256642 - LIFO deallocation causes crash!

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect, P1)

Description

[Oscar Fogelberg]

User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Build Identifier: N.A.

We have found that the following two lines in JS_ArenaFreeAllocation expoes 
the spidermonkey of deallocations of unpredictable nature. 

if (pool->current == a) 
   pool->current = &pool->first;

After repositioning the current pool pointer we may come to a situation in 
which we have managed to allocate a number of bytes by using free bytes in 
already allocated arenas in the tempPool, without having to allocate new 
memory, nor having needed to fetch a new pool from the set of free arenas. 

If this happens we will possibly deallocate memory that is still in use. 

This is because cg2mark which is stored in TOK_FUNCTION of emitTree will point 
to a pool which is not the last arena in the pool but rarher a arena in which 
a sufficient number of bytes have been found that allows us to store the 
needed structures. The result after having emitted the function body is that 
the tempPool is pruned from c2gmark, which will mean that active memory may be 
deallocated.



Reproducible: Always
Steps to Reproduce:
It is very hard to describe the precise reproduction steps, the crash is 
dependant on a number of different factors such as: the DEBUG configuration 
set, what kind of native memory allocation algorithm is implemented, and the 
configuration of the target environment such as arena sizes.
Actual Results:  
I have seen: ZPEs, Asserts in interpritation, as well as OS memory exceptions.

Expected Results:  
Instead of the two lines in JS_ArenaFreeAllocation, however ambitious they are 
in concerning using any remaining bytes in the allocated areanas, it seems 
that we must repostion to the last arena to avoid the described problems.

N.A.

Comment 1

[Brendan Eich [:brendan]]

This is a bad bug that's been around a while.  Might explain some tellme.com
folks' reports.

/be

Comment 2

[Olivier Cahagne]

*** Bug 256693 has been marked as a duplicate of this bug. ***

Comment 3

[Brendan Eich [:brendan]]

Attachment: proposed fix

One-liner, good for what ails us here.	This bug was introduced when I
exteneded JS bytecodes to include the JOF_JUMPX extended jump formats, and
implemented span-dependent instruction selection in the code generator.  It
must have been byting people randomly, very sporadically, for it to be fixed at
this late date. Better late than never!

Many thanks to Oscar et al. who reported and diagnosed the problem.

/be

Comment 4

[Brendan Eich [:brendan]]

Comment on attachment 157262 [details] [diff] [review]
proposed fix

We need this fix -- it's the classic one-line subtle crash bugfix you all love
to take in the end-game, even on the last day.	But I didn't want to hold it
back till then... ;-)

/be

Comment 5

[chris hofmann]

Comment on attachment 157262 [details] [diff] [review]
proposed fix

a=chofmann for aviary and 1.7 branches

Comment 6

[Brendan Eich [:brendan]]

Fixed on branches.

/be