
date:        Sun May 10 16:00:26 2020 +0000
summary:     Bug 1634135: Turn new regexp engine on by default in Nightly r=mgaudet

Highly unlikely this is bad, but I'll defer to Iain.

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Stack as a comment:

0x57eeb4b5 in js::AutoEnterOOMUnsafeRegion::AutoEnterOOMUnsafeRegion (this=0xf4fc0030) at /home/skygentoo/shell-cache/js-dbg-32-linux-x86_64-bd511bc456e4/objdir-js/dist/include/js/Utility.h:342
342	in /home/skygentoo/shell-cache/js-dbg-32-linux-x86_64-bd511bc456e4/objdir-js/dist/include/js/Utility.h
(gdb) bt
#0  0x57eeb4b5 in js::AutoEnterOOMUnsafeRegion::AutoEnterOOMUnsafeRegion (this=0xf4fc0030) at /home/skygentoo/shell-cache/js-dbg-32-linux-x86_64-bd511bc456e4/objdir-js/dist/include/js/Utility.h:342
#1  0x588ec07b in v8::internal::Zone::New (this=0xf50fc5f8, size=60) at /home/skygentoo/trees/mozilla-central/js/src/irregexp/util/ZoneShim.h:28
#2  0x588ef1b8 in v8::internal::ZoneObject::operator new (size=60, zone=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/irregexp/util/ZoneShim.h:54
#3  v8::internal::ActionNode::StorePosition (reg=53977, is_capture=<optimized out>, on_success=0xf430f380) at /home/skygentoo/trees/mozilla-central/js/src/irregexp/imported/regexp-compiler.cc:636
#4  0x58914916 in v8::internal::RegExpCapture::ToNode (body=0xf4bc7a70, index=<optimized out>, compiler=<optimized out>, on_success=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/irregexp/imported/regexp-compiler-tonode.cc:934
#5  v8::internal::RegExpCapture::ToNode (this=0xf4bc7a48, compiler=0xf50fc688, on_success=0xf430f380) at /home/skygentoo/trees/mozilla-central/js/src/irregexp/imported/regexp-compiler-tonode.cc:924
#6  0x58914926 in v8::internal::RegExpCapture::ToNode (body=0xf4bc7a48, index=<optimized out>, compiler=<optimized out>, on_success=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/irregexp/imported/regexp-compiler-tonode.cc:935
#7  v8::internal::RegExpCapture::ToNode (this=0xf4bc7a20, compiler=0xf50fc688, on_success=0xf430f330) at /home/skygentoo/trees/mozilla-central/js/src/irregexp/imported/regexp-compiler-tonode.cc:924
#8  0x58914926 in v8::internal::RegExpCapture::ToNode (body=0xf4bc7a20, index=<optimized out>, compiler=<optimized out>, on_success=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/irregexp/imported/regexp-compiler-tonode.cc:935
#9  v8::internal::RegExpCapture::ToNode (this=0xf4bc79f8, compiler=0xf50fc688, on_success=0xf430f2e0) at /home/skygentoo/trees/mozilla-central/js/src/irregexp/imported/regexp-compiler-tonode.cc:924
#10 0x58914926 in v8::internal::RegExpCapture::ToNode (body=0xf4bc79f8, index=<optimized out>, compiler=<optimized out>, on_success=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/irregexp/imported/regexp-compiler-tonode.cc:935
#11 v8::internal::RegExpCapture::ToNode (this=0xf4bc79d0, compiler=0xf50fc688, on_success=0xf430f290) at /home/skygentoo/trees/mozilla-central/js/src/irregexp/imported/regexp-compiler-tonode.cc:924
#12 0x58914926 in v8::internal::RegExpCapture::ToNode (body=0xf4bc79d0, index=<optimized out>, compiler=<optimized out>, on_success=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/irregexp/imported/regexp-compiler-tonode.cc:935
#13 v8::internal::RegExpCapture::ToNode (this=0xf4bc79a8, compiler=0xf50fc688, on_success=0xf430f240) at /home/skygentoo/trees/mozilla-central/js/src/irregexp/imported/regexp-compiler-tonode.cc:924
#14 0x58914926 in v8::internal::RegExpCapture::ToNode (body=0xf4bc79a8, index=<optimized out>, compiler=<optimized out>, on_success=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/irregexp/imported/regexp-compiler-tonode.cc:935
/snip

Comment 2

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1634135

Comment 3

[Iain Ireland [:iain]]

Thanks for the report, Gary, but your suspicion is correct. This is the intended behaviour.

Irregexp does not handle OOM internally. Instead of rewriting the entire engine to add OOM failure paths, we just mark all allocations as OOM-unsafe. Note that this is not a web-compat issue, because we're running the same code as Chrome and should only crash in cases where V8 would also crash.

(This is a small part of my ongoing quest to remove small-OOM recovery from SM.)

Comment 4

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

bounty- due to intended behavior