Closed Bug 1698330 Opened 4 years ago Closed 4 years ago

Cranelift regalloc OOM (was: AddressSanitizer: SEGV on unknown address 0x000000000000)

Categories

(Core :: JavaScript: WebAssembly, defect)

ARM64
macOS
defect

Tracking

RESOLVED DUPLICATE of bug 1609308
Tracking Status
firefox88 --- affected

People

(Reporter: gkw, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: testcase)

Attachments

(1 file)

Attached file testcase.wasm

This is testcase.wrapper; testcase.wasm is attached.

new WebAssembly.Module(read(scriptArgs[0], "binary"))
AddressSanitizer:DEADLYSIGNAL
=================================================================
==85639==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000102a95664 bp 0x000102a95250 sp 0x00016f509b10 T0)
==85639==The signal is caused by a UNKNOWN memory access.
==85639==Hint: address points to the zero page.
    #0 0x102a95664 in RustMozCrash+0x18 (js-64-asan-darwin-arm64-3813a83e0edd:arm64+0x1021ad664)

==85639==Register values:
 x[0] = 0x000000016f509d2a   x[1] = 0x000000000000005e   x[2] = 0x000000016f509b22   x[3] = 0x0000000000000040
 x[4] = 0x0000000000000000   x[5] = 0x0000000000000001   x[6] = 0x00000000000000be   x[7] = 0x0000000000000001
 x[8] = 0x0000000000000000   x[9] = 0x0000000104225000  x[10] = 0x0000000000000000  x[11] = 0x000000702dec13e5
x[12] = 0x0000000000000005  x[13] = 0x0000000000000004  x[14] = 0x0000000000000000  x[15] = 0x0000000000000000
x[16] = 0x0000000000000000  x[17] = 0x0000000000000000  x[18] = 0x0000000000000000  x[19] = 0x000000016f509d2a
x[20] = 0x000000000000005e  x[21] = 0x000000000000003b  x[22] = 0x0000000103c9f3df  x[23] = 0x000000000000005e
x[24] = 0x0000000000000001  x[25] = 0x0000000104019a38  x[26] = 0x000000016f50c7f0  x[27] = 0x000000016f50d498
x[28] = 0x0000007000020000  fp = 0x000000016f509b10  lr = 0x0000000102a95250  sp = 0x000000016f509b10
AddressSanitizer can not provide additional info.

Run with --fuzzing-safe --no-threads --ion-eager testcase.wrapper testcase.wasm, compile with AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 AR=ar sh ./configure --enable-address-sanitizer --disable-jemalloc --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests, tested on m-c rev 3813a83e0edd.

Not sure if this is s-s, I'd leave it to Lars (assuming this is WebAssembly-related). Seems to occur as far back as m-c rev 7a93da60be46, but it also seems intermittent prior to this.

Flags: sec-bounty?
Flags: needinfo?(lhansen)

On x64 macOS this exits with an OOM error, so at most this is platform=arm64.

Cranelift panic, not an NPE even:

  * frame #0: 0x00000001021abd30 js`RustMozCrash + 24
    frame #1: 0x00000001021abb9c js`mozglue_static::panic_hook::h965a8d46d428b6e2(info=<unavailable>) at lib.rs:89:9 [opt]
    frame #2: 0x00000001021ab90c js`core::ops::function::Fn::call::h66157ca44c02f4eb((null)=<unavailable>, (null)=<unavailable>) at function.rs:70:5 [opt]
    frame #3: 0x000000010247c7c4 js`std::panicking::rust_panic_with_hook::h140cbf507d3407f4 at panicking.rs:597:17 [opt]
    frame #4: 0x000000010247c374 js`std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::hb6a3220cf34e266a at panicking.rs:499:13 [opt]
    frame #5: 0x0000000102478798 js`std::sys_common::backtrace::__rust_end_short_backtrace::hd5353dc16fba6ea5 at backtrace.rs:141:18 [opt]
    frame #6: 0x000000010247c2dc js`rust_begin_unwind at panicking.rs:495:5 [opt]
    frame #7: 0x000000010252ec64 js`core::panicking::panic_fmt::h0333f3235caab578 at panicking.rs:92:14 [opt]
    frame #8: 0x000000010252ebbc js`core::option::expect_none_failed::hf9db8067790dbdba at option.rs:1268:5 [opt]
    frame #9: 0x000000010230eadc js`cranelift_codegen::machinst::compile::compile::h3003cfa4676a11fc at result.rs:933:23 [opt]
    frame #10: 0x000000010230eaac js`cranelift_codegen::machinst::compile::compile::h3003cfa4676a11fc(f=<unavailable>, b=<unavailable>, abi=<unavailable>, emit_info=<unavailable>) at compile.rs:77 [opt]
    frame #11: 0x00000001023d4fe4 js`_$LT$cranelift_codegen..isa..aarch64..AArch64Backend$u20$as$u20$cranelift_codegen..machinst..MachBackend$GT$::compile_function::h40489b5a5980ee4a at mod.rs:52:9 [opt]
    frame #12: 0x00000001023d4f60 js`_$LT$cranelift_codegen..isa..aarch64..AArch64Backend$u20$as$u20$cranelift_codegen..machinst..MachBackend$GT$::compile_function::h40489b5a5980ee4a(self=<unavailable>, func=<unavailable>, want_disasm=<unavailable>) at mod.rs:63 [opt]
    frame #13: 0x00000001023d643c js`cranelift_codegen::context::Context::compile::h10b69b3baf11d826(self=<unavailable>, isa=<unavailable>) at context.rs:197:26 [opt]
    frame #14: 0x00000001021d62a8 js`baldrdash::compile::BatchCompiler::compile::hfdac6634ed079b9c(self=0x0000000108f0c100, stackmaps=Stackmaps @ x21) at compile.rs:149:20 [opt]
    frame #15: 0x00000001021d8c68 js`cranelift_compile_function(compiler=0x0000000108f0c100, data=0x000000016fdfb0b0, result=0x000000016fdfb0f0, error=0x000000016fdfb170) at lib.rs:236:21 [opt]
    frame #16: 0x0000000101b611d4 js`js::wasm::CraneliftCompileFunctions(moduleEnv=<unavailable>, compilerEnv=<unavailable>, lifo=<unavailable>, inputs=<unavailable>, code=<unavailable>, error=<unavailable>) at WasmCraneliftCompile.cpp:562:10 [opt]
    frame #17: 0x0000000101b80398 js`ExecuteCompileTask(task=0x000000010aa06080, error=<unavailable>) at WasmGenerator.cpp:775:16 [opt]
    frame #18: 0x0000000101b80544 js`js::wasm::ModuleGenerator::locallyCompileCurrentTask(this=0x000000016fdfbe10) at WasmGenerator.cpp:831:8 [opt]
    frame #19: 0x0000000101b8171c js`js::wasm::ModuleGenerator::finishFuncDefs(this=<unavailable>) at WasmGenerator.cpp:969:24 [opt]
    frame #20: 0x0000000101ac9770 js`bool DecodeCodeSection<js::wasm::Decoder>(env=0x000000016fdfbb20, d=<unavailable>, mg=<unavailable>) at WasmCompile.cpp:678:13 [opt]
    frame #21: 0x0000000101ac8cc0 js`js::wasm::CompileBuffer(args=<unavailable>, bytecode=0x000000010920fc10, error=<unavailable>, warnings=<unavailable>, listener=<unavailable>) at WasmCompile.cpp:700:8 [opt]
    frame #22: 0x0000000101c03cac js`js::WasmModuleObject::construct(cx=<unavailable>, argc=<unavailable>, vp=0x000000016fdfd990) at WasmJS.cpp:1631:7 [opt]
    frame #23: 0x0000000100180b78 js`InternalConstruct(JSContext*, js::AnyConstructArgs const&) [inlined] CallJSNative(cx=0x000000010a504880, native=(js`js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*) at WasmJS.cpp:1597), reason=Call, args=0x000000016fdfd4f0)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) at Interpreter.cpp:435:13 [opt]
    frame #24: 0x000000010018097c js`InternalConstruct(JSContext*, js::AnyConstructArgs const&) [inlined] CallJSNativeConstructor(cx=<unavailable>, native=(js`js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*) at WasmJS.cpp:1597), args=0x000000016fdfd4f0)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) at Interpreter.cpp:451 [opt]
    frame #25: 0x000000010018097c js`InternalConstruct(cx=<unavailable>, args=0x000000016fdfd4f0) at Interpreter.cpp:624 [opt]
    frame #26: 0x000000010017fc00 js`js::ConstructFromStack(cx=<unavailable>, args=<unavailable>) at Interpreter.cpp:670:10 [opt] [artificial]
    frame #27: 0x000000010123c2ec js`js::jit::DoCallFallback(cx=0x000000010a504880, frame=<unavailable>, stub=0x000000010a026e40, argc=<unavailable>, vp=<unavailable>, res=<unavailable>) at BaselineIC.cpp:1821:10 [opt]
    frame #28: 0x00001070000349a0

To me this looks like a Cranelift OOM (my process manager shows the JS process grows past 4GB before it crashes), which we know to be poorly handled, or some other regalloc error. Either way it's a controlled error.

Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(lhansen)
Resolution: --- → DUPLICATE
Hardware: All → ARM64
Summary: AddressSanitizer: SEGV on unknown address 0x000000000000 → Cranelift regalloc OOM (was: AddressSanitizer: SEGV on unknown address 0x000000000000)
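The triage point in the comment above is that the ASan headline ("SEGV on unknown address 0x0") is not the real failure: frame #0 is RustMozCrash, which runs from the Rust panic hook after `.expect()` on the Cranelift regalloc result failed, and the Gecko crash routine deliberately faults on address 0. The following script is an added example (not from the bug report, not Mozilla fuzzing tooling) that applies that rule to sanitizer output. It parses the ASan excerpt from the report above plus a constructed heap-overflow report, and separates a deliberate abort from a real null dereference or memory-safety finding. The `DELIBERATE_ABORT_SYMBOLS` list and the `classify` function are my own assumptions.

```python
import re

# ASan excerpt copied from the bug report above: zero-page SEGV whose frame #0
# is RustMozCrash (the panic hook's deliberate crash), not a real null deref.
REPORT_FROM_BUG = """\
AddressSanitizer:DEADLYSIGNAL
=================================================================
==85639==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000102a95664 bp 0x000102a95250 sp 0x00016f509b10 T0)
==85639==The signal is caused by a UNKNOWN memory access.
==85639==Hint: address points to the zero page.
    #0 0x102a95664 in RustMozCrash+0x18 (js-64-asan-darwin-arm64-3813a83e0edd:arm64+0x1021ad664)
"""

# Constructed sample (not from the bug) so the other branches get exercised:
# a genuine heap overflow with an ordinary function as frame #0.
REPORT_CONSTRUCTED_OVERFLOW = """\
==12345==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eff4 at pc 0x000000400b2c bp 0x7ffd3f70 sp 0x7ffd3f68
WRITE of size 4 at 0x60200000eff4 thread T0
    #0 0x400b2b in DecodeSection /tmp/example.cpp:12:5
"""

# Symbols that mean "the process aborted itself on purpose" (assumed list;
# extend for your own tree). RustMozCrash is Gecko's Rust-side crash routine.
DELIBERATE_ABORT_SYMBOLS = {
    "RustMozCrash", "MOZ_Crash", "abort", "__abort", "raise", "__pthread_kill",
}

ERROR_RE = re.compile(
    r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on (?:unknown )?address "
    r"(?P<addr>0x[0-9a-fA-F]+)"
)
# First stack frame; the symbol may carry a "+0x18" offset and a "(module)" suffix.
FRAME0_RE = re.compile(r"^\s*#0 0x[0-9a-fA-F]+ in (?P<sym>[^\s(]+)", re.MULTILINE)


def classify(report: str) -> dict:
    """Classify one ASan report by its headline plus frame #0.

    verdicts:
      controlled-abort  frame #0 is a deliberate crash/abort routine; the SEGV
                        is the abort itself, so treat it as a panic/assert
      null-deref        SEGV with the faulting address in the zero page
      wild-access       SEGV elsewhere; possible memory corruption
      memory-safety     any non-SEGV ASan class (overflow, UAF, ...)
      unparsed          no recognisable ERROR line
    """
    m = ERROR_RE.search(report)
    if not m:
        return {"verdict": "unparsed"}
    kind = m.group("kind")
    addr = int(m.group("addr"), 16)
    f = FRAME0_RE.search(report)
    frame0 = f.group("sym").split("+")[0] if f else ""
    zero_page = addr < 0x1000

    if frame0 in DELIBERATE_ABORT_SYMBOLS:
        verdict = "controlled-abort"
    elif kind == "SEGV" and zero_page:
        verdict = "null-deref"
    elif kind == "SEGV":
        verdict = "wild-access"
    else:
        verdict = "memory-safety"
    return {
        "kind": kind,
        "address": addr,
        "zero_page": zero_page,
        "frame0": frame0,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, rep in (("bug report", REPORT_FROM_BUG),
                      ("constructed overflow", REPORT_CONSTRUCTED_OVERFLOW)):
        print(name, classify(rep))
```

For the report in this bug the verdict is `controlled-abort`: the address is in the zero page, but frame #0 is RustMozCrash, so the right next step is to read the Rust panic message and the frames above the hook (here `expect_none_failed` under `cranelift_codegen::machinst::compile`), not to chase a memory-safety bug. Only a zero-page SEGV whose frame #0 is ordinary code should be filed as a null dereference.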

Christian, can you open this one up?

Flags: needinfo?(choller)
Group: core-security
Flags: sec-bounty?
Flags: needinfo?(choller)