Closed Bug 531350 Opened 15 years ago Closed 15 years ago

TMFLAGS=fragprofile leads to reading freed memory

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jseward, Unassigned)

Details

(Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file)

patch that does the simple fix as per above comment
800 bytes, patch
graydon
: review+
Details | Diff | Splinter Review
When landed a couple of months back, the fragment profiler ran Memcheck-clean, but that is no longer the case. It now sometimes reads freed memory and usually asserts or segfaults as a result, which undermines its usefulness. This appears to be to do with collecting profile data from GuardRecords at the end of a run, for traces for which the recorder aborted, and have already been freed up. eg: TMFLAGS=minimal,fragprofile valgrind --smc-check=all \ ./D32/js -j ../../../SunSpider/tests/access-binary-trees.js Invalid read of size 4 at 0x811D67B: js_FragProfiling_FragFinalizer(nanojit::Fragment*, JSTraceMonitor*) (jstracer.cpp:513) by 0x8122D26: js_PurgeScriptFragments(JSContext*, JSScript*) (jstracer.cpp:7728) by 0x80FC469: js_DestroyScript (jsscript.cpp:1773) by 0x8057955: JS_DestroyScript (jsapi.cpp:4771) by 0x8050874: Process(JSContext*, JSObject*, char*, int) (js.cpp:440) by 0x80513F9: ProcessArgs(JSContext*, JSObject*, char**, int) (js.cpp:848) by 0x805172B: main (js.cpp:4860) Address 0x7a21cdc is 572 bytes inside a block of size 2,004 free'd at 0x4C9EB16: free (vg_replace_malloc.c:325) by 0x811C390: nanojit::Allocator::freeChunk(void*) (jstracer.cpp:309) by 0x814944E: VMAllocator::rewind(VMAllocator::Mark const&) (jstracer.h:585) by 0x81494B8: VMAllocator::Mark::~Mark() (jstracer.h:576) by 0x813D26E: TraceRecorder::~TraceRecorder() (jstracer.cpp:2488) by 0x813D462: TraceRecorder::finishAbort(char const*) (jstracer.cpp:2570) by 0x813D4FC: js_AbortRecordingImpl(JSContext*, char const*) (jstracer.cpp:7193) by 0x814487E: TraceRecorder::attemptTreeCall(TreeFragment*, unsigned int&) (jstracer.cpp:6034) by 0x8145103: TraceRecorder::record_EnterFrame(unsigned int&) (jstracer.cpp:9818) by 0x81882F3: js_Interpret (jsops.cpp:2233) by 0x80A4000: js_Execute (jsinterp.cpp:1619) by 0x80571C1: JS_ExecuteScript (jsapi.cpp:4948) One "fix" is (or appears to be) to change TraceRecorder::createGuardRecord(VMSideExit* exit) to allocate the new GuardRecords in dataAlloc rather than traceAlloc. This stops Memcheck complaining, and gets rid of assertion failures and segfaults inside js_FragProfiling_FragFinalizer, so the profiler is usable. But I doubt it is a proper fix.
Yeah, doing this unconditionally is bad since we generate a ton of guards (more than almost any other structure) and a lot of them are thrown out when we rewind. Enough that this change will seriously decrease the proportion of live data in the trace cache. Two options would work though: One is to finalize the fragments earlier (when the traceAlloc is rewound) by keeping a log if the fragments allocated in it. You rewind this list by finalizing everything on it, and commit the list by forgetting it. Would be contained within the VMAllocator::Mark object or similar. Another (simpler) option is to ifdef-DEBUG the choice of whether to store guards in the traceAlloc or the dataAlloc; IOW only apply your proposed fix when there's a fragment profiler around to care. A helpful comment explaining the ifdef would be required, but I think this would be ... possibly acceptable. It'll change memory behavior when built DEBUG, but I'm pretty sure we already change substantially due to all the debugging-output support structures we put in those allocators.
Another option would be to only allocate longer-lived guards if LC_FragProfile is true. Julian -- what do you think?
Fine by me. The only reason I didn't gate it on LC_FragProfile is that is gives 3 configurations to verify (as memcheck-clean): release, debug w/o LC_FragProfile, and debug w/ LC_FragProfile rather than just 2.
Graydon, review ping.
Comment on attachment 418660 [details] [diff] [review] patch that does the simple fix as per above comment Oh goodness, sorry for letting that go. Yes, this is fine by me.
Attachment #418660 - Flags: review?(graydon) → review+
http://hg.mozilla.org/mozilla-central/rev/f909e6aacc87
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: