Closed Bug 1561832 Opened 1 year ago Closed 1 year ago

Nursery poisoning (and asan calls) are inconsistent with nursery sizing


(Core :: JavaScript: GC, defect, P1)




Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- wontfix
firefox68 --- wontfix
firefox69 --- fixed


(Reporter: pbone, Assigned: pbone)




(Keywords: regression)


(1 file)

During a minor GC the following operations occur.

  • (actual collection)
  • clear()
    ◦ poison the allocated ranges of all chunks; this also marks them as inaccessible for asan.
    ◦ set the current chunk and current position to the 1st chunk and start() of that chunk.
      ▪ this re-poisons with the init pattern and marks the may-be-accessed area of the first chunk as uninitialised.
  • maybeResizeNursery()
    ◦ Choose new size and set the capacity_ and currentEnd_ members.

Note that the new size might be more than the re-poisoned and marked-valid area in the previous step. But this never causes an asan failure because the first time the chunk is set up it is set as completely uninitialised, regardless of how much of that chunk we will actually use. Regardless of what resizes the nursery goes through it will now never access inaccessible memory; nevertheless this ought to be fixed and will help with getting asan right in Bug 1506733.

This allows us to run the poisoning code after resizing the nursery,
ensuring that the correct region of that chunk is poisoned, fixing the bug.

This also simplifies the logic around how much of the nursery to poison: we
always poison the valid region of the nursery regardless of how much was
used (removing an earlier optimisation).

Depends on D36314
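To make the ordering problem concrete, here is a single-chunk model of the minor GC steps listed in the report (poison the allocated range, set the current chunk, resize) under the old ordering and under the fixed ordering where poisoning runs after the resize. This is an added illustration, not SpiderMonkey code: the chunk size, the poison and stale-data byte patterns, the `accessible` bitmap standing in for ASan state, and all helper names (`poisonAllocated`, `setCurrentChunkAndPoison`, `minorGcOldOrder`, `minorGcFixedOrder`, and so on) are constructed for the model.

```cpp
// Added example, not SpiderMonkey code: a one-chunk model of clear() followed
// by maybeResizeNursery(), used to count which bytes of the usable region end
// up carrying the fresh-nursery pattern. All sizes, patterns and names below
// are constructed for the model.
#include <cstddef>
#include <cstdint>
#include <vector>

namespace model {

constexpr size_t kChunkSize = 256;       // constructed; real chunks are larger
constexpr uint8_t kFreshPoison = 0x4F;   // stands in for the "init" pattern
constexpr uint8_t kStaleData = 0xAA;     // stands in for data from a previous cycle

struct Nursery {
  std::vector<uint8_t> bytes;     // contents of the (single) chunk
  std::vector<bool> accessible;   // models the ASan "may be accessed" state
  size_t position = 0;            // allocation cursor within the chunk
  size_t capacity = 0;            // usable bytes (models capacity_ / currentEnd_)

  explicit Nursery(size_t initialCapacity)
      : bytes(kChunkSize, kStaleData),
        accessible(kChunkSize, true),  // chunk setup: whole chunk uninitialised
        capacity(initialCapacity) {}

  // Fill [begin, end) with the fresh pattern and set its ASan state.
  void poisonRange(size_t begin, size_t end, bool makeAccessible) {
    for (size_t i = begin; i < end; i++) {
      bytes[i] = kFreshPoison;
      accessible[i] = makeAccessible;
    }
  }

  // Step 1 of clear(): poison the allocated range, make it inaccessible.
  void poisonAllocated() { poisonRange(0, position, false); }

  // Old step 2 of clear(): reset the cursor and poison/unlock the usable
  // region of the first chunk, i.e. the capacity *before* the resize.
  void setCurrentChunkAndPoison() {
    position = 0;
    poisonRange(0, capacity, true);
  }

  // After the fix, setting the current chunk only resets the cursor...
  void setCurrentChunk() { position = 0; }
  // ...and poisoning the usable region is a separate step run after resizing.
  void poisonCurrentChunk() { poisonRange(0, capacity, true); }

  // maybeResizeNursery(): pick the new capacity.
  void resize(size_t newCapacity) { capacity = newCapacity; }

  // Bytes of the usable region that do not carry the fresh pattern.
  size_t unpoisonedUsableBytes() const {
    size_t n = 0;
    for (size_t i = 0; i < capacity; i++) {
      if (bytes[i] != kFreshPoison) n++;
    }
    return n;
  }

  // True if the modelled ASan state allows touching the whole usable region.
  bool usableRegionAccessible() const {
    for (size_t i = 0; i < capacity; i++) {
      if (!accessible[i]) return false;
    }
    return true;
  }
};

// The ordering described in the bug: both steps of clear(), then resize.
Nursery minorGcOldOrder(size_t oldCap, size_t used, size_t newCap) {
  Nursery n(oldCap);
  n.position = used;  // simulate allocations made since the last minor GC
  n.poisonAllocated();
  n.setCurrentChunkAndPoison();
  n.resize(newCap);
  return n;
}

// The fixed ordering from the patch: resize first, poison afterwards.
Nursery minorGcFixedOrder(size_t oldCap, size_t used, size_t newCap) {
  Nursery n(oldCap);
  n.position = used;
  n.poisonAllocated();
  n.setCurrentChunk();
  n.resize(newCap);
  n.poisonCurrentChunk();
  return n;
}

}  // namespace model
```

Growing the nursery from 64 to 128 bytes under the old ordering leaves the 64 bytes between the old and new capacity holding stale data rather than the fresh pattern, yet `usableRegionAccessible()` still reports true because the whole chunk was marked uninitialised when it was first set up, which is exactly why the report says ASan never complained. Shrinking under the old ordering merely poisons more than needed. Under the fixed ordering the whole usable region is poisoned in both cases.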

Interesting, I'm seeing some asan failures on try:

I wonder if this is a problem with my patch or they're existing problems that are now getting detected. I'll find out on Monday.

Blocks: 1562550
Blocks: 1562551
Pushed by
Separate setting the current chunk from poisoning it r=jonco
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla69