Closed Bug 1561832 Opened 5 years ago Closed 5 years ago

Nursery poisoning (and asan calls) are inconsistent with nursery sizing

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla69

Tracking Flags:

Tracking

Status

firefox-esr60

---

unaffected

firefox-esr68

---

wontfix

firefox68

---

wontfix

firefox69

---

fixed

People

(Reporter: pbone, Assigned: pbone)

References

(Regression)

Details

(Keywords: regression)

Attachments

(1 file)

Bug 1561832 - Separate setting the current chunk from poisoning it r=jonco 5 years ago Paul Bone [:pbone] 47 bytes, text/x-phabricator-request		Details \| Review

Paul Bone [:pbone]

Assignee

Description

•

5 years ago

During a minor GC the following operations occur.

..actual collection..
clear()
** poison the allocated ranges of all chunks, this also marks them as inaccessable for asan.
** set the current chunk and current position to the 1st chunk and start() of that chunk.
*** this re-poisons with the init pattern and marks the may-be accessed area of the first chunk as uninitialised.
maybeResizeNursery()
** Choose new size and set the capacity_ and currentEnd_ members.

Note that the new size might be more than the re-poisioned and marked-valid area in the previous step. But this never causes an asan failure because the first time the chunk it setup it is set as completely uninitialised, regardless of how much of that chunk we will actually use. Regardless of what resizes the nursery goes through it will now never access inaccessable memory, nevertheless this ought to be fixed and will help with getting asan right in Bug 1506733.

Paul Bone [:pbone]

Assignee

Comment 1

•

5 years ago

Attached file Bug 1561832 - Separate setting the current chunk from poisoning it r=jonco — Details

This allows us to run the poisoning code after resizing the nursery,
ensuring that the correct region of that chunk is poisoned, fixing the bug.

This also simplifies the logic around how much of the nursery to poison, we
always poison the valid region of the nursery regardless of how much was
used (removing an earlier optimisation).

Depends on D36314

Paul Bone [:pbone]

Assignee

Comment 2

•

5 years ago

Interesting, I'm seeing some asan failures on try:

https://treeherder.mozilla.org/#/jobs?repo=try&revision=69e9c25d9dde7f3f4a215aa6c29a683a9c4b3224&selectedJob=253918619

I wonder if this is a problem with my patch or they're existing problems that are now getting detected. I'll find out on Monday.

Paul Bone [:pbone]

Assignee

Updated

•

5 years ago

Blocks: 1562550

Paul Bone [:pbone]

Assignee

Updated

•

5 years ago

Blocks: 1562551

Pulsebot

Comment 3

•

5 years ago

Pushed by pbone@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/75e28014a6bb
Separate setting the current chunk from poisoning it r=jonco

Raul Gurzau (:RaulG)

Comment 4

•

5 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/75e28014a6bb

Status: ASSIGNED → RESOLVED

Closed: 5 years ago

status-firefox69: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla69

Ryan VanderMeulen [:RyanVM]

Updated

•

5 years ago

status-firefox68: --- → wontfix

status-firefox-esr60: --- → unaffected

status-firefox-esr68: --- → wontfix

BugBot [:suhaib / :marco/ :calixte]

Updated

•

2 years ago

Has Regression Range: --- → yes

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

Nursery poisoning (and asan calls) are inconsistent with nursery sizing

Categories

(Core :: JavaScript: GC, defect, P1)

Tracking

()

People

(Reporter: pbone, Assigned: pbone)

References

(Regression)

Details

(Keywords: regression)

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Comment 1

Comment 2

Updated

Updated

Comment 3

Comment 4

Updated

Updated

Attachment

General

Description

File Name

Content Type