Closed Bug 1528320 Opened 6 years ago Closed 6 years ago

XDR-decoding can produce incorrect track-record-replay-progress flag

Categories

(Core Graveyard :: Web Replay, defect)

Product:
Core Graveyard
Component:
Web Replay
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(firefox67 fixed)

Status:
RESOLVED FIXED
Milestone:
mozilla67
Tracking Flags:
Tracking Status
firefox67 --- fixed

People

(Reporter: bhackett1024, Assigned: bhackett1024)

References

Details

Attachments

(1 file, 2 obsolete files)

patch
6.72 KB, patch
tcampbell
: review+
Details | Diff | Splinter Review
Attached patch patch (obsolete) — Splinter Review

When a script is XDR-decoded, its immutable flags (including whether to track record/replay progress) are set to those of the script which did the XDR-encoding. If the XDR-encoded script and XDR-decoded script are in processes with different values for IsRecordingOrReplaying(), we can get either incorrect behavior (progress values not being tracked when they should be) or crashes at null (calling a non-existent function pointer to get the progress counter address). I think this is causing some recent crashes.

The attached patch fixes this by resetting the flag after setting the immutable flags during XDR-decoding.

Attachment #9044237 - Flags: review?(jdemooij)
Comment on attachment 9044237 [details] [diff] [review] patch Review of attachment 9044237 [details] [diff] [review]: ----------------------------------------------------------------- Hm can you make this a mutable flag? Then we need to copy it in CopyScript but we don't need to change XDR and I think it's a bit more idiomatic.
Attachment #9044237 - Flags: review?(jdemooij)

And sorry, I should have realized this :/

Attached patch patch (obsolete) — Splinter Review

Updated patch. I don't think this needs to be updated in CopyScript, because CopyScript doesn't change the script's source object.

Attachment #9044237 - Attachment is obsolete: true
Attachment #9044659 - Flags: review?(jdemooij)

(In reply to Brian Hackett (:bhackett) from comment #3)

I don't think this needs to be updated in CopyScript, because CopyScript doesn't change the script's source object.

CopyScript doesn't copy the mutable flags so if we don't copy the flag explicitly we introduce a difference in behavior.

Thinking about it more, we should also fix the Ion code here to keep TSan from complaining:

https://searchfox.org/mozilla-central/rev/05d4b6962a571585bd679d2bbb0df0a5fb4e4eff/js/src/jit/shared/CodeGenerator-shared.cpp#124

Can you cache this flag on the CompileInfo?

(In reply to Jan de Mooij [:jandem] from comment #4)

(In reply to Brian Hackett (:bhackett) from comment #3)

I don't think this needs to be updated in CopyScript, because CopyScript doesn't change the script's source object.

CopyScript doesn't copy the mutable flags so if we don't copy the flag explicitly we introduce a difference in behavior.

CopyScript operates on a destination script that went through CreateEmptyScriptForClone(), which calls JSScript::Create, which sets the TrackRecordReplayProgress flag. The source object used in this path (which affects whether the flag is set) is the one which the script will ultimately have, so the flag should already be set correctly by the time we get to CopyScript.

Thinking about it more, we should also fix the Ion code here to keep TSan from complaining:

https://searchfox.org/mozilla-central/rev/05d4b6962a571585bd679d2bbb0df0a5fb4e4eff/js/src/jit/shared/CodeGenerator-shared.cpp#124

Can you cache this flag on the CompileInfo?

I guess so, but I'm starting to feel that the original patch I wrote is the best fix here.

Comment on attachment 9044237 [details] [diff] [review] patch Asking r? for this patch again. This crash is affecting users and it would be nice to get this fix into the tree, which is the most direct way of addressing the problem. I also feel that despite modifying XDR, this is the fix which best characterizes the issue being addressed. TrackRecordReplayProgress is an immutable property of a script, and should be in its immutable flags. The issue is that unlike other immutable flags on the script, it is not valid to save/restore to a script in another process via XDR.
Attachment #9044237 - Flags: review?(jdemooij)
Attachment #9044237 - Attachment is obsolete: false
Attachment #9044659 - Attachment is obsolete: true
Attachment #9044659 - Flags: review?(jdemooij)
Comment on attachment 9044237 [details] [diff] [review] patch Ted is doing a lot of XDR/CopyScript cleanup these days so I'll forward to him.
Attachment #9044237 - Flags: review?(jdemooij) → review?(tcampbell)

In Bug 1525505, we fixed the issue of calling JSScript::Create with a bogus SSO. I believe that now that this is done, the best fix for this recordreplay bug is to simply move the |TrackRecordReplayProgress| flag to be a MutableFlag. The JSScript::Create function will compute the flag based on the SSO each time, and it will not be unnecessarily copied by XDR.

I'd like to maintain that ImmutableFlags are flags that are XDR-safe and be part of the input of an eventual pure parsing function.

In Bug 1525924, I've reworked the XDRScript code.
In Bug 1528964, I've reworked the CopyScript code.

Depends on: 1525505

Brian, with Bug 1525502 landed, does simply changing TrackRecordReplayProgress to MutableFlags fix the bug?

Flags: needinfo?(bhackett1024)
Attached patch patchSplinter Review

This patch makes TrackRecordReplayProgress a mutable flag, though I hesitate to call it simple.

Attachment #9044237 - Attachment is obsolete: true
Attachment #9044237 - Flags: review?(tcampbell)
Flags: needinfo?(bhackett1024)
Attachment #9045449 - Flags: review?(tcampbell)
Comment on attachment 9045449 [details] [diff] [review] patch Review of attachment 9045449 [details] [diff] [review]: ----------------------------------------------------------------- Thanks for making the change! I mistakenly assumed the MutableFlag support in JIT was already implemented. This will also save me from introducing more regressions here as I wrangle JSScript/LazyScript/XDRScript/CopyScript to stop having subtle variations in behaviour.
Attachment #9045449 - Flags: review?(tcampbell) → review+
Pushed by bhackett@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/133c2fc80e9c Ensure correct record/replay progress flag after XDR-decoding a script, r=tcampbell.
Pushed by bhackett@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/241d2964ae96 Ensure correct record/replay progress flag after XDR-decoding a script, r=tcampbell.

https://hg.mozilla.org/mozilla-central/rev/241d2964ae96

Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox67: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
Flags: needinfo?(bhackett1024)
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: