Closed Bug 1091515 Opened 10 years ago Closed 8 years ago

Firefox jemalloc assumes a 64K PAGE_SIZE for AArch64, can cause crashes when running with 4K pages

Categories

(Core :: Memory Allocator, defect)

33 Branch
Other
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla48
Tracking Status
firefox48 --- fixed

People

(Reporter: steve.capper, Assigned: m_kato)

References

Details

(Keywords: 64bit, crash)

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0
Build ID: 20141015093046

Steps to reproduce:

1. Install Ubuntu 14.10 (Ubuntu 14.04 also gives this problem), and the firefox package.
2. Boot Linux 3.18-rc2 kernel on Juno platform with 4KB PAGE_SIZE (the defconfig should give this).
3. Launch Firefox, and go to "www.gmail.com", then in a separate tab, play a video from youtube.com.


Actual results:

In the console window I got the following error message:
<jemalloc>: (malloc) Error in munmap(): 

Then the browser slowed down and crashed.

I did some digging into this and made the kernel send a SIGILL to anything that fails to munmap. I got a core dump from plugin-container (below).

Essentially munmap is being called with a negative size (0xFFFFFFFFFFFF6000).

Looking further up in jemalloc.c I see the following lines:
https://github.com/mozilla/gecko-dev/blob/master/memory/mozjemalloc/jemalloc.c#L1089

/*
 * VM page size. It must divide the runtime CPU page size or the code
 * will abort.
 * Platform specific page size conditions copied from js/public/HeapAPI.h
 */
#if (defined(SOLARIS) || defined(__FreeBSD__)) && \
	(defined(__sparc) || defined(__sparcv9) || defined(__ia64))
#define pagesize_2pow ((size_t) 13)
#elif defined(__powerpc64__) || defined(__aarch64__)
#define pagesize_2pow ((size_t) 16)
#else

If I change pagesize_2pow to be 12 for AArch64, then the crash no longer happens when running with a 4KB PAGE_SIZE.

Also, looking further down in the code we have:
https://github.com/mozilla/gecko-dev/blob/master/memory/mozjemalloc/jemalloc.c#L5544

	if (pagesize % (size_t) result) {
		_malloc_message(_getprogname(),
		    "Compile-time page size does not divide the runtime one.\n",
		    "", "");
		abort();
	}

The arguments to the modulo operator appear to be the wrong way round? The compile time PAGE_SIZE is in the "pagesize" variable whilst the current running PAGE_SIZE is in the "result" variable. Thus one would expect the test for compile time page size dividing system page size to be:

	if ((size_t) result % pagesize) {
		// compile time PAGE_SIZE does not divide system PAGE_SIZE
	}

Or should the text of the message change, and is it assumed that the compile time page size is a multiple of the system page size?

Cheers,
-- 
Steve

Stack trace of core dump below:

(gdb) set pagination off
(gdb) bt full
#0  syscall () at ../ports/sysdeps/unix/sysv/linux/aarch64/syscall.S:39
No locals.
#1  0x0000007f8343269c in pages_unmap (addr=<optimised out>, size=<optimised out>) at /build/buildd/firefox-33.0+build2/memory/mozjemalloc/jemalloc.c:2465
No locals.
#2  0x0000007f834345bc in pages_trim (size=1048576, leadsize=<optimised out>, alloc_size=2031616, addr=<optimised out>) at /build/buildd/firefox-33.0+build2/memory/mozjemalloc/jemalloc.c:2731
        trailsize = 18446744073709510656
        ret = 0x7f7dc00000
#3  chunk_alloc_mmap_slow (alignment=1048576, size=1048576) at /build/buildd/firefox-33.0+build2/memory/mozjemalloc/jemalloc.c:2751
        pages = <optimised out>
        alloc_size = 2031616
        leadsize = <optimised out>
#4  chunk_alloc_mmap (pagefile=true, size=size@entry=1048576) at /build/buildd/firefox-33.0+build2/memory/mozjemalloc/jemalloc.c:2783
        ret = <optimised out>
        offset = <optimised out>
#5  chunk_alloc (size=size@entry=1048576, pagefile=true, zero=true) at /build/buildd/firefox-33.0+build2/memory/mozjemalloc/jemalloc.c:2870
        ret = <optimised out>
#6  0x0000007f834346cc in arena_run_alloc (arena=arena@entry=0x7f7ec14040, size=983040, large=large@entry=false, zero=zero@entry=false, bin=<optimised out>) at /build/buildd/firefox-33.0+build2/memory/mozjemalloc/jemalloc.c:3536
        chunk = <optimised out>
        run = <optimised out>
        key = {link = {rbn_left = 0x7f80, rbn_right_red = 0x7f80}, bits = 983056}
#7  0x0000007f83434f98 in arena_bin_nonfull_run_get (bin=0x7f7ec151d8, arena=0x7f7ec14040) at /build/buildd/firefox-33.0+build2/memory/mozjemalloc/jemalloc.c:3826
        run = <optimised out>
        i = <optimised out>
        remainder = <optimised out>
#8  arena_bin_malloc_hard (bin=0x7f7ec151d8, arena=0x7f7ec14040) at /build/buildd/firefox-33.0+build2/memory/mozjemalloc/jemalloc.c:3890
No locals.
#9  arena_malloc_small (zero=false, size=32768, arena=0x7f7ec14040) at /build/buildd/firefox-33.0+build2/memory/mozjemalloc/jemalloc.c:4080
        ret = <optimised out>
        bin = 0x7f7ec151d8
        run = <optimised out>
#10 arena_malloc (arena=0x7f7ec14040, size=<optimised out>, zero=false) at /build/buildd/firefox-33.0+build2/memory/mozjemalloc/jemalloc.c:4154
No locals.
#11 0x0000007f834350b4 in malloc (size=size@entry=32640) at /build/buildd/firefox-33.0+build2/memory/mozjemalloc/jemalloc.c:6215
        ret = <optimised out>
#12 0x0000007f801c28c0 in __gconv_open (toset=<optimised out>, toset@entry=0x7fd8a901e0 "UTF-16LE//", fromset=<optimised out>, fromset@entry=0x7fd8a901c0 "UTF-8//", handle=handle@entry=0x7fd8a90248, flags=flags@entry=0) at gconv_open.c:282
        size = 32640
        n = <optimised out>
        lastp = <optimised out>
        runp = <optimised out>
        steps = 0x7f7e9d00e0
        nsteps = 2
        result = 0x7f7e990180
        cnt = 0
        res = 0
        conv_flags = 0
        errhand = <optimised out>
        ignore = <optimised out>
        trans = 0x0
#13 0x0000007f801c22ac in iconv_open (tocode=0x7fd8a901e0 "UTF-16LE//", fromcode=0x7fd8a901c0 "UTF-8//") at iconv_open.c:71
        tocode_len = <optimised out>
        tocode_conv = 0x7fd8a901e0 "UTF-16LE//"
        tocode_usealloca = <optimised out>
        fromcode_len = <optimised out>
        fromcode_conv = 0x7fd8a901c0 "UTF-8//"
        fromcode_usealloca = <optimised out>
        cd = 0x7f7e9414e8
        res = <optimised out>
#14 0x0000007f80c0ef44 in xp_iconv_open (to_list=to_list@entry=0x7f83362418 <UTF_16_NAMES>, from_list=from_list@entry=0x7fd8a902d0) at /build/buildd/firefox-33.0+build2/xpcom/io/nsNativeCharsetUtils.cpp:175
        res = <optimised out>
        from_name = 0x7fd8a902d0
        to_name = 0x7f83362418 <UTF_16_NAMES>
#15 0x0000007f80c0f0c4 in nsNativeCharsetConverter::LazyInit () at /build/buildd/firefox-33.0+build2/xpcom/io/nsNativeCharsetUtils.cpp:338
        native_charset_list = 0x7fd8a902d0
        native_charset = <optimised out>
        dummy_input = ""
        dummy_output = "\324\364\300\200"
        blank_list = {0x7f7dd1730c <error: Cannot access memory at address 0x7f7dd1730c>, 0x0}
#16 0x0000007f80c0f234 in nsNativeCharsetConverter::nsNativeCharsetConverter (this=this@entry=0x7fd8a90320) at /build/buildd/firefox-33.0+build2/xpcom/io/nsNativeCharsetUtils.cpp:444
No locals.
#17 0x0000007f80c0f4d4 in NS_CopyNativeToUnicode (aInput=..., aOutput=...) at /build/buildd/firefox-33.0+build2/xpcom/io/nsNativeCharsetUtils.cpp:831
        resultLeft = 24
        buf = 0x7f7e9414e8 "/usr/lib/firefox/omni.ja"
        conv = {static gNativeToUnicode = 0xffffffffffffffff, static gUnicodeToNative = 0xffffffffffffffff, static gLock = 0x0, static gInitialized = false, static gIsNativeUTF8 = true}
        rv = <optimised out>
        result = 0x7fd8a903c8 u""
        bufLeft = 24
#18 0x0000007f80c57064 in net_GetURLSpecFromActualFile (aFile=<optimised out>, result=...) at /build/buildd/firefox-33.0+build2/netwerk/base/src/nsURLHelperUnix.cpp:24
        rv = tag_nsresult::NS_OK
        nativePath = {<nsFixedCString> = {<nsCString> = {<nsACString_internal> = {mData = 0x7f7e9414e8 "/usr/lib/firefox/omni.ja", mLength = 24, mFlags = 65541}, <No data fields>}, mFixedCapacity = 63, mFixedBuf = 0x7fd8a90468 ""}, mStorage = "\000\000\000\000\000\000\000\000\030A\301~\177\000\000\000\030\000\000\000\000\000\000\000\250O\301~\177\000\000\000\270O\301~\177", '\000' <repeats 12 times>, "\004\000\000\000\000\000\000@@\301~\177\000\000"}
        prefix = {<nsCString> = {<nsACString_internal> = {mData = 0x7f803276c8 "\373B", mLength = 2202120192, mFlags = 127}, <No data fields>}, <No data fields>}
        ePath = {<nsFixedCString> = {<nsCString> = {<nsACString_internal> = {mData = 0x7fd8a904c8 "", mLength = 0, mFlags = 65553}, <No data fields>}, mFixedCapacity = 63, mFixedBuf = 0x7fd8a904c8 ""}, mStorage = "\000NC\203\177\000\000\000\360\032\251\330\177\000\000\000\004OC\203\177\000\000\000\000\b\230~\177\000\000\000\000\b\230~\177\000\000\000\000\004\000\000\000\000\000\000\030\000\000\000\000\000\000\000\bh\261~\177\000\000"}
        path = {<nsFixedString> = {<nsString> = {<nsAString_internal> = {mData = 0x7fd8a903c8 u"", mLength = 24, mFlags = 65553}, <No data fields>}, mFixedCapacity = 63, mFixedBuf = 0x7fd8a903c8 u""}, mStorage = u"\000\000\000\000$\a\000\000䁀绁\177\000⇨荃\177\000鍔翦\177\000Ѱ\xd8a9\177\000\000纐\177\000䄠绁\177\000鍼翦\177\000\000纘\177\000䁀绁\177\000à纐\177\000\000\001\000\000\000\000\000\000\000\000\000\000䄠绁\177"}
        escPath = {<nsFixedCString> = {<nsCString> = {<nsACString_internal> = {mData = 0x7f7e9807e0 " \a\230~\177", mLength = 60, mFlags = 0}, <No data fields>}, mFixedCapacity = 2125553664, mFixedBuf = 0x7f834350b4 <malloc+52> ""}, mStorage = "\000\004\000\000\000\000\000\000\000\004\000\000\000\000\000\000\260\364\341\177\177\000\000\000\254\267\377}\177\000\000\000\026\270\377}\177\000\000\000\064\367\217~\177\000\000\000$\367\353\200\177\000\000\000\060\r\221~\177\000\000"}
#19 0x0000007f80bcdd30 in mozilla::FileLocation::GetURIString (this=0x7f7e910d40, result=...) at /build/buildd/firefox-33.0+build2/xpcom/build/FileLocation.cpp:99
No locals.
#20 0x0000007f80ec0628 in nsZipArchive::OpenArchive (this=this@entry=0x7f7eb16000, aZipHandle=0x7f7e910d30, aFd=aFd@entry=0x0) at /build/buildd/firefox-33.0+build2/modules/libjar/nsZipArchive.cpp:292
        rv = tag_nsresult::NS_OK
#21 0x0000007f80ec0694 in nsZipArchive::OpenArchive (this=0x7f7eb16000, aFile=<optimised out>, aMustCacheFd=aMustCacheFd@entry=false) at /build/buildd/firefox-33.0+build2/modules/libjar/nsZipArchive.cpp:313
        handle = {mRawPtr = 0x7f7e910d30}
        rv = tag_nsresult::NS_OK
#22 0x0000007f80bce68c in mozilla::Omnijar::InitOne (aPath=<optimised out>, aType=aType@entry=mozilla::Omnijar::GRE) at /build/buildd/firefox-33.0+build2/xpcom/build/Omnijar.cpp:77
        file = {<nsCOMPtr_base> = {mRawPtr = 0x7f7e951590}, <No data fields>}
        isFile = true
        handle = {mRawPtr = 0x7fd8a90708}
        equals = false
        zipReader = {mRawPtr = 0x7f7eb16000}
#23 0x0000007f80bce7c4 in mozilla::Omnijar::Init (aGrePath=<optimised out>, aAppPath=0x7f7e951640) at /build/buildd/firefox-33.0+build2/xpcom/build/Omnijar.cpp:99
No locals.
#24 0x0000007f81c78170 in XRE_InitCommandLine (aArgc=<optimised out>, aArgv=0x7fd8a91c38) at /build/buildd/firefox-33.0+build2/toolkit/xre/nsAppRunner.cpp:4407
        rv = tag_nsresult::NS_OK
        binFile = {<nsCOMPtr_base> = {mRawPtr = 0x7f7e9514e0}, <No data fields>}
        greOmni = {<nsCOMPtr_base> = {mRawPtr = 0x7f7e951590}, <No data fields>}
        canonBinPath = {<nsFixedCString> = {<nsCString> = {<nsACString_internal> = {mData = 0x7f7e9414b8 "/usr/lib/firefox/plugin-container", mLength = 33, mFlags = 65541}, <No data fields>}, mFixedCapacity = 63, mFixedBuf = 0x7fd8a90748 ""}, mStorage = "\000\000\000\000\000\000\000\000\000\270\345\177\177\000\000\000\000\004\000\000\000\000\000\000\320\n\251\330\177\000\000\000\a\000\000\000\000\000\000\000\070\034\251\330\177\000\000\000\b\000\000\000\000\000\000\000\000\000\066\203\177\000\000"}
        path = 0x7fd8a9262c "/usr/lib/firefox/browser/omni.ja"
        ar = <optimised out>
        appOmni = {<nsCOMPtr_base> = {mRawPtr = 0x7f7e951640}, <No data fields>}
#25 0x0000007f81c7b888 in XRE_InitChildProcess (aArgc=7, aArgv=0x7fd8a91c38, aProcess=GeckoProcessType_Content) at /build/buildd/firefox-33.0+build2/toolkit/xre/nsEmbedFunctions.cpp:451
        end = 0x7fd8a92672 ""
        parentHandle = 2244
        exitManager = {lock_ = {lock_ = {os_lock_ = {__data = {__lock = 0, __count = 0, __owner = 0, __nusers = 0, __kind = 0, __spins = 0, __list = {__prev = 0x0, __next = 0x0}}, __size = '\000' <repeats 47 times>, __align = 0}}}, stack_ = std::stack wrapping: std::deque with 1 elements = {{func_ = 0x7f80d90220 <base::LazyInstance<base::ThreadLocalPointer<NotificationService>, base::DefaultLazyInstanceTraits<base::ThreadLocalPointer<NotificationService> > >::OnExit(void*)>, param_ = 0x7f833c10f8 <_ZL12lazy_tls_ptr>}}, next_manager_ = 0x0}
        rv = <optimised out>
        notificationService = {observers_ = {std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, 
std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements}}
        parentPIDString = <optimised out>
        parentPID = <optimised out>
#26 0x0000007f83425f34 in main (argc=8, argv=0x7fd8a91c38) at /build/buildd/firefox-33.0+build2/ipc/app/MozillaRuntimeMain.cpp:147
        proctype = <optimised out>
        rv = <optimised out>
(gdb) 

Expected results:

I did not expect the crash.
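As an added example (not code from this bug or from mozjemalloc), the C program below redoes the pages_trim() arithmetic with the sizes in the backtrace above and contrasts the two forms of the page-size check. The mmap() address 0x7f7db06000 is reconstructed from ret (0x7f7dc00000) and the wrapped trailsize, since the real addr is optimised out in the trace.

```c
/* Added example, not mozjemalloc's code: redo the pages_trim() arithmetic with the
 * sizes from the backtrace above and contrast the two forms of the page-size check. */
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

/* Round p up to a multiple of a (a power of two), like jemalloc's ALIGNMENT_CEILING. */
static uintptr_t align_ceiling(uintptr_t p, size_t a)
{
    return (p + (a - 1)) & ~((uintptr_t)a - 1);
}

/* The check as written in jemalloc.c: compile-time size modulo runtime size.
 * 65536 % 4096 == 0, so a 64K build is accepted on a 4K kernel. */
static int check_as_written(size_t compile_pagesize, size_t runtime_pagesize)
{
    return compile_pagesize % runtime_pagesize == 0;
}

/* The check the error text describes: the compile-time size must divide the
 * runtime one. 4096 % 65536 != 0, so the same build is rejected. */
static int check_as_described(size_t compile_pagesize, size_t runtime_pagesize)
{
    return runtime_pagesize % compile_pagesize == 0;
}

/* chunk_alloc_mmap_slow()/pages_trim() arithmetic: the mapping is over-allocated by
 * alignment - pagesize, which covers any leadsize only if mmap() returns addresses
 * that are multiples of the compile-time page size. With 4K runtime pages leadsize
 * can exceed alignment - 65536 and the unsigned subtraction wraps. */
static size_t slow_path_trailsize(size_t size, size_t alignment,
                                  size_t compile_pagesize, uintptr_t mmap_addr)
{
    size_t alloc_size = size + alignment - compile_pagesize;            /* 2031616 */
    size_t leadsize = align_ceiling(mmap_addr, alignment) - mmap_addr;  /* 0xfa000 */
    return alloc_size - leadsize - size;  /* 0xffffffffffff6000: the bad munmap() size */
}

int main(void)
{
    size_t runtime = (size_t)sysconf(_SC_PAGESIZE);
    /* Reconstructed address: ret (0x7f7dc00000) minus the leadsize that trailsize implies. */
    uintptr_t addr = 0x7f7db06000ULL;
    printf("runtime page %zu: check as written %d, as described %d\n", runtime,
           check_as_written(65536, runtime), check_as_described(65536, runtime));
    printf("64K build, 4K mmap address: trailsize 0x%zx\n",
           slow_path_trailsize(1048576, 1048576, 65536, addr));
    printf("4K build, same address:     trailsize 0x%zx\n",
           slow_path_trailsize(1048576, 1048576, 4096, addr));
    return 0;
}
```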
Severity: normal → major
Keywords: 64bit
Hardware: x86_64 → Other
Component: Untriaged → jemalloc
Product: Firefox → Core
Severity: major → critical
Keywords: crash
Depends on: 963028
Status: UNCONFIRMED → NEW
Ever confirmed: true
Linux/aarch64 supports various page size configurations.

(From https://www.kernel.org/doc/Documentation/arm64/memory.txt)
- 4KB + 3 levels
- 4KB + 4 levels
- 64KB + 2 levels

So we shouldn't set a fixed 64KB page size on aarch64.

Review commit: https://reviewboard.mozilla.org/r/44287/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/44287/
Attachment #8738083 - Flags: review?(mh+mozilla)
Assignee: nobody → m_kato
Attachment #8738083 - Flags: review?(mh+mozilla) → review+
Comment on attachment 8738083 [details]
MozReview Request: Bug 1091515 - Don't set 64KB page size on aarch64. r?glandium

https://reviewboard.mozilla.org/r/44287/#review41159
https://hg.mozilla.org/mozilla-central/rev/c111173a1b98
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
