Closed Bug 1870756 Opened 3 months ago Closed 2 months ago

Assertion failure: cx_->hadResourceExhaustion(), at jit/WarpOracle.cpp:206

Categories

(Core :: JavaScript Engine: JIT, defect, P2)

All
Linux
defect

Tracking

RESOLVED FIXED
123 Branch
Tracking Status
firefox-esr115 --- wontfix
firefox121 --- wontfix
firefox122 --- wontfix
firefox123 --- fixed

People

(Reporter: gkw, Assigned: iain)

References

(Regression)

Details

(Keywords: regression, testcase)

Attachments

(2 files)

Attached file testcase

See attached testcase.

205	    MOZ_ASSERT_IF(hash == oldHash && !js::SupportDifferentialTesting(),
(gdb) bt
#0  js::jit::WarpOracle::createSnapshot (this=0xffffbdec) at /home/gen16gx500/trees/mozilla-central/js/src/jit/WarpOracle.cpp:205
#1  0x58f8acf4 in js::jit::CreateWarpSnapshot (cx=0xf7614100, mirGen=0xf63d8100, script=...) at /home/gen16gx500/trees/mozilla-central/js/src/jit/Ion.cpp:1597
#2  0x58f8759e in js::jit::IonCompile (cx=0xf7614100, script=..., osrPc=<optimized out>) at /home/gen16gx500/trees/mozilla-central/js/src/jit/Ion.cpp:1667
#3  js::jit::Compile (cx=0xf7614100, script=..., osrFrame=<optimized out>, osrPc=0x0) at /home/gen16gx500/trees/mozilla-central/js/src/jit/Ion.cpp:1860
#4  0x58f8841d in BaselineCanEnterAtEntry (cx=0xf7614100, frame=0xf67ffe98, script=...) at /home/gen16gx500/trees/mozilla-central/js/src/jit/Ion.cpp:1992
#5  IonCompileScriptForBaseline (cx=0xf7614100, frame=0xf67ffe98, pc=0xf7602241 "\266\001") at /home/gen16gx500/trees/mozilla-central/js/src/jit/Ion.cpp:2117
#6  0x58f87e80 in js::jit::IonCompileScriptForBaselineAtEntry (cx=0xf7614100, frame=0xf67ffe98) at /home/gen16gx500/trees/mozilla-central/js/src/jit/Ion.cpp:2144
#7  0x58d41909 in js::jit::Simulator::softwareInterrupt (this=0xf761c800, instr=0xf632e7e4) at /home/gen16gx500/trees/mozilla-central/js/src/jit/arm/Simulator-arm.cpp:2392
#8  0x58d3e867 in js::jit::Simulator::decodeType7 (this=0xf761c800, instr=0xf632e7e4) at /home/gen16gx500/trees/mozilla-central/js/src/jit/arm/Simulator-arm.cpp:3401
#9  js::jit::Simulator::instructionDecode (this=0xf761c800, instr=0xf632e7e4) at /home/gen16gx500/trees/mozilla-central/js/src/jit/arm/Simulator-arm.cpp:4431
#10 0x58d471bb in js::jit::Simulator::execute<false> (this=0xf761c800) at /home/gen16gx500/trees/mozilla-central/js/src/jit/arm/Simulator-arm.cpp:4487
#11 js::jit::Simulator::callInternal (this=0xf761c800, entry=0x2787b508 "\360O-\351\004\320M\342\020\212-\355h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>)
    at /home/gen16gx500/trees/mozilla-central/js/src/jit/arm/Simulator-arm.cpp:4565
#12 0x58d47780 in js::jit::Simulator::call (this=0xf761c800, entry=0x2787b508 "\360O-\351\004\320M\342\020\212-\355h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>, 
    argument_count=8) at /home/gen16gx500/trees/mozilla-central/js/src/jit/arm/Simulator-arm.cpp:4653
#13 0x59085011 in EnterJit (code=<optimized out>, cx=<optimized out>, state=...) at /home/gen16gx500/trees/mozilla-central/js/src/jit/Jit.cpp:115
#14 js::jit::MaybeEnterJit (cx=0xf7614100, state=...) at /home/gen16gx500/trees/mozilla-central/js/src/jit/Jit.cpp:261
#15 0x580395cc in js::RunScript (cx=0xf7614100, state=...) at /home/gen16gx500/trees/mozilla-central/js/src/vm/Interpreter.cpp:441
#16 0x5803c87c in js::ExecuteKernel (cx=0xf7614100, script=..., envChainArg=..., evalInFrame=..., result=...) at /home/gen16gx500/trees/mozilla-central/js/src/vm/Interpreter.cpp:838
#17 0x5803ccea in js::Execute (cx=0xf7614100, script=..., envChain=..., rval=...) at /home/gen16gx500/trees/mozilla-central/js/src/vm/Interpreter.cpp:870
#18 0x581c2c38 in ExecuteScript (cx=0xf7614100, envChain=..., script=..., rval=...) at /home/gen16gx500/trees/mozilla-central/js/src/vm/CompilationAndEvaluation.cpp:494
#19 0x581c2e18 in JS_ExecuteScript (cx=0xf7614100, scriptArg=...) at /home/gen16gx500/trees/mozilla-central/js/src/vm/CompilationAndEvaluation.cpp:518
#20 0x57f79647 in RunFile (cx=<optimized out>, filename=<optimized out>, file=0xf77208d0, compileMethod=CompileUtf8::DontInflate, compileOnly=<optimized out>, fullParse=<optimized out>)
    at /home/gen16gx500/trees/mozilla-central/js/src/shell/js.cpp:1219
#21 0x57f78737 in Process (cx=<optimized out>, filename=<optimized out>, forceTTY=<optimized out>, kind=FileScript) at /home/gen16gx500/trees/mozilla-central/js/src/shell/js.cpp:1799
#22 0x57f386c8 in ProcessArgs (cx=0xf7614100, op=0xffffca18) at /home/gen16gx500/trees/mozilla-central/js/src/shell/js.cpp:10874
#23 Shell (cx=<optimized out>, op=<optimized out>, op@entry=0xffffca18) at /home/gen16gx500/trees/mozilla-central/js/src/shell/js.cpp:11136
#24 0x57f325e6 in main (argc=6, argv=0xffffcb84) at /home/gen16gx500/trees/mozilla-central/js/src/shell/js.cpp:11540
(gdb)

Run with --fuzzing-safe --no-threads --ion-eager --arm-hwcap=vfp, compile with 'CXX="clang++ -msse2 -mfpmath=sse"' 'CC="clang -msse2 -mfpmath=sse"' AR=ar PKG_CONFIG_PATH=/usr/lib/x86_64-linux-gnu/pkgconfig sh ../configure --host=x86_64-pc-linux-gnu --target=i686-pc-linux --enable-simulator=arm --enable-debug --with-ccache --enable-debug-symbols --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev 382081ff53ef.

Iain, setting needinfo? to you since you seem to have fixed similar issues recently.

Flags: needinfo?(iireland)
$ ~/shell-cache/js-dbg-32-armsim32-linux-x86_64-382081ff53ef/js-dbg-32-armsim32-linux-x86_64-382081ff53ef --fuzzing-safe --no-threads --ion-eager --arm-hwcap=vfp testcase.js 
Assertion failure: cx_->hadResourceExhaustion(), at /home/gen16gx500/trees/mozilla-central/js/src/jit/WarpOracle.cpp:206
Segmentation fault

Nice catch! This is a real performance-tanking bailout loop, although it can only happen on hardware we don't care about, and maybe only in the simulator.

It looks like we're hitting this bailout in SoftModI repeatedly, which seemingly only occurs when we're compiling for an arm32 device without hardware support for integer mod (!?!?). (That's why --arm-hwcap=vfp is necessary.)

I can reproduce the same bug with a simpler testcase:

// |jit-test| --fast-warmup; --arm-hwcap=vfp
function foo(n) { return n % 2; }

with ({}) {}
for (var i = 0; i < 1000; i++) {
  foo(0);
}

It looks like the problem here is that we're saving the original lhs value in a temp register here, calling __aeabi_idivmod to do the actual computation, and then using the saved value to check whether the result should be -0. But when we do the call in the simulator, scratchVolatileRegisters clobbers our temp register. I suspect that this bug was introduced in this patch for bug 1659093, which hardcoded a fixed register that happened to be volatile.

Using a non-volatile temp fixes the bug.

The comment here from the original 12-year-old bug that initially added the -0 check to SoftModI is ironic:

Does LDefinition::GENERAL make it callee-saved? I think you need to ASSERT
in ::visitModI that the register is callee-saved, since things will break
subtly (and horribly) if a caller gets this wrong.

I'll add the assertion, but there shouldn't be any way that we can assign a caller-saved register to that register.

It appears that we removed said assertion as part of bug 888237.

Flags: needinfo?(iireland)
Regressed by: 1659093
Assignee: nobody → iireland
Status: NEW → ASSIGNED
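
The sign rule that the clobbered temp register was protecting, as an added example (not from this bug's testcase or from SpiderMonkey): a reference model of int32 `%` that mirrors the steps described above (compute the integer remainder via a call that cannot express -0, then use the original lhs to decide whether a zero result must be -0), checked against the engine's own `%` over constructed int32 edge cases. All function names are the example's own.

```javascript
// Added example (not from the bug or from SpiderMonkey): a reference model
// of the int32 modulo that the JIT's SoftModI path has to implement.
// Function names here are the example's own.

// Step 1: the integer remainder, as the __aeabi_idivmod call returns it.
// BigInt remainder is truncating and has no negative zero, so it models a
// plain integer result that carries no sign information for 0.
function int32Rem(lhs, rhs) {
  if ((rhs | 0) === 0) return NaN;                  // JS: x % 0 is NaN
  return Number(BigInt(lhs | 0) % BigInt(rhs | 0)); // INT_MIN % -1 is 0n here, no trap
}

// Step 2: the -0 check that follows the call. The sign of a zero result is
// decided by the ORIGINAL lhs, which the JIT keeps in a temp register across
// the call. `savedLhs` stands for that register; pass a different value to
// see what a clobbered register does to the result.
function modWithSignFix(lhs, rhs, savedLhs = lhs) {
  const r = int32Rem(lhs, rhs);
  if (r === 0 && savedLhs < 0) return -0;           // not an int32: the JIT must bail out
  return r;
}

// Compare the model with the engine's own % over constructed int32 edge
// cases (no -0 input: the int32 path never receives one). Returns the
// mismatching [lhs, rhs] pairs; an empty array means the model agrees.
function mismatches() {
  const edge = [0, 1, -1, 2, -2, 7, -7, 2147483647, -2147483648];
  const bad = [];
  for (const a of edge) {
    for (const b of edge) {
      if (!Object.is(modWithSignFix(a, b), a % b)) bad.push([a, b]);
    }
  }
  return bad;
}

// The loop from the reduced testcase: foo(0) should stay +0 and never bail.
// With a stale negative value standing in for the clobbered register, every
// iteration would instead produce -0, i.e. a bailout on each call.
function bailoutCount(iterations, stale) {
  let bails = 0;
  for (let i = 0; i < iterations; i++) {
    if (Object.is(modWithSignFix(0, 2, stale), -0)) bails++;
  }
  return bails;
}
```

Running `mismatches()` against a correct engine returns an empty array, while `bailoutCount(1000, -1)` shows how a single clobbered register turns a loop of `foo(0)` into a bailout on every iteration.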

The severity field is not set for this bug.
:willyelm, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(wmedina)
Severity: -- → S3
Flags: needinfo?(wmedina)
Priority: -- → P2
Pushed by iireland@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ea0271ef6010
Use nonvolatile temp register in LSoftModI r=jandem
Status: ASSIGNED → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → 123 Branch