Running out of memory when creating constants in a loop

[zhunki]

the following poc cause a crash in latest build on ubuntu.

for (let v3 = -65537; v3 < 3; v3 = v3 + 0) {
    const v4 = v3++;
}

#0 0x0000555555799691 in ReportFatalException ()
#1 0x0000555555799877 in Js::Throw::FatalInternalError(int) ()
#2 0x0000555555d543a7 in GlobOpt::CollectMemOpInfo(IR::Instr*, IR::Instr*, Value*, Value*) ()
#3 0x0000555555d4bf0e in GlobOpt::OptInstr(IR::Instr*&, bool*) ()
#4 0x0000555555d49e13 in GlobOpt::OptBlock(BasicBlock*) ()
#5 0x0000555555d48f49 in GlobOpt::ForwardPass() ()
#6 0x0000555555d4889b in GlobOpt::Optimize() ()
#7 0x0000555555d4155f in Func::TryCodegen() ()
#8 0x0000555555d4125c in Func::Codegen(Memory::JitArenaAllocator*, JITTimeWorkItem*, ThreadContextInfo*, ScriptContextInfo*, JITOutputIDL*, Js::EntryPointInfo*, FunctionJITRuntimeInfo const*, JITTimePolymorphicInlineCacheInfo*, void*, Js::ScriptContextProfiler*, bool) ()
#9 0x0000555555cc0e29 in NativeCodeGenerator::CodeGen(Memory::PageAllocatorBase<Memory::VirtualAllocWrapper, Memory::SegmentBaseMemory::VirtualAllocWrapper, Memory::PageSegmentBaseMemory::VirtualAllocWrapper >, CodeGenWorkItemIDL, JITOutputIDL&, bool, Js::EntryPointInfo*) ()
#10 0x0000555555cc10cd in NativeCodeGenerator::CodeGen(Memory::PageAllocatorBase<Memory::VirtualAllocWrapper, Memory::SegmentBaseMemory::VirtualAllocWrapper, Memory::PageSegmentBaseMemory::VirtualAllocWrapper >, CodeGenWorkItem, bool) ()
#11 0x0000555555cc1953 in NativeCodeGenerator::Process(JsUtil::Job*, JsUtil::ParallelThreadData*) ()
#12 0x0000555555cd4a0e in JsUtil::BackgroundJobProcessor::Process(JsUtil::Job*, JsUtil::ParallelThreadData*) ()
#13 0x0000555555cd4b15 in JsUtil::BackgroundJobProcessor::Run(JsUtil::ParallelThreadData*) ()
#14 0x0000555555cd3a47 in JsUtil::BackgroundJobProcessor::StaticThreadProc(void*) ()
#15 0x000055555571f9fd in CorUnix::CPalThread::ThreadEntry(void*) ()
#16 0x00007ffff7aa2609 in start_thread (arg=) at pthread_create.c:477
#17 0x00007ffff7857293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

[ppenzin]

Thank you for the report. Looks like the reproducer is creating a new const on every loop iteration, which eventually overwhelms garbage collection, leading to the error. 'Crash' seems to be somewhat ambiguous, this is clearly an error thrown by the memory allocator.

[ppenzin]

I've checked with V8 (but with release, ToT), it doesn't seem to run out of memory. So we might not be detecting that the constant can be reclaimed at the end of every iteration. @rhuanjl what do you think?

[rhuanjl]

It seems slightly more complicated, I don't think it is an out of memory error - it's a failfast in the Jit.

But changing the code to the below suppresses it - even though functionally that should be the same:

for (let v3 = -65537; v3 < 3;) {
    const v4 = v3++;
}

Also it's not specific to a const same out of memory occurs with a let.

Error repros in 1.11 and master; error does not occur with Spidermonkey, Jsc or v8.

I can take a little look but this seems to be quite an old bug involving an obscure code path.

[rhuanjl]

I think the crash is to do with code that seeks to optimise the loop getting confused by the v3 = v3 + 0 instruction in the increment section - however this code path is not hit unless the loop contains a const or a let.

[rhuanjl]

Working on a fix - it's just some conditional logic in the optimiser.

[rhuanjl]

PR opened with fix.