1091515 - Firefox jemalloc assumes a 64K PAGE_SIZE for AArch64, can cause crashes when running with 4K pages

Reporter

Description

•

10 years ago

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0
Build ID: 20141015093046

Steps to reproduce:

1. Install Ubuntu 14.10 (Ubuntu 14.04 also gives this problem), and the firefox package.
2. Boot Linux 3.18-rc2 kernel on Juno platform with 4KB PAGE_SIZE (the defconfig should give this).
3. Launch Firefox, and go to "www.gmail.com", then in a separate tab, play a video from youtube.com.


Actual results:

In the console window I got the following error message:
<jemalloc>: (malloc) Error in munmap(): 

Then the browser slowed down and crashed.

I did some digging into this and made the kernel send a SIGILL to anything that fails to munmap. I got a core dump from plugin-container (below).

Essentially munmap is being called with a negative size (0xFFFFFFFFFFFF6000).

Looking further up in jemalloc.c I see the following lines:
https://github.com/mozilla/gecko-dev/blob/master/memory/mozjemalloc/jemalloc.c#L1089

/*
* VM page size. It must divide the runtime CPU page size or the code
* will abort.
* Platform specific page size conditions copied from js/public/HeapAPI.h
*/
#if (defined(SOLARIS) || defined(__FreeBSD__)) && \
(defined(__sparc) || defined(__sparcv9) || defined(__ia64))
#define pagesize_2pow ((size_t) 13)
#elif defined(__powerpc64__) || defined(__aarch64__)
#define pagesize_2pow ((size_t) 16)
#else

If I change pagesize_2pow to be 12 for AArch64, then crash no longer happens when running with a 4KB PAGE_SIZE.

Also, looking further down in the code we have:
https://github.com/mozilla/gecko-dev/blob/master/memory/mozjemalloc/jemalloc.c#L5544

	if (pagesize % (size_t) result) {
_malloc_message(_getprogname(),
"Compile-time page size does not divide the runtime one.\n",
"", "");
abort();
}

The arguments to modulo operator appear to be the wrong way round? The compile time PAGE_SIZE is in the "pagesize" variable whilst the current running PAGE_SIZE is in the "result" variable. Thus one would expect the test for compile time page size dividing system page size to be:

	if ((size_t) result % pagesize) {
            // compile time PAGE_SIZE does not divide system PAGE_SIZE
        }

Or should the text of the message change, and is it assumed that the compile time page size is a multiple of the system page size?

Cheers,
-- 
Steve

Stack trace of core dump below:

(gdb) set pagination off
(gdb) bt full
#0  syscall () at ../ports/sysdeps/unix/sysv/linux/aarch64/syscall.S:39
No locals.
#1  0x0000007f8343269c in pages_unmap (addr=<optimised out>, size=<optimised out>) at /build/buildd/firefox-33.0+build2/memory/mozjemalloc/jemalloc.c:2465
No locals.
#2  0x0000007f834345bc in pages_trim (size=1048576, leadsize=<optimised out>, alloc_size=2031616, addr=<optimised out>) at /build/buildd/firefox-33.0+build2/memory/mozjemalloc/jemalloc.c:2731
        trailsize = 18446744073709510656
        ret = 0x7f7dc00000
#3  chunk_alloc_mmap_slow (alignment=1048576, size=1048576) at /build/buildd/firefox-33.0+build2/memory/mozjemalloc/jemalloc.c:2751
        pages = <optimised out>
        alloc_size = 2031616
        leadsize = <optimised out>
#4  chunk_alloc_mmap (pagefile=true, size=size@entry=1048576) at /build/buildd/firefox-33.0+build2/memory/mozjemalloc/jemalloc.c:2783
        ret = <optimised out>
        offset = <optimised out>
#5  chunk_alloc (size=size@entry=1048576, pagefile=true, zero=true) at /build/buildd/firefox-33.0+build2/memory/mozjemalloc/jemalloc.c:2870
        ret = <optimised out>
#6  0x0000007f834346cc in arena_run_alloc (arena=arena@entry=0x7f7ec14040, size=983040, large=large@entry=false, zero=zero@entry=false, bin=<optimised out>) at /build/buildd/firefox-33.0+build2/memory/mozjemalloc/jemalloc.c:3536
        chunk = <optimised out>
        run = <optimised out>
        key = {link = {rbn_left = 0x7f80, rbn_right_red = 0x7f80}, bits = 983056}
#7  0x0000007f83434f98 in arena_bin_nonfull_run_get (bin=0x7f7ec151d8, arena=0x7f7ec14040) at /build/buildd/firefox-33.0+build2/memory/mozjemalloc/jemalloc.c:3826
        run = <optimised out>
        i = <optimised out>
        remainder = <optimised out>
#8  arena_bin_malloc_hard (bin=0x7f7ec151d8, arena=0x7f7ec14040) at /build/buildd/firefox-33.0+build2/memory/mozjemalloc/jemalloc.c:3890
No locals.
#9  arena_malloc_small (zero=false, size=32768, arena=0x7f7ec14040) at /build/buildd/firefox-33.0+build2/memory/mozjemalloc/jemalloc.c:4080
        ret = <optimised out>
        bin = 0x7f7ec151d8
        run = <optimised out>
#10 arena_malloc (arena=0x7f7ec14040, size=<optimised out>, zero=false) at /build/buildd/firefox-33.0+build2/memory/mozjemalloc/jemalloc.c:4154
No locals.
#11 0x0000007f834350b4 in malloc (size=size@entry=32640) at /build/buildd/firefox-33.0+build2/memory/mozjemalloc/jemalloc.c:6215
        ret = <optimised out>
#12 0x0000007f801c28c0 in __gconv_open (toset=<optimised out>, toset@entry=0x7fd8a901e0 "UTF-16LE//", fromset=<optimised out>, fromset@entry=0x7fd8a901c0 "UTF-8//", handle=handle@entry=0x7fd8a90248, flags=flags@entry=0) at gconv_open.c:282
        size = 32640
        n = <optimised out>
        lastp = <optimised out>
        runp = <optimised out>
        steps = 0x7f7e9d00e0
        nsteps = 2
        result = 0x7f7e990180
        cnt = 0
        res = 0
        conv_flags = 0
        errhand = <optimised out>
        ignore = <optimised out>
        trans = 0x0
#13 0x0000007f801c22ac in iconv_open (tocode=0x7fd8a901e0 "UTF-16LE//", fromcode=0x7fd8a901c0 "UTF-8//") at iconv_open.c:71
        tocode_len = <optimised out>
        tocode_conv = 0x7fd8a901e0 "UTF-16LE//"
        tocode_usealloca = <optimised out>
        fromcode_len = <optimised out>
        fromcode_conv = 0x7fd8a901c0 "UTF-8//"
        fromcode_usealloca = <optimised out>
        cd = 0x7f7e9414e8
        res = <optimised out>
#14 0x0000007f80c0ef44 in xp_iconv_open (to_list=to_list@entry=0x7f83362418 <UTF_16_NAMES>, from_list=from_list@entry=0x7fd8a902d0) at /build/buildd/firefox-33.0+build2/xpcom/io/nsNativeCharsetUtils.cpp:175
        res = <optimised out>
        from_name = 0x7fd8a902d0
        to_name = 0x7f83362418 <UTF_16_NAMES>
#15 0x0000007f80c0f0c4 in nsNativeCharsetConverter::LazyInit () at /build/buildd/firefox-33.0+build2/xpcom/io/nsNativeCharsetUtils.cpp:338
        native_charset_list = 0x7fd8a902d0
        native_charset = <optimised out>
        dummy_input = ""
        dummy_output = "\324\364\300\200"
        blank_list = {0x7f7dd1730c <error: Cannot access memory at address 0x7f7dd1730c>, 0x0}
#16 0x0000007f80c0f234 in nsNativeCharsetConverter::nsNativeCharsetConverter (this=this@entry=0x7fd8a90320) at /build/buildd/firefox-33.0+build2/xpcom/io/nsNativeCharsetUtils.cpp:444
No locals.
#17 0x0000007f80c0f4d4 in NS_CopyNativeToUnicode (aInput=..., aOutput=...) at /build/buildd/firefox-33.0+build2/xpcom/io/nsNativeCharsetUtils.cpp:831
        resultLeft = 24
        buf = 0x7f7e9414e8 "/usr/lib/firefox/omni.ja"
        conv = {static gNativeToUnicode = 0xffffffffffffffff, static gUnicodeToNative = 0xffffffffffffffff, static gLock = 0x0, static gInitialized = false, static gIsNativeUTF8 = true}
        rv = <optimised out>
        result = 0x7fd8a903c8 u""
        bufLeft = 24
#18 0x0000007f80c57064 in net_GetURLSpecFromActualFile (aFile=<optimised out>, result=...) at /build/buildd/firefox-33.0+build2/netwerk/base/src/nsURLHelperUnix.cpp:24
        rv = tag_nsresult::NS_OK
        nativePath = {<nsFixedCString> = {<nsCString> = {<nsACString_internal> = {mData = 0x7f7e9414e8 "/usr/lib/firefox/omni.ja", mLength = 24, mFlags = 65541}, <No data fields>}, mFixedCapacity = 63, mFixedBuf = 0x7fd8a90468 ""}, mStorage = "\000\000\000\000\000\000\000\000\030A\301~\177\000\000\000\030\000\000\000\000\000\000\000\250O\301~\177\000\000\000\270O\301~\177", '\000' <repeats 12 times>, "\004\000\000\000\000\000\000@@\301~\177\000\000"}
        prefix = {<nsCString> = {<nsACString_internal> = {mData = 0x7f803276c8 "\373B", mLength = 2202120192, mFlags = 127}, <No data fields>}, <No data fields>}
        ePath = {<nsFixedCString> = {<nsCString> = {<nsACString_internal> = {mData = 0x7fd8a904c8 "", mLength = 0, mFlags = 65553}, <No data fields>}, mFixedCapacity = 63, mFixedBuf = 0x7fd8a904c8 ""}, mStorage = "\000NC\203\177\000\000\000\360\032\251\330\177\000\000\000\004OC\203\177\000\000\000\000\b\230~\177\000\000\000\000\b\230~\177\000\000\000\000\004\000\000\000\000\000\000\030\000\000\000\000\000\000\000\bh\261~\177\000\000"}
        path = {<nsFixedString> = {<nsString> = {<nsAString_internal> = {mData = 0x7fd8a903c8 u"", mLength = 24, mFlags = 65553}, <No data fields>}, mFixedCapacity = 63, mFixedBuf = 0x7fd8a903c8 u""}, mStorage = u"\000\000\000\000$\a\000\000䁀绁\177\000⇨荃\177\000鍔翦\177\000Ѱ\xd8a9\177\000\000纐\177\000䄠绁\177\000鍼翦\177\000\000纘\177\000䁀绁\177\000à纐\177\000\000\001\000\000\000\000\000\000\000\000\000\000䄠绁\177"}
        escPath = {<nsFixedCString> = {<nsCString> = {<nsACString_internal> = {mData = 0x7f7e9807e0 " \a\230~\177", mLength = 60, mFlags = 0}, <No data fields>}, mFixedCapacity = 2125553664, mFixedBuf = 0x7f834350b4 <malloc+52> ""}, mStorage = "\000\004\000\000\000\000\000\000\000\004\000\000\000\000\000\000\260\364\341\177\177\000\000\000\254\267\377}\177\000\000\000\026\270\377}\177\000\000\000\064\367\217~\177\000\000\000$\367\353\200\177\000\000\000\060\r\221~\177\000\000"}
#19 0x0000007f80bcdd30 in mozilla::FileLocation::GetURIString (this=0x7f7e910d40, result=...) at /build/buildd/firefox-33.0+build2/xpcom/build/FileLocation.cpp:99
No locals.
#20 0x0000007f80ec0628 in nsZipArchive::OpenArchive (this=this@entry=0x7f7eb16000, aZipHandle=0x7f7e910d30, aFd=aFd@entry=0x0) at /build/buildd/firefox-33.0+build2/modules/libjar/nsZipArchive.cpp:292
        rv = tag_nsresult::NS_OK
#21 0x0000007f80ec0694 in nsZipArchive::OpenArchive (this=0x7f7eb16000, aFile=<optimised out>, aMustCacheFd=aMustCacheFd@entry=false) at /build/buildd/firefox-33.0+build2/modules/libjar/nsZipArchive.cpp:313
        handle = {mRawPtr = 0x7f7e910d30}
        rv = tag_nsresult::NS_OK
#22 0x0000007f80bce68c in mozilla::Omnijar::InitOne (aPath=<optimised out>, aType=aType@entry=mozilla::Omnijar::GRE) at /build/buildd/firefox-33.0+build2/xpcom/build/Omnijar.cpp:77
        file = {<nsCOMPtr_base> = {mRawPtr = 0x7f7e951590}, <No data fields>}
        isFile = true
        handle = {mRawPtr = 0x7fd8a90708}
        equals = false
        zipReader = {mRawPtr = 0x7f7eb16000}
#23 0x0000007f80bce7c4 in mozilla::Omnijar::Init (aGrePath=<optimised out>, aAppPath=0x7f7e951640) at /build/buildd/firefox-33.0+build2/xpcom/build/Omnijar.cpp:99
No locals.
#24 0x0000007f81c78170 in XRE_InitCommandLine (aArgc=<optimised out>, aArgv=0x7fd8a91c38) at /build/buildd/firefox-33.0+build2/toolkit/xre/nsAppRunner.cpp:4407
        rv = tag_nsresult::NS_OK
        binFile = {<nsCOMPtr_base> = {mRawPtr = 0x7f7e9514e0}, <No data fields>}
        greOmni = {<nsCOMPtr_base> = {mRawPtr = 0x7f7e951590}, <No data fields>}
        canonBinPath = {<nsFixedCString> = {<nsCString> = {<nsACString_internal> = {mData = 0x7f7e9414b8 "/usr/lib/firefox/plugin-container", mLength = 33, mFlags = 65541}, <No data fields>}, mFixedCapacity = 63, mFixedBuf = 0x7fd8a90748 ""}, mStorage = "\000\000\000\000\000\000\000\000\000\270\345\177\177\000\000\000\000\004\000\000\000\000\000\000\320\n\251\330\177\000\000\000\a\000\000\000\000\000\000\000\070\034\251\330\177\000\000\000\b\000\000\000\000\000\000\000\000\000\066\203\177\000\000"}
        path = 0x7fd8a9262c "/usr/lib/firefox/browser/omni.ja"
        ar = <optimised out>
        appOmni = {<nsCOMPtr_base> = {mRawPtr = 0x7f7e951640}, <No data fields>}
#25 0x0000007f81c7b888 in XRE_InitChildProcess (aArgc=7, aArgv=0x7fd8a91c38, aProcess=GeckoProcessType_Content) at /build/buildd/firefox-33.0+build2/toolkit/xre/nsEmbedFunctions.cpp:451
        end = 0x7fd8a92672 ""
        parentHandle = 2244
        exitManager = {lock_ = {lock_ = {os_lock_ = {__data = {__lock = 0, __count = 0, __owner = 0, __nusers = 0, __kind = 0, __spins = 0, __list = {__prev = 0x0, __next = 0x0}}, __size = '\000' <repeats 47 times>, __align = 0}}}, stack_ = std::stack wrapping: std::deque with 1 elements = {{func_ = 0x7f80d90220 <base::LazyInstance<base::ThreadLocalPointer<NotificationService>, base::DefaultLazyInstanceTraits<base::ThreadLocalPointer<NotificationService> > >::OnExit(void*)>, param_ = 0x7f833c10f8 <_ZL12lazy_tls_ptr>}}, next_manager_ = 0x0}
        rv = <optimised out>
        notificationService = {observers_ = {std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements, std::map with 0 elements}}
        parentPIDString = <optimised out>
        parentPID = <optimised out>
#26 0x0000007f83425f34 in main (argc=8, argv=0x7fd8a91c38) at /build/buildd/firefox-33.0+build2/ipc/app/MozillaRuntimeMain.cpp:147
        proctype = <optimised out>
        rv = <optimised out>
(gdb) 




Expected results:

I did not expect the crash.

Steve Capper

Reporter

Updated

•

10 years ago

Severity: normal → major

Keywords: 64bit

Hardware: x86_64 → Other

Loic

Updated

•

10 years ago

Component: Untriaged → jemalloc

Product: Firefox → Core

Loic

Updated

•

10 years ago

Severity: major → critical

Keywords: crash

Raphaël Hertzog

Comment 1

•

8 years ago

There's a patch available that is in use by some distributions:
https://github.com/archlinuxarm/PKGBUILDs/blob/master/extra/firefox/aarch64-no-static-sizes.patch

BTW, Debian has a similar patch for powerpc:
https://anonscm.debian.org/cgit/pkg-mozilla/iceweasel.git/tree/debian/patches/porting/Make-powerpc-not-use-static-page-sizes-in-mozjemallo.patch

It would be nice to get this fixed.

Makoto Kato [:m_kato]

Assignee

Updated

•

8 years ago

Depends on: 963028

Makoto Kato [:m_kato]

Assignee

Updated

•

8 years ago

Status: UNCONFIRMED → NEW

Ever confirmed: true

Makoto Kato [:m_kato]

Assignee

Comment 2

•

8 years ago

Attached file MozReview Request: Bug 1091515 - Don't set 64KB page size on aarch64. r?glandium — Details

Linux/aarch64 supports vairous page size configuration.

(From https://www.kernel.org/doc/Documentation/arm64/memory.txt)
- 4KB + 3 levels
- 4KB + 4 levels
- 64KB + 2 leves

So we shouldn't set fixed 64KB page size on aarch64.

Review commit: https://reviewboard.mozilla.org/r/44287/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/44287/

Attachment #8738083 - Flags: review?(mh+mozilla)

Makoto Kato [:m_kato]

Assignee

Updated

•

8 years ago

Assignee: nobody → m_kato

Mike Hommey [:glandium]

Updated

•

8 years ago

Attachment #8738083 - Flags: review?(mh+mozilla) → review+

Mike Hommey [:glandium]

Comment 3

•

8 years ago

Comment on attachment 8738083 [details]
MozReview Request: Bug 1091515 - Don't set 64KB page size on aarch64. r?glandium

https://reviewboard.mozilla.org/r/44287/#review41159

Pulsebot

Comment 4

•

8 years ago

https://hg.mozilla.org/integration/mozilla-inbound/rev/c111173a1b98

Carsten Book [:Tomcat]

Comment 5

•

8 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/c111173a1b98

Status: NEW → RESOLVED

Closed: 8 years ago

status-firefox48: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla48

Bugzilla

Quick Search

Firefox jemalloc assumes a 64K PAGE_SIZE for AArch64, can cause crashes when running with 4K pages

Categories

(Core :: Memory Allocator, defect)

Tracking

()

People

(Reporter: steve.capper, Assigned: m_kato)

References

Details

(Keywords: 64bit, crash)

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Updated

Updated

Updated

Comment 1

Updated

Updated

Comment 2

Updated

Updated

Comment 3

Comment 4

Comment 5

Attachment

General

Description

File Name

Content Type