Crash [@ js::jit::ExecutableAllocator::reprotectPool] should use AutoEnterOOMUnsafeRegion instead of MOZ_CRASH
Categories
(Core :: JavaScript Engine, defect)
Tracking
Version | Tracking | Status
---|---|---
firefox-esr60 | --- | unaffected |
firefox-esr68 | --- | unaffected |
firefox67 | --- | unaffected |
firefox68 | --- | unaffected |
firefox69 | --- | unaffected |
firefox70 | --- | unaffected |
firefox71 | --- | fixed |
People
(Reporter: decoder, Assigned: jandem)
Details
(Keywords: crash, testcase)
Attachments
(1 file)
We sometimes hit crashes in the ExecutableAllocator that seem to indicate that we are OOMing. The current implementation has a MOZ_CRASH() call in place; it should probably use AutoEnterOOMUnsafeRegion instead so the fuzzers will ignore the crash entirely.
The specific line that we are crashing at is here:
Comment 2•5 years ago
While I agree that this is an OOM and not a crash, I want to share what I learned when abusing mprotect calls on LifoAlloc buffers:
- Linux reports an OOM properly.
- Windows reports that arguments are incorrect.
- Mac crashes within mprotect.
Thus, if we see frequent cases of these crashes in crash stats, we should probably look at a different way to handle the granularity of mprotect calls, to avoid having too much fragmentation.
Maybe a workaround or fallback would be to split our reserved space in N chunks of multiple MB to avoid the fragmentation.
Comment 3•5 years ago
mprotect is fallible and this makes it easier for fuzzers to deal with.
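As an added illustration of the fallible handling the report and comments ask for (this is example code written here, not code from the bug, the patch, or SpiderMonkey; `reprotect_pool`, the status enum and the demo helpers are hypothetical names chosen for this example), the following C program wraps mprotect so that a failure is returned to the caller as a status, with errno preserved for diagnostics, instead of aborting. The ENOMEM-versus-other split follows comment 2's observation that Linux reports the exhaustion case as an OOM; the hole-punching demo reproduces that case, while the misaligned-address demo shows the "bad arguments" path that should remain a real bug rather than be treated as OOM.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Result of reprotecting a pool. The caller, not the allocator, decides what
   a failure means; nothing in this file aborts the process. */
typedef enum {
    REPROTECT_OK = 0,
    REPROTECT_OOM = 1,       /* errno == ENOMEM: treat as out-of-memory */
    REPROTECT_BAD_ARGS = 2   /* any other errno (EINVAL, EACCES, ...): a caller bug */
} ReprotectStatus;

/* Fallible stand-in for a reprotect routine (hypothetical name, not SpiderMonkey's).
   Returns a status and stores errno for diagnostics instead of crashing. */
ReprotectStatus reprotect_pool(void *addr, size_t len, int prot, int *saved_errno) {
    if (mprotect(addr, len, prot) == 0) {
        return REPROTECT_OK;
    }
    int e = errno;
    if (saved_errno) {
        *saved_errno = e;
    }
    /* Linux reports ENOMEM when the range contains unmapped pages or the kernel
       cannot split the mapping; that is the OOM-like case from comment 2. */
    return e == ENOMEM ? REPROTECT_OOM : REPROTECT_BAD_ARGS;
}

static size_t page_size(void) {
    long ps = sysconf(_SC_PAGESIZE);
    return ps > 0 ? (size_t)ps : 4096;
}

/* Map `pages` anonymous, writable pages; NULL on failure. */
static void *alloc_pool(size_t pages) {
    void *p = mmap(NULL, pages * page_size(), PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}

/* A well-formed request: expected REPROTECT_OK. Returns -1 if mmap fails. */
int demo_valid_reprotect(void) {
    size_t ps = page_size();
    void *pool = alloc_pool(1);
    if (!pool) return -1;
    ReprotectStatus s = reprotect_pool(pool, ps, PROT_READ, NULL);
    munmap(pool, ps);
    return (int)s;
}

/* A misaligned address: POSIX requires EINVAL, so expected REPROTECT_BAD_ARGS. */
int demo_misaligned_reprotect(void) {
    size_t ps = page_size();
    void *pool = alloc_pool(1);
    if (!pool) return -1;
    ReprotectStatus s = reprotect_pool((char *)pool + 1, 16, PROT_READ, NULL);
    munmap(pool, ps);
    return (int)s;
}

/* A range with a hole (middle page unmapped): on Linux mprotect fails with
   ENOMEM, i.e. REPROTECT_OOM; other systems may report it differently, but
   the call must not succeed. Returns -1 if mmap fails. */
int demo_hole_reprotect(void) {
    size_t ps = page_size();
    char *pool = alloc_pool(3);
    if (!pool) return -1;
    munmap(pool + ps, ps);                    /* punch a hole in the middle */
    ReprotectStatus s = reprotect_pool(pool, 3 * ps, PROT_READ, NULL);
    munmap(pool, ps);                         /* release the two remaining pages */
    munmap(pool + 2 * ps, ps);
    return (int)s;
}

int main(void) {
    int e = 0;
    char *pool = alloc_pool(1);
    if (!pool) { perror("mmap"); return 1; }
    /* Constructed failure: misaligned address, reported instead of crashing. */
    ReprotectStatus s = reprotect_pool(pool + 1, 16, PROT_READ, &e);
    printf("misaligned reprotect -> status %d, errno %d (%s)\n", (int)s, e, strerror(e));
    munmap(pool, page_size());
    return 0;
}
```

The design choice is to separate the two failure classes at the point where errno is still valid: an ENOMEM result is what an OOM-tolerant caller (the equivalent of an AutoEnterOOMUnsafeRegion site) can report as memory exhaustion, whereas EINVAL from a bad address or length remains a genuine defect worth investigating, so fuzzers filtering OOMs do not hide it.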