Assertion failure: cx_->hadNondeterministicException(), at js/src/jit/WarpOracle.cpp:189
Categories
(Core :: JavaScript Engine: JIT, defect, P3)
Tracking
()
People
(Reporter: decoder, Assigned: iain)
References
(Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])
Attachments
(3 files)
The following testcase crashes on mozilla-central revision 20211214-51773d1ab7b5 (debug build, run with --fuzzing-safe --no-threads --fast-warmup):
for (let v3 = 0; v3 < 100; v3++) {
function v4(v5,v6) {}
function v7(v8,v9) {
v14 = BigInt(-1.7976931348623157e+308);
try {
v15 = BigInt.asUintN(639625512,v14);
} catch(v17) {}
}
v18 = v4.prototype;
v18.b = v7;
v19 = new v4();
v20 = v19.b();
}
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x00005555577dae38 in js::jit::WarpOracle::createSnapshot() ()
#1 0x0000555557aa0e26 in js::jit::CreateWarpSnapshot(JSContext*, js::jit::MIRGenerator*, JS::Handle<JSScript*>) ()
#2 0x0000555557a817fd in js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*) ()
#3 0x0000555557a823f9 in IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned char*) ()
#4 0x0000555557a82bba in js::jit::IonCompileScriptForBaselineOSR(JSContext*, js::jit::BaselineFrame*, unsigned int, unsigned char*, js::jit::IonOsrTempData**) ()
[...]
#8 0x0000000000000000 in ?? ()
rax 0x55555572abf5 93824994159605
rbx 0x0 0
rcx 0x5555581c3f90 93825038827408
rdx 0x0 0
rsi 0x7ffff7105770 140737338431344
rdi 0x7ffff7104540 140737338426688
rbp 0x7fffffffb8e0 140737488337120
rsp 0x7fffffffb840 140737488336960
r8 0x7ffff7105770 140737338431344
r9 0x7ffff7f99840 140737353717824
r10 0x0 0
r11 0x0 0
r12 0x7ffff60194a0 140737320686752
r13 0x7fffffffb900 140737488337152
r14 0x7ffff5a26f78 140737314451320
r15 0xaacbb5db 2865477083
rip 0x5555577dae38 <js::jit::WarpOracle::createSnapshot()+1528>
=> 0x5555577dae38 <_ZN2js3jit10WarpOracle14createSnapshotEv+1528>: movl $0xbd,0x0
0x5555577dae43 <_ZN2js3jit10WarpOracle14createSnapshotEv+1539>: callq 0x555556b603b3 <abort>
Reporter | ||
Comment 1•2 years ago
|
||
Reporter | ||
Comment 2•2 years ago
|
||
Comment 3•2 years ago
|
||
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20211214094205-4243f988e94a.
The bug appears to have been introduced in the following build range:
Start: 1add9a1bbfacd4ff1bee961fa8886b8cd0566d23 (20210227094458)
End: 80f5cb43d64e45bad9247216faa6553d836e53fe (20210227004609)
Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=1add9a1bbfacd4ff1bee961fa8886b8cd0566d23&tochange=80f5cb43d64e45bad9247216faa6553d836e53fe
Comment hidden (obsolete) |
Comment 5•2 years ago
|
||
That bisect range is showing up on hg.mozilla.org as am empty set. The fromchange
and tochange
parameters appear to be backwards?
Having said that, if you flip the parameters, the range is definitely weird: I'm not seeing any JS engine changes in that range at all. non-determinism leading to a bad bisect perhaps?
Updated•2 years ago
|
Comment 7•2 years ago
|
||
(In reply to Matthew Gaudet (he/him) [:mgaudet] from comment #5)
That bisect range is showing up on hg.mozilla.org as am empty set. The
fromchange
andtochange
parameters appear to be backwards?Having said that, if you flip the parameters, the range is definitely weird: I'm not seeing any JS engine changes in that range at all. non-determinism leading to a bad bisect perhaps?
This looks like bugmon is failing to report the range properly when one revision is from mozilla-central and the other is from autoland. Setting the repo to mozilla-central reveals:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=1add9a1bbfacd4ff1bee961fa8886b8cd0566d23&tochange=80f5cb43d64e45bad9247216faa6553d836e53fe
Could it possibly be bug 1694600?
Assignee | ||
Comment 8•2 years ago
|
||
It makes sense that the patch in bug 1694600 that improved the precision of bailout loop detection would make this start to fail. The underlying issue predates that bug, though: it's the same basic issue as this comment on bug 1720032.
We attach an IC for the call to BigInt.asUintN. That IC makes a VM call, which throws because the result would have too many digits. As a result, we don't hit the SetGName for v15 =
. When we warp-compile this code, we transpile the AsUintN call, and generate an unconditional bail for the SetGName, because it's never been reached. The optimizer sees that we won't use the result of the AsUintN call without bailing, and optimizes it away.
Therefore, instead of trying to allocate an oversized BigInt and throwing, the warp script hits the unconditional bailout for the SetGName. We resume at the beginning of the try block, enter the IC, and throw again. We still don't hit the SetGName, so when we recompile, the CacheIR is the same. We detect a bailout loop and assert.
We have a similar known issue with string concatenation, where Ion optimizes away allocations and doesn't throw, but it can't cause bailout loop issues like we see here because we won't attach an IC unless the string concatenation has already succeeded, so the subsequent code will execute at least once.
I think the reasonable fixes for this are to either skip attaching call ICs for inlinable natives if the call throws an exception, or to decide that (just like OOM and stack overflow) we're not interested in bailout loops that involve hitting implementation-defined limits, and treat allocation overflow as a nondeterministic exception that disables bailout loop checks.
Updated•2 years ago
|
Comment 9•2 years ago
|
||
Set release status flags based on info from the regressing bug 1694600
Updated•2 years ago
|
Assignee | ||
Comment 11•2 years ago
|
||
The testcase triggers a bailout loop in the bigint case. It's not possible to write an equivalent testcase for string concatenation, because we don't attach a stub unless the concatenation succeeds.
I've also verified that this prints a message for the fuzzer in all the differential testcases I could find.
Updated•2 years ago
|
Comment 12•2 years ago
|
||
Pushed by iireland@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/539e8e6bc09d Treat oversized string/bigint allocations as nondeterministic r=jandem
Comment 13•2 years ago
|
||
bugherder |
Comment 14•2 years ago
|
||
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220114045818-344f14b85f84.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Updated•2 years ago
|
Description
•