Closed Bug 559707 Opened 15 years ago Closed 14 years ago

TM: code chunk allocator is fallible, but Nanojit assumes it's infallible

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 624590
Tracking Flags:
Tracking Status
blocking2.0 --- -

People

(Reporter: n.nethercote, Assigned: n.nethercote)

References

Details

(Keywords: crash) 

Nanojit is designed to use an infallible allocator for code chunks.
From nanojit/CodeAlloc.h:

       // CodeAlloc's SPI.  Implementations must be defined by nanojit embedder.
       // allocation failures should cause an exception or longjmp; nanojit
       // intentionally does not check for null.
       //

       /** allocate nbytes of memory to hold code.  Never return null! */
       void* allocCodeChunk(size_t nbytes);

This is nice because it makes the code simpler in various places.  The
problem is that the implementations of allocCodeChunk() used by TM is not infallible.  It's in nanojit/avmplus.cpp, it uses mmap() on
Unix and other fallible things (eg. posix_memalign()) on other platforms.

In comparison, TR's implementation is infallible -- it either aborts or longjmps if it can't allocate the memory.

The only check for infallibility is an assertion in nanojit/CodeAlloc.cpp:

       void *mem = allocCodeChunk(bytesPerAlloc); // allocations never fail
       totalAllocated += bytesPerAlloc;
       NanoAssert(mem != NULL); // see allocCodeChunk contract in CodeAlloc.h

Other than that, Nanojit assumes the allocation succeeded.  In an
optimised build, where assertions are disabled, Nanojit will happily
start scribbling over the zeroth page in memory causing a crash.  (I'm marking this bug as security-sensitive for this reason.)

This seems bad, and is certainly counter to TM's general attempts to
detect and recover from out-of-memory situations.  Suggestions on how to address this are welcome.
Summary: TM: → TM: code chunk allocator is fallible, but Nanojit assumes it's infallible
> Nanojit will happily start scribbling over the zeroth page
>  in memory causing a crash.  (I'm marking
> this bug as security-sensitive for this reason.)

Attempting to write to the zeroth page in memory is a guaranteed safe crash in userland code on any sane OS.  Does this bug really need to be security-sensitive?
(In reply to comment #1)
> 
> Attempting to write to the zeroth page in memory is a guaranteed safe crash in
> userland code on any sane OS.  Does this bug really need to be
> security-sensitive?

If that's true, then no.  I was just being cautious.  Can you unmark it?  Looks like I'm unable to do so.
Group: core-security
Keywords: crash
blocking2.0: --- → ?
I really don't think this needs to block, given that it always leads to an immediate safe crash, right?
blocking2.0: ? → -
Marking this as a duplicate of bug 624590, which subsumes it.
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.