Closed
Bug 1450790
Opened 6 years ago
Closed 6 years ago
ASAN use-after-poison violation in WeakCollection_finalize()
Categories
(Core :: JavaScript: GC, defect)
Tracking
()
RESOLVED
FIXED
mozilla61
People
(Reporter: jesup, Assigned: jandem)
References
Details
(Keywords: regression)
Attachments
(1 file)
1.05 KB,
patch
|
sfink
:
review+
|
Details | Diff | Splinter Review |
When starting FF in a debug ASAN build, I hit use-after-poison in WeakCollection_finalize() (it likely doesn't matter, but I'm recovering from a crash and it puts up the sessionrestore query, then crashes). Per jan, this is because we attempt to poison the memory there after calling Poison(this, JS_FREED_HEAP_PTR_PATTERN, sizeof(*this), MemCheckKind::MakeNoAccess); in ~GCPtr() Fallout from bug 1448589. We don't test Debug ASAN builds on Treeherder.... :-(
Assignee | ||
Comment 1•6 years ago
|
||
I do want to understand why we don't see this on shell tests or in fuzzing.
Flags: needinfo?(jdemooij)
Assignee | ||
Comment 2•6 years ago
|
||
FWIW we don't see this on ASan builds on Try even if I enable ~GCPtr in all builds.
Assignee | ||
Comment 3•6 years ago
|
||
(In reply to Jan de Mooij [:jandem] from comment #2) > FWIW we don't see this on ASan builds on Try even if I enable ~GCPtr in all > builds. Actually for this to work I also have to make the #ifdef DEBUG code in WeakCollection_finalize work in opt builds. Will try that too...
Assignee | ||
Comment 4•6 years ago
|
||
WeakCollection_finalize implements its own poisoning in DEBUG builds, but that seems unnecessary: the fop->free_ after that will call into jemalloc which does its own poisoning.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8964553 -
Flags: review?(sphink)
Comment 5•6 years ago
|
||
Comment on attachment 8964553 [details] [diff] [review] Patch Review of attachment 8964553 [details] [diff] [review]: ----------------------------------------------------------------- The poisoning dates from bug 641025, incremental GC. jemalloc has always poisoned, I thought?
Attachment #8964553 -
Flags: review?(sphink) → review+
Reporter | ||
Comment 6•6 years ago
|
||
> The poisoning dates from bug 641025, incremental GC. jemalloc has always
> poisoned, I thought?
We don't/didn't always use jemalloc
Comment 7•6 years ago
|
||
(In reply to Steve Fink [:sfink] [:s:] from comment #5) > The poisoning dates from bug 641025, incremental GC. jemalloc has always > poisoned, I thought? IGC was in 2012. We didn't enable jemalloc poisoning until bug 860254, which landed in 2014.
Pushed by jandemooij@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/e4329ee32328 Remove redundant poisoning in DEBUG builds in WeakCollection_finalize. r=sfink
Comment 9•6 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/e4329ee32328
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox61:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Comment 10•6 years ago
|
||
Doesn't sound like this needs backporting, but feel free to nominate it if that's wrong.
You need to log in
before you can comment on or make changes to this bug.
Description
•