Closed Bug 530598 Opened 15 years ago Closed 15 years ago

poison allocator fails when executed under Valgrind

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
status1.9.2 --- beta5-fixed

People

(Reporter: jbjoerk, Assigned: zwol)

References

Details

(Keywords: assertion)

Attachments

(1 file, 2 obsolete files)

patch as committed
5.36 KB, patch
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-us) AppleWebKit/531.9 (KHTML, like Gecko) Version/4.0.3 Safari/531.9
Build Identifier: mozilla-central, bcb580c05f4c+ tip 

Apologies in advance if this is the wrong component, very unfamiliar with the mozilla codebase.

###!!! ABORT: no usable poison region identified: file /Users/phb/Desktop/thesis/code/mozilla-central/layout/base/nsPresArena.cpp, line 212

The cause is that the poison allocator tries to map a region at 0xF0000000, which is where valgrind stores itself.
Changing the poison code to try and map from 0xc0000000 and it works as expected.


Reproducible: Always

Steps to Reproduce:
1. Run under valgrind (even --tool=none reproduces)
2. Observe crash
3.
Actual Results:  
Abort in nsPresArena.cpp:212.


Expected Results:  
Mapping should have succeeded.
confirming, I just saw this yesterday
Status: UNCONFIRMED → NEW
Ever confirmed: true
Component: General → Layout
Keywords: assertion
QA Contact: general → layout
gah, wrong cc
Blocks: 522088
Attached patch possible fix (obsolete) — Splinter Review 
I can't reproduce the problem (likely it does not happen under 64-bit Linux, regardless of whether the program under test is compiled with 64-bit pointers) but this should fix it.  If you can see the problem, please give it a try.

Heads up chofmann: with this patch in place, we'll take *any* address for the poison region rather than crash on startup.  Crash stats should not be significantly affected, since you have to work at it to get the preferred address not to be chosen, but is there a way to inject application annotations into minidumps?
Assignee: nobody → zweinberg
Status: NEW → ASSIGNED
nom'ing for 1.9.2 as a regression from 522088.
blocking1.9.1: --- → ?
*sigh* this time for sure.  sorry about the bugspam, folks.
blocking1.9.1: ? → ---
Flags: blocking1.9.2?
Attachment #414154 - Flags: review?(sayrer)
Attached patch possible fix (for real) (obsolete) — Splinter Review 
Doh.  Forgot the 'hg qref'.
Attachment #414154 - Attachment is obsolete: true
Attachment #414160 - Flags: review?(sayrer)
Attachment #414154 - Flags: review?(sayrer)
Flags: wanted1.9.2+
Flags: blocking1.9.2?
Flags: blocking1.9.2-
Tested and it now works with 32bit Valgrind on OSX.
sounds like this fix will repair the 3.6b4 new crash detected in  Bug 531305 that is on the top crash list

renom as blocking.
Flags: blocking1.9.2- → blocking1.9.2?
+    // The preferred address is already in use.  Did the OS give us a
+    // consolation prize?
+    if (result != RESERVE_FAILED) {
+      ARENA_POISON = candidate + rgnsize/2 - 1;
+      return PR_SUCCESS;
+    }

Shouldn't this be ARENA_POISON = result + rgnsize/2 - 1?

+    result = ReserveRegion(0, rgnsize);
+    if (result != RESERVE_FAILED) {
+      ARENA_POISON = candidate + rgnsize/2 - 1;
+      return PR_SUCCESS;
     }

Here too?
Flags: blocking1.9.2? → blocking1.9.2+
Attachment #414160 - Flags: review?(sayrer) → review?(nnethercote)
Comment on attachment 414160 [details] [diff] [review]
possible fix (for real)

I know nothing about the poison arena, but I do know that assuming certain anything about memory layout is a bad idea and this patch avoids that, so r=me with roc's nits fixed.

BTW, what's so special about 0xF0DEAFFF that the search starts there?
Attachment #414160 - Flags: review?(nnethercote) → review+
(In reply to comment #10)
> +    // The preferred address is already in use.  Did the OS give us a
> +    // consolation prize?
> +    if (result != RESERVE_FAILED) {
> +      ARENA_POISON = candidate + rgnsize/2 - 1;
> +      return PR_SUCCESS;
> +    }
> 
> Shouldn't this be ARENA_POISON = result + rgnsize/2 - 1?

Yes, it should; thanks for catching that.  I really do need to refactor this stuff so it's shared with the test case and is consistent about types and stuff.  Revised minimal-change patch on Monday (I'll do the refactor in a separate bug).

(In reply to comment #11)
> (From update of attachment 414160 [details] [diff] [review])
> I know nothing about the poison arena, but I do know that assuming certain
> anything about memory layout is a bad idea and this patch avoids that, so r=me
> with roc's nits fixed.

Thanks.

> BTW, what's so special about 0xF0DEAFFF that the search starts there?

Just that that's what chofmann's scripts are looking for to distinguish poisoning crashes from others, so we want to get that address if possible.  The idea of the "four megs in either direction" scan was that it would at least preserve the 0xF0D part, but making the browser start up reliably seems more important at this point.
(In reply to comment #3)
> is there a way to inject application annotations into minidumps?

Bug 517133 comment 1 describes one possible way to do this.
(In reply to comment #13)
> (In reply to comment #3)
> > is there a way to inject application annotations into minidumps?
> 
> Bug 517133 comment 1 describes one possible way to do this.

Thanks.  It looks like from Gecko-internal code I want to #include <nsExceptionHandler.h> and
then call CrashReporter::AppendAppNotesToCrashReport().  Can you confirm?
per karl, Ted M is the person to ask about this.

Ted: We want to annotate crash reports with the address chosen for frame poisoning (which cannot, unfortunately, be fixed at compile time) so that they can be identified reliably in crash-stats.  The code that chooses the address is in libgklayout.

1) Can I #include <nsExceptionHandler.h> and use CrashReporter:: functions directly, or do I have to do something more XPCOMful?
2) Which is more appropriate: AnnotateCrashReport with a new key, AppendAppNotesToCrashReport, or something else?
(In reply to comment #15)
 
> 1) Can I #include <nsExceptionHandler.h> and use CrashReporter:: functions
> directly, or do I have to do something more XPCOMful?

Sadly, no, you'll need to use XPCOM, like this:
http://mxr.mozilla.org/mozilla-central/source/xpcom/base/nsObjCExceptions.h#75

> 2) Which is more appropriate: AnnotateCrashReport with a new key,
> AppendAppNotesToCrashReport, or something else?

It depends on what you want to do with the data. I'm assuming that this is going to be attached to every report. The "App Notes" API is designed for attaching arbitrary text to a report that is intended to be human readable on the crash report page. If you want the data to be available for some sort of automated querying/reporting, then you'll want to use AnnotateCrashReport with a new key. The caveat there is that you'll then need to file a Socorro bug to get the server to store and display your new data.
Pushed http://hg.mozilla.org/mozilla-central/rev/16b7c8b2bcc9 with this version of the patch - the only change is s/candidate/PRUword(result)/ in two places as pointed out above by roc.
Attachment #414160 - Attachment is obsolete: true
I filed followup bugs for the crash annotations (bug 531845 and bug 531847) and for the refactory (bug 531848).
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Whiteboard: [needs landing] → [baking for 1.9.2]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: