Closed Bug 1691384 Opened 5 years ago Closed 5 years ago

Assertion failure: diff == regind * size, at /builds/firefox-78.7.0/memory/build/mozjemalloc.cpp:2195

Categories

(Core :: Memory Allocator, defect)

78 Branch
defect

Tracking


RESOLVED FIXED
Tracking Status
firefox-esr78 87+ fixed
firefox86 --- unaffected
firefox87 --- unaffected
firefox88 --- unaffected

People

(Reporter: petr.sumbera, Assigned: Gankra)

Details

Attachments

(1 file, 1 obsolete file)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0

Steps to reproduce:

I'm filing this against the 78 branch, but I believe it might be a general issue (Trunk).

I have got the following assertion on Solaris SPARC(!) with one specific profile:

Assertion failure: diff == regind * size, at /builds/firefox-78.7.0/memory/build/mozjemalloc.cpp:2195

The code is (https://searchfox.org/mozilla-esr78/source/memory/build/mozjemalloc.cpp#2195):

MOZ_DIAGNOSTIC_ASSERT(diff == regind * size);

Where:

arena_run_reg_dalloc(arena_run_t* run, arena_bin_t* bin, void* ptr, size_t size)
arena_run_reg_dalloc(0x7cbc8d838000, 0x7cbc9ed00288, 0x7cbc8d839760, 144)

diff = (unsigned)((uintptr_t)ptr - (uintptr_t)run - bin->mRunFirstRegionOffset)
diff = 0x7cbc8d839760 - 0x7cbc8d838000 - 128
diff = 5856

mozilla::IsPowerOfTwo(size)
mozilla::IsPowerOfTwo(144)
false

size <= ((sizeof(size_invs) / sizeof(unsigned)) * kQuantum) + 2
144 <= ((116 / 4) * 16) + 2
144 <= 466
true

regind = size_invs[(size / kQuantum) - 3] * diff
regind = size_invs[(144 / 16) - 3] * 5856
regind = size_invs[6] * 5856
regind = 14564 * 5856
regind = 85286784

regind >>= SIZE_INV_SHIFT
regind >>= 21
regind = 40

MOZ_DIAGNOSTIC_ASSERT(diff == regind * size)
MOZ_DIAGNOSTIC_ASSERT(5856 == 40*144)
MOZ_DIAGNOSTIC_ASSERT(5856 == 5760) !!!

The profile was specific with following modification to:

"~/.mozilla/firefox/er8nx33z.default-esr/prefs.js"

There was added this line:

user_pref("intl.locale.requested", "cs,en-US");

While this might be a wrong thing to do, I wonder how it can hit such a fundamental assertion. Is the assertion right?

Mike, with your expertise, can I please have your comment/thoughts on this? Thank you!

Flags: needinfo?(mh+mozilla)
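To make the arithmetic in the report easy to re-run, here is an added example (written for this page, not mozjemalloc's own code) that mirrors the region-index computation from arena_run_reg_dalloc: the SIZE_INV reciprocal table, the multiply-and-shift, and the diagnostic check. The constants kQuantum = 16 and SIZE_INV_SHIFT = 21 and the 29-entry table (sizeof 116 / 4) are taken from the report; the SIZE_INV formula is reconstructed and checked against the report's size_invs[6] == 14564. Function names and the Result-based check are this example's own.

```rust
// Added example, not mozjemalloc's code: the region-index arithmetic behind
//   MOZ_DIAGNOSTIC_ASSERT(diff == regind * size)
// in arena_run_reg_dalloc, fed with the numbers from the report.
//
// The free path avoids a division: for a non-power-of-two region size it
// multiplies `diff` by a fixed-point reciprocal of the size (SIZE_INV) and
// shifts right by SIZE_INV_SHIFT. The assertion then checks that the pointer
// really sat on a region boundary of this run. A pointer that was not returned
// by malloc for this size class (or whose page has since been reassigned to a
// different size class) lands between boundaries and fails the check.

const QUANTUM_2POW_MIN: u32 = 4; // kQuantum = 16 bytes (assumed, matches 144/16 - 3 = 6 in the report)
const K_QUANTUM: u32 = 1 << QUANTUM_2POW_MIN;
const SIZE_INV_SHIFT: u32 = 21;
const NUM_SIZE_INVS: usize = 29; // sizes 48..=496 (3..=31 quanta); sizeof(size_invs) == 116

/// Fixed-point reciprocal of a region of `s` quanta, reconstructed SIZE_INV(s).
fn size_inv(s: u32) -> u32 {
    ((1u32 << SIZE_INV_SHIFT) / (s << QUANTUM_2POW_MIN)) + 1
}

/// The size_invs[] table: entry i holds SIZE_INV(i + 3).
fn size_invs() -> [u32; NUM_SIZE_INVS] {
    let mut t = [0u32; NUM_SIZE_INVS];
    for (i, slot) in t.iter_mut().enumerate() {
        *slot = size_inv(i as u32 + 3);
    }
    t
}

/// Region index for `diff` (offset of ptr from the run's first region) and a
/// region `size`, following the three branches of arena_run_reg_dalloc.
fn region_index(diff: u32, size: u32) -> u32 {
    let invs = size_invs();
    if size.is_power_of_two() {
        diff >> size.trailing_zeros()
    } else if size <= (NUM_SIZE_INVS as u32) * K_QUANTUM + 2 {
        // `unsigned` arithmetic in the C++: wrap rather than panic on overflow
        invs[(size / K_QUANTUM - 3) as usize].wrapping_mul(diff) >> SIZE_INV_SHIFT
    } else {
        diff / size
    }
}

/// The diagnostic check: Ok(regind) when diff == regind * size, otherwise
/// Err((regind, regind * size)) so the mismatch can be inspected.
fn check_region_boundary(diff: u32, size: u32) -> Result<u32, (u32, u32)> {
    let regind = region_index(diff, size);
    let back = regind.wrapping_mul(size);
    if back == diff {
        Ok(regind)
    } else {
        Err((regind, back))
    }
}

/// The reporter's values: run 0x7cbc8d838000, ptr 0x7cbc8d839760,
/// mRunFirstRegionOffset 128, region size 144.
fn reported_case() -> Result<u32, (u32, u32)> {
    let run: u64 = 0x7cbc_8d83_8000;
    let ptr: u64 = 0x7cbc_8d83_9760;
    let first_region_offset: u64 = 128;
    let diff = (ptr - run - first_region_offset) as u32; // 5856
    check_region_boundary(diff, 144)
}

fn main() {
    println!("size_invs[6] = {}", size_invs()[6]);
    println!("reported case: {:?}", reported_case());
    println!("valid region 40: {:?}", check_region_boundary(40 * 144, 144));
}
```

The reported diff of 5856 is not a multiple of 144 (40 * 144 = 5760, 41 * 144 = 5904), so no region index can satisfy the check; the reciprocal trick is not the problem, the pointer is. The `Err` value shows the nearest lower boundary, which is what glandium's diagnosis of a foreign or stale pointer predicts.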

This assert usually means the pointer that was passed to free() is not a pointer that was returned verbatim by malloc(). In rare cases, it can also mean a free() on a pointer that was previously free()d, where the underlying page was reassigned to a different allocation size because it was emptied by that free.

Flags: needinfo?(mh+mozilla)

I really see this with Firefox 78 (SPARC) only. Latest trunk is fine. And it really seems that memory is corrupted. When I comment it out, I soon hit another assertion:

https://searchfox.org/mozilla-esr78/source/intl/locale/LocaleService.cpp#614

MOZ_ASSERT(mIsServer, "This should only be called in the server mode.");

Where the mIsServer bool is 229!?


The stack I see is:

#0  0x00007ba61cb730f8 in arena_run_reg_dalloc(arena_run_t*, arena_bin_t*, void*, unsigned long) ()
#1  0x00007ba61cb783cc in arena_t::DallocSmall(arena_chunk_t*, void*, arena_chunk_map_t*) ()
#2  0x00007ba61cb78ebc in arena_dalloc(void*, unsigned long, arena_t*) ()
#3  0x00007ba61cb7cb78 in BaseAllocator::free(void*) ()
#4  0x00007ba61cb7c280 in Allocator<MozJemallocBase>::free(void*) ()
#5  0x00007ba61cb7ee2c in Allocator<ReplaceMallocBase>::free(void*) ()
#6  0x00007ba61cb7fd4c in free ()
#7  0x00007ba5fb9d8d24 in nsTArrayInfallibleAllocator::Free(void*) (aPtr=0x7ba5eee39be0)
    at /builds/psumbera/userland-ff-lang/components/desktop/firefox/build/sparcv9/dist/include/nsTArray.h:251
#8  0x00007ba5fb9f2390 in nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_RelocateUsingMemutils>::~nsTArray_base() (this=0x7e39c6d22240, __in_chrg=<optimized out>)
    at /builds/psumbera/userland-ff-lang/components/desktop/firefox/build/sparcv9/dist/include/nsTArray-inl.h:19
#9  0x00007ba5fbaa3c98 in nsTArray_Impl<nsTString<char>, nsTArrayInfallibleAllocator>::~nsTArray_Impl() (this=0x7e39c6d22240, __in_chrg=<optimized out>)
    at /builds/psumbera/userland-ff-lang/components/desktop/firefox/build/sparcv9/dist/include/nsTArray.h:985
#10 0x00007ba5fba8f65c in nsTArray<nsTString<char> >::~nsTArray() (this=0x7e39c6d22240, __in_chrg=<optimized out>)
    at /builds/psumbera/userland-ff-lang/components/desktop/firefox/build/sparcv9/dist/include/nsTArray.h:2553
#11 0x00007ba5fbecffcc in mozilla::intl::LocaleService::LocalesChanged() (this=0x7ba5eee39b80)
    at /builds/psumbera/userland-ff-lang/components/desktop/firefox/firefox-78.7.0/intl/locale/LocaleService.cpp:225
#12 0x00007ba5fbed25f8 in mozilla::intl::LocaleService::SetAvailableLocales(nsTArray<nsTString<char> > const&) (this=0x7ba5eee39b80, aAvailable=...)
    at /builds/psumbera/userland-ff-lang/components/desktop/firefox/firefox-78.7.0/intl/locale/LocaleService.cpp:635
#13 0x00007ba5fbd63000 in NS_InvokeByIndex ()
    at /builds/psumbera/userland-ff-lang/components/desktop/firefox/firefox-78.7.0/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_sparc64_openbsd.s:80
#14 0x00007ba5fd5682c8 in CallMethodHelper::Invoke() (this=0x7e39c6d22708)
    at /builds/psumbera/userland-ff-lang/components/desktop/firefox/firefox-78.7.0/js/xpconnect/src/XPCWrappedNative.cpp:1618
#15 0x00007ba5fd56586c in CallMethodHelper::Call() (this=0x7e39c6d22708)
    at /builds/psumbera/userland-ff-lang/components/desktop/firefox/firefox-78.7.0/js/xpconnect/src/XPCWrappedNative.cpp:1174
#16 0x00007ba5fd56563c in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) (ccx=..., mode=XPCWrappedNative::CALL_SETTER)
    at /builds/psumbera/userland-ff-lang/components/desktop/firefox/firefox-78.7.0/js/xpconnect/src/XPCWrappedNative.cpp:1140
#17 0x00007ba5fd542f8c in XPCWrappedNative::SetAttribute(XPCCallContext&) (ccx=...)
    at /builds/psumbera/userland-ff-lang/components/desktop/firefox/firefox-78.7.0/js/xpconnect/src/xpcprivate.h:1452
#18 0x00007ba5fd573520 in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) (cx=0x7ba613234000, argc=1, vp=0x7e39c6d22ff0)
    at /builds/psumbera/userland-ff-lang/components/desktop/firefox/firefox-78.7.0/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:977
#19 0x00007ba604c0c440 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) () at /usr/lib/firefox/libxul.so
#20 0x00007ba604c0d19c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) () at /usr/lib/firefox/libxul.so
#21 0x00007ba604c0d86c in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) () at /usr/lib/firefox/libxul.so
#22 0x00007ba604c0d9a0 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) ()
    at /usr/lib/firefox/libxul.so
#23 0x00007ba604c0ebdc in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) () at /usr/lib/firefox/libxul.so
#24 0x00007ba60520833c in SetExistingProperty(JSContext*, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyResult>, JS::ObjectOpResult&) () at /usr/lib/firefox/libxul.so
#25 0x00007ba605208580 in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) () at /usr/lib/firefox/libxul.so
#26 0x00007ba604bfcb64 in js::SetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&)
    () at /usr/lib/firefox/libxul.so
#27 0x00007ba604c0a8fc in SetPropertyOperation(JSContext*, JSOp, JS::Handle<JS::Value>, int, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>) ()
    at /usr/lib/firefox/libxul.so
#28 0x00007ba604c1fd78 in Interpret(JSContext*, js::RunState&) () at /usr/lib/firefox/libxul.so
#29 0x00007ba604c0c16c in js::RunScript(JSContext*, js::RunState&) () at /usr/lib/firefox/libxul.so
#30 0x00007ba604c0d3c8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) () at /usr/lib/firefox/libxul.so
#31 0x00007ba604c0d86c in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) () at /usr/lib/firefox/libxul.so
#32 0x00007ba604c0d9a0 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) ()
    at /usr/lib/firefox/libxul.so
#33 0x00007ba6050bcfe4 in js::fun_call(JSContext*, unsigned int, JS::Value*) () at /usr/lib/firefox/libxul.so
#34 0x00007ba604c0c440 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) () at /usr/lib/firefox/libxul.so
#35 0x00007ba604c0d19c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) () at /usr/lib/firefox/libxul.so
#36 0x00007ba604c0d86c in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) () at /usr/lib/firefox/libxul.so
#37 0x00007ba604c0d8d4 in js::CallFromStack(JSContext*, JS::CallArgs const&) () at /usr/lib/firefox/libxul.so
#38 0x00007ba604c21db0 in Interpret(JSContext*, js::RunState&) () at /usr/lib/firefox/libxul.so
#39 0x00007ba604c0c16c in js::RunScript(JSContext*, js::RunState&) () at /usr/lib/firefox/libxul.so
#40 0x00007ba604c0d3c8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) () at /usr/lib/firefox/libxul.so
#41 0x00007ba604c0d86c in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) () at /usr/lib/firefox/libxul.so
#42 0x00007ba604c0d9a0 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) ()
    at /usr/lib/firefox/libxul.so
#43 0x00007ba6050bd70c in js::fun_apply(JSContext*, unsigned int, JS::Value*) () at /usr/lib/firefox/libxul.so
#44 0x00007ba604c0c440 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) () at /usr/lib/firefox/libxul.so
#45 0x00007ba604c0d19c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) () at /usr/lib/firefox/libxul.so
#46 0x00007ba604c0d86c in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) () at /usr/lib/firefox/libxul.so
#47 0x00007ba604c0d8d4 in js::CallFromStack(JSContext*, JS::CallArgs const&) () at /usr/lib/firefox/libxul.so
#48 0x00007ba604c21db0 in Interpret(JSContext*, js::RunState&) () at /usr/lib/firefox/libxul.so
#49 0x00007ba604c0c16c in js::RunScript(JSContext*, js::RunState&) () at /usr/lib/firefox/libxul.so
#50 0x00007ba604c0d3c8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) () at /usr/lib/firefox/libxul.so
#51 0x00007ba604c0d86c in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) () at /usr/lib/firefox/libxul.so
#52 0x00007ba604c0d9a0 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) ()
    at /usr/lib/firefox/libxul.so
#53 0x00007ba604dc7320 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) ()
    at /usr/lib/firefox/libxul.so
#54 0x00007ba5fd55ce0c in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*)
    (this=0x7ba5eee61c80, methodIndex=3, info=0x7ba5f9bbb9b4 <xpt::detail::sMethods+28912>, nativeParams=0x7e39c6d26908)
    at /builds/psumbera/userland-ff-lang/components/desktop/firefox/firefox-78.7.0/js/xpconnect/src/XPCWrappedJSClass.cpp:963
#55 0x00007ba5fbd5fe2c in PrepareAndDispatch(nsXPTCStubBase*, uint64_t, uint64_t*) (self=0x7ba5e9a25720, methodIndex=3, args=0x7e39c6d26b98)
    at /builds/psumbera/userland-ff-lang/components/desktop/firefox/firefox-78.7.0/xpcom/reflect/xptcall/md/unix/xptcstubs_sparc64_openbsd.cpp:79
#56 0x00007ba5fbd63044 in SharedStub ()
    at /builds/psumbera/userland-ff-lang/components/desktop/firefox/firefox-78.7.0/xpcom/reflect/xptcall/md/unix/xptcstubs_asm_sparc64_openbsd.s:41

The Bugbug bot thinks this bug should belong to the 'Core::Memory Allocator' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → Memory Allocator
Product: Firefox → Core

Is ASan available on sparc solaris?

Component: Memory Allocator → Untriaged
Product: Core → Firefox

There is no ASan on Solaris SPARC.

To provide more context: the assertion is hit when handling the C++ destructor for:

nsTArray<nsCString> newLocales;

in: https://searchfox.org/mozilla-esr78/source/intl/locale/LocaleService.cpp#194

The important thing seems to be that values are added in Rust:

result.push(l.source.clone());

in https://searchfox.org/mozilla-esr78/source/intl/locale/rust/fluent-langneg-ffi/src/lib.rs#77

Notes:

In C++ it seems to ultimately call mozjemalloc when allocating new elements via:
https://searchfox.org/mozilla-esr78/source/xpcom/ds/nsTArray-inl.h#141

In Rust it seems to directly call libc malloc:
https://searchfox.org/mozilla-esr78/source/third_party/rust/thin-vec/src/lib.rs#677

I wonder whether there can't be some collision where the original allocation is done using mozjemalloc and then it's reallocated using libc malloc?!

Nice find. I guess this is not causing problems on tier-1 platforms by linker luck, essentially. This doesn't affect thin-vec 0.2, which we're now using on mozilla-central.
Gankra, would you mind releasing a 0.1.1 with changes to heap.rs to use std::alloc instead of libc, and updating esr78 with that?

Flags: needinfo?(a.beingessner)
Assignee: nobody → a.beingessner
Flags: needinfo?(a.beingessner)

Thank you! I can confirm that applying changes from 1654807 resolved my original issue.

Note that I also tried not using '--enable-replace-malloc', which seemed to make a difference too.

Can this be closed as resolved:works for me?

Best,
Clara

Flags: needinfo?(petr.sumbera)

I expect that this bug will be closed once https://phabricator.services.mozilla.com/D106668 is pushed.

But generally I'm ok to close it.

Flags: needinfo?(petr.sumbera)
Attachment #9205787 - Attachment is obsolete: true

Comment on attachment 9206811 [details]
Bug 1691384 - Update esr78's thin-vec to 0.1.2 for correct heap usage. r?glandium

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: Because it predates Rust stabilizing a lot of its allocator APIs, thin-vec directly called into the libc allocator, rather than using the one Rust was configured to use. On most platforms this was fine because those symbols unified, but on Solaris SPARC this is not the case.

As a result, an nsTArray that was converted into a ThinVec (as designed) could have its memory allocated by one allocator and freed by another, which is a big No No.

While we have other crates in our tree also using libc's allocator directly (and perhaps should be changed), ThinVec is uniquely bad because it's designed to transparently bridge between nsTArray.

  • User impact if declined: Solaris SPARC users will still have messed up allocations that cause crashes.
  • Fix Landed on Version: 82 (via updating to thin-vec 0.2.1)
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This doesn't change the design of thin-vec, just which allocator it uses internally.
  • String or UUID changes made by this patch:
Attachment #9206811 - Flags: approval-mozilla-esr78?
Component: Untriaged → Memory Allocator
Product: Firefox → Core
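What the uplift request describes, as an added example (not thin-vec's, nsTArray's or Firefox's code): a minimal single-pointer vector that keeps a header followed by its elements in one heap block and obtains, grows and frees that block through std::alloc, i.e. through the global allocator Rust was built with (mozjemalloc in Firefox), rather than through libc's malloc/free, which on Solaris SPARC resolved to a different heap. The Header layout, the ThinBuf type and negotiated_locales are assumptions made for the example; the real nsTArrayHeader and ThinVec differ in detail.

```rust
// Added example, not thin-vec's or Firefox's code: the shape of the fix the
// uplift request describes. One allocation holds a header {len, cap} followed
// by the elements, and every alloc/realloc/dealloc goes through std::alloc,
// never through an `extern "C" malloc`/`free` pair that may be a different
// heap from the one the C++ side (nsTArray) frees with.
use std::alloc::{alloc, dealloc, handle_alloc_error, realloc, Layout};
use std::marker::PhantomData;
use std::ptr;

/// Header preceding the elements. The real nsTArrayHeader / thin-vec header
/// packs its fields differently; this layout is an assumption for the example.
#[repr(C)]
#[derive(Clone, Copy)]
struct Header {
    len: usize,
    cap: usize,
}

/// Single-pointer vector (assumed name): one heap block, header first.
pub struct ThinBuf<T> {
    ptr: *mut Header,
    _marker: PhantomData<T>,
}

/// Layout of the header followed by `cap` elements of T. One function yields
/// the layout for alloc, realloc and dealloc, which keeps the calls paired.
fn layout_for<T>(cap: usize) -> Layout {
    let hdr = Layout::new::<Header>();
    let elems = Layout::array::<T>(cap).expect("capacity overflow");
    let (combined, _offset) = hdr.extend(elems).expect("layout overflow");
    combined.pad_to_align()
}

/// Byte offset of the first element from the start of the block.
fn elem_offset<T>() -> usize {
    Layout::new::<Header>().extend(Layout::new::<T>()).expect("layout overflow").1
}

impl<T> ThinBuf<T> {
    pub fn with_capacity(cap: usize) -> Self {
        let cap = cap.max(1);
        let layout = layout_for::<T>(cap);
        // Global allocator, not libc: this is the line thin-vec 0.1.x got wrong.
        let ptr = unsafe { alloc(layout) } as *mut Header;
        if ptr.is_null() {
            handle_alloc_error(layout);
        }
        unsafe { ptr.write(Header { len: 0, cap }) };
        ThinBuf { ptr, _marker: PhantomData }
    }

    fn header(&self) -> Header { unsafe { *self.ptr } }
    fn data(&self) -> *mut T { unsafe { (self.ptr as *mut u8).add(elem_offset::<T>()) as *mut T } }
    pub fn len(&self) -> usize { self.header().len }
    pub fn capacity(&self) -> usize { self.header().cap }

    pub fn push(&mut self, value: T) {
        let Header { len, cap } = self.header();
        if len == cap {
            let new_cap = cap.checked_mul(2).expect("capacity overflow");
            let old_layout = layout_for::<T>(cap);
            let new_layout = layout_for::<T>(new_cap);
            // realloc takes the layout the block was allocated with plus the new
            // size; the returned block belongs to the same allocator.
            let p = unsafe { realloc(self.ptr as *mut u8, old_layout, new_layout.size()) };
            if p.is_null() {
                handle_alloc_error(new_layout);
            }
            self.ptr = p as *mut Header;
            unsafe { (*self.ptr).cap = new_cap };
        }
        unsafe {
            ptr::write(self.data().add(len), value);
            (*self.ptr).len = len + 1;
        }
    }

    pub fn as_slice(&self) -> &[T] {
        unsafe { std::slice::from_raw_parts(self.data(), self.len()) }
    }
}

impl<T> Drop for ThinBuf<T> {
    fn drop(&mut self) {
        let Header { len, cap } = self.header();
        unsafe {
            ptr::drop_in_place(ptr::slice_from_raw_parts_mut(self.data(), len));
            // Freed with the layout it was allocated with, via the same allocator.
            dealloc(self.ptr as *mut u8, layout_for::<T>(cap));
        }
    }
}

/// Stand-in for the Rust side of the report (result.push(l.source.clone())):
/// builds the list that the C++ caller will later destroy.
pub fn negotiated_locales(requested: &[&str]) -> ThinBuf<String> {
    let mut out = ThinBuf::with_capacity(1);
    for l in requested {
        out.push(l.to_string());
    }
    out
}

fn main() {
    let v = negotiated_locales(&["cs", "en-US"]);
    println!("{} locales, capacity {}: {:?}", v.len(), v.capacity(), v.as_slice());
}
```

The practical check this encodes: whichever side frees the block, the allocator is selected by the Rust toolchain's global allocator rather than by symbol resolution at link time. On Linux the two happened to coincide because mozjemalloc's exported malloc/free interpose libc's; the fix removes that dependence on linker luck.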

Comment on attachment 9206811 [details]
Bug 1691384 - Update esr78's thin-vec to 0.1.2 for correct heap usage. r?glandium

Approved for 78.9esr.

Attachment #9206811 - Flags: approval-mozilla-esr78? → approval-mozilla-esr78+
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED

Just for the record: I still see the issue with Firefox 78.9.0. Not sure what exactly is wrong, but thin-vec 0.1.2 in ESR doesn't seem to be exactly what is in trunk.

I still need to apply the following patch (which makes thin-vec 1:1 with what is in Firefox trunk):
https://github.com/oracle/solaris-userland/blob/master/components/desktop/firefox/patches/SPARC-LocaleService.patch
