Closed
Bug 1339677
Opened 8 years ago
Closed 8 years ago
Add sanity checks to debug MozPromise crashes
Categories
(Core :: XPCOM, defect)
Core
XPCOM
Tracking
()
RESOLVED
FIXED
mozilla54
People
(Reporter: jwwang, Assigned: jwwang)
References
Details
Attachments
(6 files)
59 bytes,
text/x-review-board-request
|
mozbugz
:
review+
|
Details |
59 bytes,
text/x-review-board-request
|
mozbugz
:
review+
|
Details |
59 bytes,
text/x-review-board-request
|
mozbugz
:
review+
|
Details |
59 bytes,
text/x-review-board-request
|
mozbugz
:
review+
|
Details |
13.58 KB,
patch
|
jwwang
:
review+
lizzard
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
13.64 KB,
patch
|
jwwang
:
review+
lizzard
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
See bug 1338025. We want to add some checks to clarify if this is a MozPromise bug or some memory corruption.
Assignee | ||
Updated•8 years ago
|
Assignee: nobody → jwwang
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Assignee | ||
Updated•8 years ago
|
Attachment #8837897 -
Flags: review?(gsquelart)
Attachment #8837898 -
Flags: review?(gsquelart)
Attachment #8837899 -
Flags: review?(gsquelart)
Attachment #8837900 -
Flags: review?(gsquelart)
Comment 5•8 years ago
|
||
mozreview-review |
Comment on attachment 8837897 [details]
Bug 1339677. Part 1 - assert DoResolveOrReject() is called on the target thread and use stronger assertions.
https://reviewboard.mozilla.org/r/112894/#review114386
Attachment #8837897 -
Flags: review?(gsquelart) → review+
Comment 6•8 years ago
|
||
mozreview-review |
Comment on attachment 8837897 [details]
Bug 1339677. Part 1 - assert DoResolveOrReject() is called on the target thread and use stronger assertions.
https://reviewboard.mozilla.org/r/112894/#review114390
Will you uplift the new MOZ_DIAGNOSTIC_ASSERT's? (Since they would be more useful in Aurora and Beta)
Comment 7•8 years ago
|
||
mozreview-review |
Comment on attachment 8837898 [details]
Bug 1339677. Part 2 - some code cleanup and remove unnecessary scope qualifiers.
https://reviewboard.mozilla.org/r/112896/#review114392
Attachment #8837898 -
Flags: review?(gsquelart) → review+
Comment 8•8 years ago
|
||
mozreview-review |
Comment on attachment 8837899 [details]
Bug 1339677. Part 3 - add some sanity checks.
https://reviewboard.mozilla.org/r/112898/#review114396
r+ with suggestions:
::: xpcom/threads/MozPromise.h:428
(Diff revision 1)
> }
> }
>
> RefPtr<AbstractThread> mResponseTarget; // May be released on any thread.
> +#ifdef PROMISE_DEBUG
> + uint32_t mMagic1 = 0xdeadbeef;
0xDEADBEEF is usually used to indicate dead memory, but here you're using it as a "live" indicator.
More seriously, it's used elsewhere in our code to poison memory, so in the worst case your tests could pass when the promise has been deliberately overwritten with DEADBEEFs!
So I would suggest using another random value, through a constant.
I would also suggest you implement destructors that set these members to a different special value, to catch UAFs when the promise's memory has not (yet) been overwritten.
Attachment #8837899 -
Flags: review?(gsquelart) → review+
Comment 9•8 years ago
|
||
mozreview-review |
Comment on attachment 8837900 [details]
Bug 1339677. Part 4 - check if mMutex.mLock is tampered.
https://reviewboard.mozilla.org/r/112900/#review114398
r+ with suggestion:
::: xpcom/threads/Mutex.h:32
(Diff revision 1)
> +template<typename, typename, bool>
> +class MozPromise;
I believe you don't actually need to forward-declare MozPromise here, the friend declaration inside OffTheBooksMutex should be enough.
Attachment #8837900 -
Flags: review?(gsquelart) → review+
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Assignee | ||
Comment 14•8 years ago
|
||
Thanks for the review!
Comment 15•8 years ago
|
||
Pushed by jwwang@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/241efbf6fcc9
Part 1 - assert DoResolveOrReject() is called on the target thread and use stronger assertions. r=gerald
https://hg.mozilla.org/integration/autoland/rev/dc5b70d15e11
Part 2 - some code cleanup and remove unnecessary scope qualifiers. r=gerald
https://hg.mozilla.org/integration/autoland/rev/d1807b8f31dc
Part 3 - add some sanity checks. r=gerald
https://hg.mozilla.org/integration/autoland/rev/df87366fda49
Part 4 - check if mMutex.mLock is tampered. r=gerald
Comment 16•8 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/241efbf6fcc9
https://hg.mozilla.org/mozilla-central/rev/dc5b70d15e11
https://hg.mozilla.org/mozilla-central/rev/d1807b8f31dc
https://hg.mozilla.org/mozilla-central/rev/df87366fda49
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox54:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
Assignee | ||
Comment 17•8 years ago
|
||
Approval Request Comment
[Feature/Bug causing the regression]:1339677
[User impact if declined]: a debugging patch for bug 1257921
[Is this code covered by automated tests?]:yes
[Has the fix been verified in Nightly?]:yes
[Needs manual test from QE? If yes, steps to reproduce]: no
[List of other uplifts needed for the feature/fix]:none
[Is the change risky?]:no
[Why is the change risky/not risky?]:This patch adds some assertions to detect memory corruption and doesn't any functionality.
[String changes made/needed]:
Attachment #8838396 -
Flags: review+
Attachment #8838396 -
Flags: approval-mozilla-aurora?
Assignee | ||
Comment 18•8 years ago
|
||
Approval Request Comment
[Feature/Bug causing the regression]:1339677
[User impact if declined]:a debugging patch for bug 1257921
[Is this code covered by automated tests?]:yes
[Has the fix been verified in Nightly?]:yes
[Needs manual test from QE? If yes, steps to reproduce]: no
[List of other uplifts needed for the feature/fix]:none
[Is the change risky?]:no
[Why is the change risky/not risky?]:This patch adds some assertions to detect memory corruption and doesn't any functionality.
[String changes made/needed]:none
Attachment #8838397 -
Flags: review+
Attachment #8838397 -
Flags: approval-mozilla-beta?
Comment 19•8 years ago
|
||
Comment on attachment 8838396 [details] [diff] [review]
1339677_aurora_fix.patch
Should be helpful for crash diagnosis, let's uplift.
Attachment #8838396 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 20•8 years ago
|
||
Comment on attachment 8838397 [details] [diff] [review]
1339677_beta_fix.patch
A little scary but let's take this for beta 8 to help with crash diagnosis.
Attachment #8838397 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 21•8 years ago
|
||
bugherder uplift |
status-firefox53:
--- → fixed
Comment 22•8 years ago
|
||
bugherder uplift |
status-firefox52:
--- → fixed
Comment 23•8 years ago
|
||
bugherder uplift |
status-firefox-esr52:
--- → fixed
You need to log in
before you can comment on or make changes to this bug.
Description
•