Bug 1471589 (Closed) - Check that we do not insert overlapping memory regions in diagnostic builds.
Opened 6 years ago, closed 6 years ago
Categories: Core :: JavaScript Engine, enhancement
Status: RESOLVED FIXED
Target Milestone: mozilla63
People: Reporter: nbp, Assigned: nbp
Keywords: sec-want
Whiteboard: [post-critsmash-triage][adv-main63-]
Attachments (1 file): attachment 8988156, patch, 1.82 KB, tcampbell: review+
(reasoning in Bug 1263794 comment 34) LifoAlloc is registering memory regions in the Memory Protection mechanism; we want to double-check that we do not insert multiple memory regions with the same addresses. Memory regions are registered by the BumpChunk constructor and removed by the BumpChunk destructor. BumpChunk lifetime is handled only with UniquePtr classes. Therefore, if this assertion happens in the wild, it would imply that we have live allocations with overlapping memory ranges.
Comment 1 (Assignee)•6 years ago
Attachment #8988156 - Flags: review?(tcampbell)
Comment 2•6 years ago
Comment on attachment 8988156 [details] [diff] [review]
Ensure that ranges do not overlap in diagnostic builds.
Review of attachment 8988156 [details] [diff] [review]:
Good idea
Attachment #8988156 - Flags: review?(tcampbell) → review+
Comment 3 (Assignee)•6 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/77d45de84983
Comment 4 (Assignee)•6 years ago
We should see this assertion with the following crash-stat search: https://crash-stats.mozilla.com/search/?moz_crash_reason=~cmp&date=%3E%3D2018-06-20T15%3A03%3A55.000Z&date=%3C2018-09-30T15%3A03%3A00.000Z&page=1&_sort=-date&_facets=signature&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-signature
Comment 5•6 years ago
https://hg.mozilla.org/mozilla-central/rev/77d45de84983
Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox63:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
Updated•6 years ago
status-firefox61:
--- → wontfix
status-firefox62:
--- → wontfix
status-firefox-esr52:
--- → wontfix
status-firefox-esr60:
--- → wontfix
Comment 6 (Assignee)•6 years ago
In the last 16 days, this assertion triggered only twice on Nightlies (Mac & Windows). Unfortunately, it is not expected to produce any more crashes, since the memory protection (Bug 1437600) is going away. The last crash [1], on Windows, reports that we had already allocated a 12k BumpChunk, and that we are trying to register a new allocation aligned at the same address with a size of 4k. So jemalloc does provide twice the same pointer, but we have no way to know if this is a wrong-ptr free or a double free. However, the frequency of this issue is not enough to explain what is observed in LifoAlloc issues. [1] https://crash-stats.mozilla.com/report/index/f1f1378e-a069-4596-907e-1b9ee01807202
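The overlap check described in the bug description and the crash report in comment 6, as an added stand-alone model. This is example code written for this page, not the attached patch and not SpiderMonkey's LifoAlloc or memory-protection code: `RegionRegistry`, `Chunk`, `kBase` and the sample address are assumed names and values. The registry keeps live ranges sorted by start address and rejects any insert that overlaps a live range (including the "same pointer while the old chunk is still registered" case from comment 6); the `Chunk` wrapper mirrors the BumpChunk constructor/destructor lifetime so that the same address becomes legal again only after the owning `unique_ptr` has destroyed the previous chunk.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <iterator>
#include <map>
#include <memory>

// Hypothetical registry of live memory regions, keyed by start address.
// Stand-alone model for this page, not SpiderMonkey's code.
class RegionRegistry {
  std::map<uintptr_t, size_t> regions_;  // start -> size, sorted by start

 public:
  // Register [addr, addr + size). Returns false (where a diagnostic build
  // would assert) if the range is empty, wraps, or overlaps a live region.
  bool insert(uintptr_t addr, size_t size) {
    if (size == 0 || addr + size < addr) {
      return false;
    }
    const uintptr_t end = addr + size;

    // First region starting at or after addr must start at or after our end.
    auto next = regions_.lower_bound(addr);
    if (next != regions_.end() && next->first < end) {
      return false;  // covers the "same start address" case from comment 6
    }
    // Region starting before addr must end at or before addr.
    if (next != regions_.begin()) {
      auto before = std::prev(next);
      if (before->first + before->second > addr) {
        return false;
      }
    }
    regions_.emplace(addr, size);
    return true;
  }

  // Unregister the region starting exactly at addr. Returns false if absent.
  bool remove(uintptr_t addr) { return regions_.erase(addr) == 1; }

  size_t count() const { return regions_.size(); }
};

// RAII chunk in the spirit of BumpChunk: the constructor registers the range
// and the destructor unregisters it, so a live Chunk always owns its range.
struct Chunk {
  RegionRegistry& reg;
  uintptr_t addr;
  bool registered;

  Chunk(RegionRegistry& r, uintptr_t a, size_t s)
      : reg(r), addr(a), registered(r.insert(a, s)) {}
  ~Chunk() {
    if (registered) {
      reg.remove(addr);
    }
  }
  Chunk(const Chunk&) = delete;
  Chunk& operator=(const Chunk&) = delete;
};

constexpr uintptr_t kBase = 0x7f0000000000;  // constructed sample address
constexpr size_t kKiB = 1024;

// Replays the comment 6 report: a 12 KiB chunk is live when the allocator
// hands back the same pointer for a 4 KiB chunk. True if the check fires.
bool replayReportedOverlap() {
  RegionRegistry reg;
  Chunk first(reg, kBase, 12 * kKiB);
  Chunk second(reg, kBase, 4 * kKiB);  // same address while `first` is alive
  return first.registered && !second.registered && reg.count() == 1;
}

// Partial overlaps from either side are rejected; exact adjacency is fine.
bool partialOverlapRejectedAdjacencyAllowed() {
  RegionRegistry reg;
  Chunk live(reg, kBase, 12 * kKiB);
  bool partial = reg.insert(kBase + 8 * kKiB, 8 * kKiB);    // [8K,16K) hits [0,12K)
  bool below = reg.insert(kBase - 4 * kKiB, 8 * kKiB);      // [-4K,4K) hits [0,12K)
  bool adjacent = reg.insert(kBase + 12 * kKiB, 4 * kKiB);  // starts exactly at end
  return live.registered && !partial && !below && adjacent;
}

// Correct lifetime: once the owning unique_ptr drops the first chunk, the
// same address may be registered again without tripping the check.
bool reuseAfterDestroyAllowed() {
  RegionRegistry reg;
  {
    auto first = std::make_unique<Chunk>(reg, kBase, 12 * kKiB);
    if (!first->registered) {
      return false;
    }
  }  // destructor unregisters [kBase, kBase + 12K)
  Chunk second(reg, kBase, 4 * kKiB);
  return second.registered && reg.count() == 1;
}

int main() {
  std::printf("same-address overlap detected: %s\n", replayReportedOverlap() ? "yes" : "no");
  std::printf("partial rejected, adjacent ok: %s\n", partialOverlapRejectedAdjacencyAllowed() ? "yes" : "no");
  std::printf("reuse after destroy ok: %s\n", reuseAfterDestroyAllowed() ? "yes" : "no");
  return 0;
}
```

The model returns `false` where a diagnostic build would assert, so the failure modes can be exercised without crashing; the key property is that a rejected insert means the caller is holding a pointer that another live chunk already owns, which is exactly the signal the bug's assertion was added to surface (and which, as comment 6 notes, cannot by itself distinguish a wrong-pointer free from a double free).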
Updated•6 years ago
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Updated•6 years ago
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main63-]
Updated•5 years ago
Group: core-security-release