Closed Bug 1941728 Opened 1 month ago Closed 1 month ago

Crash [@ js::gc::MapAlignedPages] or Assertion failure: length % pageSize == 0, at gc/Memory.cpp:469

Categories

(Core :: JavaScript: GC, defect)

ARM64
Linux
defect

Tracking


RESOLVED FIXED
136 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- unaffected
firefox134 --- unaffected
firefox135 --- unaffected
firefox136 + fixed

People

(Reporter: gkw, Assigned: jonco)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords)

Crash Data

Attachments

(3 files)

Attached file Opt stack
var x = [];
for (let i = 0; i < 9999999; i++) {
  x.push(0);
}

Debug stack:

(gdb) bt
#0  js::gc::MapAlignedPages (length=length@entry=16781312, alignment=alignment@entry=1048576, stallAndRetry=<optimized out>)
    at /home/m1ubu/trees/mozilla-central/js/src/gc/Memory.cpp:469
#1  0x0000aaaaad1c9a40 in js::gc::BufferAllocator::allocLarge (this=0xfffff6b2c710, bytes=<optimized out>, nurseryOwned=true, inGC=false)
    at /home/m1ubu/trees/mozilla-central/js/src/gc/BufferAllocator.cpp:2279
#2  0x0000aaaaad1c9928 in js::gc::BufferAllocator::alloc (this=<optimized out>, this@entry=0xfffff6b2c710, bytes=<optimized out>, bytes@entry=16781256,
    nurseryOwned=<optimized out>) at /home/m1ubu/trees/mozilla-central/js/src/gc/BufferAllocator.cpp:592
#3  0x0000aaaaad1cadd4 in js::gc::BufferAllocator::realloc (this=0xfffff6b2c710, ptr=0x317e10000038, bytes=16781256, nurseryOwned=true)
    at /home/m1ubu/trees/mozilla-central/js/src/gc/BufferAllocator.cpp:686
#4  0x0000aaaaad2995f0 in js::gc::ReallocBuffer (zone=0xfffff6b2c000, alloc=0x317e10000038, bytes=16781256, nurseryOwned=true)
    at /home/m1ubu/trees/mozilla-central/js/src/gc/BufferAllocator-inl.h:52
#5  js::Nursery::reallocateBuffer (this=0xfffff6c529d0, zone=0xfffff6b2c000, cell=<optimized out>, oldBuffer=0x317e10000038, oldBytes=16777160, newBytes=16781256)
    at /home/m1ubu/trees/mozilla-central/js/src/gc/Nursery.cpp:929
/snip
The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/d95fadc5b8ff
user:        Jon Coppeard
date:        Tue Jan 07 18:13:34 2025 +0000
summary:     Bug 1934856 - Part 2: Use buffer allocator for JSObject elements r=sfink,jandem

Run with --fuzzing-safe --no-threads --no-baseline --no-ion, compile with AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev 5904a2d552f2.

Setting s-s just in case. Jon, is bug 1934856 a likely regressor?

Flags: sec-bounty?
Flags: needinfo?(jcoppeard)
Attached file ASan stack
==21116==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0xaaab44a67c00 bp 0xffffd857fc90 sp 0xffffd857fbc0 T0)
==21116==The signal is caused by a WRITE memory access.
==21116==Hint: address points to the zero page.
/usr/bin/llvm-symbolizer: error: '[anon:js-executable-memory]': No such file or directory
    #0 0xaaab44a67c00 in js::gc::MapAlignedPages(unsigned long, unsigned long, js::gc::StallAndRetry) /home/m1ubu/trees/mozilla-central/js/src/gc/Memory.cpp:469:3
    #1 0xaaab44a79608 in js::gc::BufferAllocator::allocLarge(unsigned long, bool, bool) /home/m1ubu/trees/mozilla-central/js/src/gc/BufferAllocator.cpp:2279:15
    #2 0xaaab44a7aa4c in js::gc::BufferAllocator::realloc(void*, unsigned long, bool) /home/m1ubu/trees/mozilla-central/js/src/gc/BufferAllocator.cpp:686:18
    #3 0xaaab44b23a18 in js::gc::ReallocBuffer(JS::Zone*, void*, unsigned long, bool) /home/m1ubu/trees/mozilla-central/js/src/gc/BufferAllocator-inl.h:52:32
/snip

Set release status flags based on info from the regressing bug 1934856

Group: core-security → javascript-core-security

It looks like this crash is also being seen on Nightly, in bug 1941784.

See Also: → 1941784
Duplicate of this bug: 1941784
Crash Signature: [@ js::gc::MapAlignedPages]
Assignee: nobody → jcoppeard

The problem is that the buffer allocator allocates large buffers with the granularity of |PageSize| which may be less than the system page size. This affects systems where the page size is larger than expected, such as arm64 Linux on Apple hardware.

The simplest thing to do is to increase this granularity to 1MB (which is what jemalloc does for its equivalent huge allocations).

Flags: needinfo?(jcoppeard)
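The following is an added illustration, not SpiderMonkey code and not part of the bug thread: it checks the two buffer sizes from the backtrace (oldBytes=16777160, newBytes=16781256) against the precondition the release assertion enforces, length % pageSize == 0, once at the pre-fix 4 KiB granularity and once at the 1 MiB granularity the fix adopts. The names kAssumedPageSize, RoundUp, LengthIsPageMultiple and GranularityIsSafe are illustrative assumptions; the 16 KiB and 64 KiB page sizes stand in for arm64 Linux configurations with larger-than-4K pages.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <unistd.h>

// Illustrative constants (assumptions, not SpiderMonkey's actual names):
// the page size a build might bake in, and the 1 MiB granularity the fix adopts.
constexpr size_t kAssumedPageSize = 4096;
constexpr size_t kLargeBufferGranularity = size_t(1) << 20;  // 1 MiB

// Round |bytes| up to a multiple of |granularity| (granularity must be non-zero).
constexpr size_t RoundUp(size_t bytes, size_t granularity) {
  return (bytes + granularity - 1) / granularity * granularity;
}

// The precondition the release assertion enforces on the mapped length: it must
// be a whole number of *system* pages. Returns true when a request sized in
// |granularity| units passes that check on a system with |systemPageSize| pages.
constexpr bool LengthIsPageMultiple(size_t bytes, size_t granularity,
                                    size_t systemPageSize) {
  return RoundUp(bytes, granularity) % systemPageSize == 0;
}

// A granularity is safe for every request iff it is itself a multiple of the
// system page size; then every rounded length is a page multiple as well.
constexpr bool GranularityIsSafe(size_t granularity, size_t systemPageSize) {
  return granularity % systemPageSize == 0;
}

// Real page size of the host, as reported by POSIX sysconf.
size_t HostPageSize() {
  return static_cast<size_t>(sysconf(_SC_PAGESIZE));
}

int main() {
  // The two lengths seen in the backtrace: the elements buffer is grown from
  // oldBytes to newBytes. oldBytes rounds to exactly 4096 pages of 4 KiB
  // (16 MiB, a multiple of every page size below); newBytes rounds to 4097
  // such pages, which is not a multiple of 16 KiB or 64 KiB.
  const size_t oldBytes = 16777160;
  const size_t newBytes = 16781256;
  const size_t pageSizes[] = {4096, 16384, 65536};
  for (size_t ps : pageSizes) {
    std::printf("system page %6zu: old %s, new %s (4 KiB granularity); "
                "new %s (1 MiB granularity)\n",
                ps,
                LengthIsPageMultiple(oldBytes, kAssumedPageSize, ps) ? "ok" : "ASSERT",
                LengthIsPageMultiple(newBytes, kAssumedPageSize, ps) ? "ok" : "ASSERT",
                LengthIsPageMultiple(newBytes, kLargeBufferGranularity, ps) ? "ok" : "ASSERT");
  }
  const size_t host = HostPageSize();
  std::printf("this host: page size %zu, 4 KiB granularity %s, 1 MiB granularity %s\n",
              host,
              GranularityIsSafe(kAssumedPageSize, host) ? "safe" : "UNSAFE",
              GranularityIsSafe(kLargeBufferGranularity, host) ? "safe" : "UNSAFE");
  return 0;
}
```

The growth step matters: the old size happened to be an exact multiple of the larger page size, so the realloc only tripped the assertion once the buffer crossed into a 4 KiB page count that was not a multiple of the system page count. Rounding to 1 MiB is safe for any power-of-two page size up to 1 MiB, which covers the 4 K, 16 K and 64 K configurations in use on arm64 Linux.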

This is not security sensitive as we crash with a release assertion.

Group: javascript-core-security

Currently the granularity is PageSize, but that may be less than the system
page size.

This also simplifies some size calculations that did more work than required.

The bug is linked to a topcrash signature, which matches the following criterion:

  • Top 10 desktop browser crashes on nightly

For more information, please visit BugBot documentation.

Keywords: topcrash
Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/1055931aad82 Increase the granularity of large buffer allocations to 1MB r=sfink
Status: NEW → RESOLVED
Closed: 1 month ago
Resolution: --- → FIXED
Target Milestone: --- → 136 Branch
Flags: sec-bounty? → sec-bounty-