NanoAssert failure when LIR buffer is OOM with cache size 14

Status

VERIFIED INVALID
People

(Reporter: dmandelin, Unassigned)

Tracking

Version: unspecified
Target Milestone: Future
Hardware: x86
OS: All
Bug Flags:
flashplayer-qrb +
flashplayer-triage +

Details

(Reporter)

Description

10 years ago
I'm trying to artificially replicate a bug from crashpad that I think is due to an OOM in my usage of nanojit. To test this guess, I set the regexp Fragmento cache size to 14 (4k, I think), and tried inserting 6000 LIR_start into the buffer. I get an assert in LirBufWriter::ensureRoom in debug builds and a crash otherwise. The same thing happens if I use size 15 and insert 9000 LIR_start.

I show the code snippet with notes on what happens below. It's clear that the code before 'NanoAssert(_buf->_thresholdPage)' does not in fact establish that condition.

Perhaps I am violating some assumption of nanojit with my usage. If so, please explain, so I can add a test for that assumption.


    if (!_buf->_thresholdPage)
    {
        // LIR_BUF_THRESHOLD away from a new page but pre-alloc it, setting noMem for early OOM detection
        _buf->_thresholdPage = _buf->pageAlloc();
        /// The line above returns NULL after a few calls.
        NanoAssert(_buf->_thresholdPage || _buf->_noMem);
        /// The line above is OK because _noMem is set when we get the NULL.
    }
    // transition to the next page?
    if (!samepage(before,after))
    {
        /// Here we start going bad because of course _buf->_thresholdPage is NULL.
        NanoAssert(_buf->_thresholdPage);
        _buf->_unused = &_buf->_thresholdPage->lir[0];
        _buf->_thresholdPage = 0;  // pageAlloc() stored it in _pages already

        // link LIR stream back to prior instruction (careful insLink relies on _unused...)
        insLinkTo(LIR_skip, before-1);
    }
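The failure mode described above, as an added example that is not nanojit's code: a minimal paged-buffer model (constructed names PagedBuffer, pageAlloc, advance and fillUntilOOM; 64-word pages, a threshold of 8 words and a page budget standing in for the Fragmento cache size) that pre-allocates the threshold page the way the snippet does, but tests the allocator's NULL result at the page transition, so exhausting the budget reports OOM to the caller instead of asserting on a NULL page.

```cpp
#include <cstddef>
#include <memory>
#include <vector>
struct Page { static const size_t kWords = 64; int lir[kWords]; };  // constructed: tiny pages
class PagedBuffer {
public:
    static const size_t kThreshold = 8;   // stands in for LIR_BUF_THRESHOLD
    explicit PagedBuffer(size_t maxPages) : maxPages_(maxPages) {}
    // Emit one word; false once the page budget is exhausted. OOM is reported
    // where pageAlloc() fails, never by dereferencing a NULL threshold page.
    bool emit(int word) {
        if (noMem_) return false;
        if (cur_ == nullptr && !advance()) return false;
        // kThreshold words before the page end, pre-allocate the next page so an
        // allocation failure surfaces early, as the snippet intends.
        if (used_ == Page::kWords - kThreshold && threshold_ == nullptr) {
            threshold_ = pageAlloc();
            if (threshold_ == nullptr) return false;   // early OOM detection
        }
        if (used_ == Page::kWords && !advance()) return false;
        cur_->lir[used_++] = word;
        return true;
    }
private:
    // Mirrors pageAlloc(): returns NULL and sets _noMem once the budget is hit.
    Page* pageAlloc() {
        if (pages_.size() >= maxPages_) { noMem_ = true; return nullptr; }
        pages_.push_back(std::unique_ptr<Page>(new Page()));
        return pages_.back().get();
    }
    // Page transition. The nullptr test here is the check the snippet lacks:
    // it turns the failing NanoAssert into an ordinary OOM result.
    bool advance() {
        if (threshold_ == nullptr) threshold_ = pageAlloc();
        if (threshold_ == nullptr) return false;
        cur_ = threshold_; threshold_ = nullptr; used_ = 0;
        return true;
    }
    size_t maxPages_, used_ = 0;
    std::vector<std::unique_ptr<Page>> pages_;
    Page* cur_ = nullptr; Page* threshold_ = nullptr;
    bool noMem_ = false;
};
// Feed `words` words into a buffer of at most `maxPages` pages; returns how many were accepted.
size_t fillUntilOOM(size_t maxPages, size_t words) {
    PagedBuffer buf(maxPages);
    size_t n = 0;
    while (n < words && buf.emit(0)) ++n;
    return n;
}
```

With a budget of 4 pages the buffer stops after 248 words rather than 256, because the pre-allocation at the threshold surfaces the failure 8 words before the last page is full.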

Updated

10 years ago
Flags: flashplayer-triage+
Flags: flashplayer-qrb?

Updated

9 years ago
Flags: flashplayer-qrb? → flashplayer-qrb+

Updated

9 years ago
Target Milestone: --- → Future

Comment 1

9 years ago
The OOM and buffer management code in nanojit has been rewritten. This needs retesting to see if it's still a valid bug.
Status: NEW → UNCONFIRMED
Ever confirmed: false
OS: Mac OS X → All

Updated

8 years ago
Status: UNCONFIRMED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → INVALID

Comment 2

8 years ago
bulk verifying resolved !fixed issues
Status: RESOLVED → VERIFIED