Closed
Bug 546801
Opened 15 years ago
Closed 15 years ago
StringIndexer is not safe
Categories
(Tamarin Graveyard :: Virtual Machine, defect, P2)
Tamarin Graveyard
Virtual Machine
Tracking
(Not tracked)
VERIFIED
FIXED
flash10.1
People
(Reporter: stejohns, Assigned: stejohns)
Details
Attachments
(1 file)
|
2.36 KB,
patch
|
lhansen
:
review+
edwsmith
:
superreview+
|
Details | Diff | Splinter Review |
StringIndexer caches the secret pointers in a String in the name of speed; this was a valid assumption at one time, but the existence of convertToDynamic() invalidates this assumption. StringIndexer will probably have to go away, or become thin syntactic sugar around String::charAt.
Imagine code like:
StringIndexer foo(s);
DoSomethingThatCanTriggerGC();
at this point, s might have been converted to a dynamic string, but foo still points to the old, discarded memory.
|
||
Comment 1•15 years ago
|
||
Doesn't the GC see the pointers in foo and keep the old buffer's around? Its not like convertToDynamic is explicitly deleting them. Keep in mind the GC allows interior pointers to exist on the stack and it will find them if that's the issue.
|
Assignee | |
Comment 2•15 years ago
|
||
(In reply to comment #1)
> Doesn't the GC see the pointers in foo and keep the old buffer's around?
This is true; I had forgotten we handle interior pointers now. The genesis of this bug is a very-hard-to-repro crash that (so far) this is the most likely explanation for: the StringIndexer embedded in XMLParser has a String that is still valid and plausible, but the Pointers field of StringIndexer doesn't match the values in the String (as it should) and is not valid memory (though the pointers themselves look reasonable, so a possible cause is that it's memory that was decommitted).
If GC could somehow miss this interior pointer, it would explain this behavior. Are we certain that the interior-pointer code is 100% fully baked at this point?
|
||
Comment 3•15 years ago
|
||
(In reply to comment #2)
> If GC could somehow miss this interior pointer, it would explain this behavior.
> Are we certain that the interior-pointer code is 100% fully baked at this
> point?
Not really, because we're not relying on it on most platforms. Also the pointer must be interior, can't point before the start or after then end. (Compilers have been known to do that in the past, but I think it's considered bad practice.)
|
|
||
Comment 4•15 years ago
|
||
To add to Lar's comment there was a bug we fixed last week where the scan interior pointers functionality wasn't being propagated to stack segments. Has the bug been repro'd since last weeks tamarin integration?
|
|
Assignee | |
Comment 5•15 years ago
|
||
Yeah, after looking at the comments and further investigation, I think this is a red herring -- I don't think StringIndexer is unsafe in its current incarnation, and likely not the cause of the crash I'm investigating. Withdrawing.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → INVALID
|
||
Updated•15 years ago
|
Status: RESOLVED → VERIFIED
|
|
Assignee | |
Comment 6•15 years ago
|
||
Reopening -- new evidence suggests this really is an issue after all. In particular, Flash *doesn't* use GC memory to store SWF, thus when an ABC buffer is released, the old pointer could well become invalid as it's outside of the GC world.
Status: VERIFIED → REOPENED
Resolution: INVALID → ---
|
|
Assignee | |
Comment 7•15 years ago
|
||
Turn StringIndexer into a simple wrapper around charAt. This is suboptimal, but the only safe way to implement it in the general case, given constant-pool-string dynamicizing.
Assignee: nobody → stejohns
Attachment #428592 -
Flags: superreview?(edwsmith)
Attachment #428592 -
Flags: review?(lhansen)
|
|
||
Comment 8•15 years ago
|
||
(In reply to comment #6)
> Reopening -- new evidence suggests this really is an issue after all. In
> particular, Flash *doesn't* use GC memory to store SWF, thus when an ABC buffer
> is released, the old pointer could well become invalid as it's outside of the
> GC world.
This isn't entirely true, the swf buffer is unmanaged memory but its only ever deleted from the dtor of a GCFinalizedObject.
|
||
Comment 9•15 years ago
|
||
Comment on attachment 428592 [details] [diff] [review]
Patch
seems safe, of course, but unknown performance implications.
Attachment #428592 -
Flags: superreview?(edwsmith) → superreview+
|
|
Assignee | |
Comment 10•15 years ago
|
||
(In reply to comment #8)
> This isn't entirely true, the swf buffer is unmanaged memory but its only ever
> deleted from the dtor of a GCFinalizedObject.
Right, and that's the issue... in the example I gave above, if the collection is triggered, and collects+finalizes the object that is managing the unmanaged memory, we're still dead.(In reply to comment #9)
> (From update of attachment 428592 [details] [diff] [review])
> seems safe, of course, but unknown performance implications.
Agreed -- of course, Crowder's Law applies, but we should still run perf tests before landing so we know what the impact is.
|
|
Assignee | |
Comment 11•15 years ago
|
||
Status: REOPENED → RESOLVED
Closed: 15 years ago → 15 years ago
Resolution: --- → FIXED
|
||
Comment 12•15 years ago
|
||
This patch appears to have fixed another linux specific issue, bug# 402864. I have commented in the bug referencing this issue.
|
|
||
Updated•15 years ago
|
Attachment #428592 -
Flags: review?(lhansen) → review+
You need to log in
before you can comment on or make changes to this bug.
Description
•