Closed Bug 1764737 Opened 3 years ago Closed 3 years ago

Crash [@ js::ModuleBuilder::processExportFrom(js::frontend::BinaryNode*)] with OOM

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
101 Branch
Tracking Flags:
Tracking Status
firefox-esr91 --- unaffected
firefox99 --- wontfix
firefox100 --- wontfix
firefox101 --- verified

People

(Reporter: decoder, Assigned: jon4t4n)

References

(Regression)

Details

(Keywords: crash, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Crash Data

Attachments

(3 files)

Detailed Crash Information
2.59 KB, text/plain
Details
Testcase
122 bytes, text/plain
Details
Bug 1764737 - Add missing OOM checks in GeneralParser<ParseHandler, Unit>::exportFrom. r=mgaudet
48 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision 20220414-6c55ba30c858 (debug build, run with --fuzzing-safe --ion-offthread-compile=off):

function r(src) {
  oomTest(function() {
      parseModule(src);
  });
}
r("export * from 'y';");
r("export * from 'y';");

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000555556d86182 in js::ModuleBuilder::processExportFrom(js::frontend::BinaryNode*) ()
#0  0x0000555556d86182 in js::ModuleBuilder::processExportFrom(js::frontend::BinaryNode*) ()
#1  0x00005555573f92d3 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::exportFrom(unsigned int, js::frontend::ParseNode*) ()
#2  0x00005555573f96b7 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::exportBatch(unsigned int) ()
#3  0x00005555573f1590 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::exportDeclaration() ()
#4  0x00005555573ebbef in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::statementListItem(js::frontend::YieldHandling, bool) ()
#5  0x00005555573e9885 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::statementList(js::frontend::YieldHandling) ()
#6  0x00005555574212de in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::moduleBody(js::frontend::ModuleSharedContext*) ()
#7  0x000055555746e2c6 in ModuleCompiler<char16_t>::compile(JSContext*) ()
#8  0x000055555746dd93 in bool ParseModuleToStencilAndMaybeInstantiate<char16_t>(JSContext*, js::frontend::CompilationInput&, JS::SourceText<char16_t>&, mozilla::Variant<mozilla::UniquePtr<js::frontend::ExtensibleCompilationStencil, JS::DeletePolicy<js::frontend::ExtensibleCompilationStencil> >, RefPtr<js::frontend::CompilationStencil>, js::frontend::CompilationGCOutput*>&) ()
#9  0x0000555557437aa9 in js::frontend::CompileModule(JSContext*, JS::ReadOnlyCompileOptions const&, JS::SourceText<char16_t>&) ()
#10 0x0000555556b690fe in ParseModule(JSContext*, unsigned int, JS::Value*) ()
#11 0x00003743e66c80df in ?? ()
#12 0x0000000000000008 in ?? ()
#13 0x00007fffffffb630 in ?? ()
#14 0x0000000000000000 in ?? ()
rax	0x7ffff4f03128	140737302769960
rbx	0x7fffffffa138	140737488331064
rcx	0x0	0
rdx	0x7ffff4f030f8	140737302769912
rsi	0x7ffff4f03160	140737302770016
rdi	0x5555558e8830	93824995985456
rbp	0x7fffffff9930	140737488329008
rsp	0x7fffffff9860	140737488328800
r8	0x11	17
r9	0x7fffffffae28	140737488334376
r10	0x2	2
r11	0x7ffff6ed3f90	140737336131472
r12	0x7ffff4f03128	140737302769960
r13	0x7ffff4f03160	140737302770016
r14	0x7ffff4f03090	140737302769808
r15	0x7ffff4f03090	140737302769808
rip	0x555556d86182 <js::ModuleBuilder::processExportFrom(js::frontend::BinaryNode*)+258>
=> 0x555556d86182 <_ZN2js13ModuleBuilder17processExportFromEPNS_8frontend10BinaryNodeE+258>:	movzwl (%rcx),%eax
   0x555556d86185 <_ZN2js13ModuleBuilder17processExportFromEPNS_8frontend10BinaryNodeE+261>:	cmp    $0x3e8,%rax

This is a fairly frequent OOM that we have not been able to isolate as a standalone testcase until now.

Attached file Testcase

I'd be curious to know why you need two calls to oomTest here. I've seen this pattern quite a few times and wonder if we should change our testing approach.

Set release status flags based on info from the regressing bug 1736060

status-firefox100: --- → affected
status-firefox99: --- → affected
status-firefox-esr91: --- → unaffected

:jon4t4n, since you are the author of the regressor, bug 1736060, could you take a look?
For more information, please visit auto_nag documentation.

Flags: needinfo?(jonatan.r.klemets)

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220414092955-6c55ba30c858.
The bug appears to have been introduced in the following build range:

Start: e565a940acd104cc68f0695a00ed6d6e476bf6fb (20211201183242)
End: 3bd18dfc114ff7dd5cdd288b345331aa3568a2e3 (20211201183342)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=e565a940acd104cc68f0695a00ed6d6e476bf6fb&tochange=3bd18dfc114ff7dd5cdd288b345331aa3568a2e3

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Assignee: nobody → jonatan.r.klemets
Status: NEW → ASSIGNED

The above patch should fix the crash.

Regarding the question of why we need to call oomTest twice here, I am not able to add any insight.

Flags: needinfo?(jonatan.r.klemets)

I can't speak to this particular case, but oomTest is inevitably going to be somewhat flaky on parts of the engine, because its implementation trades off coverage for speed.

oomTest works by repeatedly calling a function and failing the Nth allocation, for increasing N, until N gets large enough that we don't fail an allocation. However, we don't reset the state of the world between each call. For example, the warmup count will increase on each execution. When we hit a warmup threshold and compile, it's likely that we'll OOM somewhere in the compiler, but there are no guarantees where. When the compilation fails, we will usually reset the warmup count and start again. On the next iteration, it's likely that allocation N+1 is not in the compiler, because we need to warm up more before we enter it again. This means that code that depends on previous state (compilers, ICs, etc...) gets patchy OOM coverage.

The alternative would be to reset the engine to its starting point on each iteration. The downside of that is that it would be even slower than the current version of oomTest, which is already unwieldy. Given that we're talking about removing OOM handling entirely, I'm not sure this is the most valuable place to invest our time (although we've been talking of removing OOM handling for years without any movement, so there are no guarantees.)

Pushed by mgaudet@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/b4f304b80390 Add missing OOM checks in GeneralParser<ParseHandler, Unit>::exportFrom. r=mgaudet

https://hg.mozilla.org/mozilla-central/rev/b4f304b80390

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox101: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 101 Branch

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220414214512-d8f67ac43580.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
status-firefox101: fixedverified
Keywords: bugmon
Has Regression Range: --- → yes

The patch landed in nightly and beta is affected.
:jon4t4n, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(jonatan.r.klemets)

This is a fairly old regression, and we're late in beta, so I think we can let this ride the trains.

status-firefox100: affectedwontfix
Flags: needinfo?(jonatan.r.klemets)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: