Closed Bug 561402 Opened 15 years ago Closed 15 years ago

HeapBlock's need initialization in ExpandHeapInternal

Categories

(Tamarin Graveyard :: Garbage Collection (mmGC), defect, P2)

Product:
Tamarin Graveyard
Component:
Garbage Collection (mmGC)
Platform:
x86
macOS
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
flash10.1-mobile

People

(Reporter: treilly, Assigned: treilly)

Details

Attachments

(4 files, 3 obsolete files)

other way to re-create problem
801 bytes, patch
Details | Diff | Splinter Review
Fix
3.66 KB, patch
pnkfelix
: review+
lhansen
: superreview+
Details | Diff | Splinter Review
GCHeap::Commit doesn't respect VMPI_areNewPagesDirty()
351 bytes, patch
pnkfelix
: review+
lhansen
: superreview+
Details | Diff | Splinter Review
Instead of DEBUG use MMGC_POISON_MEMORY_FROM_OS
991 bytes, patch
lhansen
: review+
Details | Diff | Splinter Review
If VMPI_areNewPagesDirty() is true and we went down the path this path: // if baseAddr was used for HeapBlocks split if((char*)newBlocks == baseAddr) and the nextREgion == NULL path after it the block used for the regions needs to be initialized before calling split. Both paths that call Split should init the new "head" block.
Assignee: nobody → treilly
Priority: -- → P2
Target Milestone: --- → flash10.1-mobile
Attachment #441488 - Flags: superreview?(lhansen)
Attachment #441488 - Flags: review?(fklockii)
Tommy, what's up with the tab characters in the patch?
(oh, this is for argo, sorry, I was trying to apply it to tr)
Actually its a good point, I should use spaces so I can pull it from tr-argo to tr, I won't bother to repost the patch though
Quick initial and very local feedback on local issues in the patch (while I am still getting my head around the context of the bug itself): I do not understand why you are passing newPagesDirty() as the dirty flag to newBlock->init(..) on line 1308, when a few lines after that the dirty field of newBlock is explicitly set to block->dirty. You should either pass block->dirty as the argument, or get rid of the assignment statement following init, or change the logic so that you are doing something with both values, but as it stands it does not make sense to me to have both involved in the computation when one is obviously supposed to be unused. Also if if you have a concrete test case associated with this bug, it would useful for me. But if you don't I will keep exploring on my own.
+1, I'll fix and post a new patch. This bug only reproduces in an environment where we aren't using virtual memory and new pages are dirty. Symbian is like this. We could force a crash by turning off virtual memory and poisoning memory returned from VMPI_allocateAlignedMemory (where memory comes from when virtual memory is off). I'll post a patch that does that.
Status: NEW → ASSIGNED
I'm getting by for the moment by just locally changing the mac VMPI to return true from areNewPagesDirty instead of false; (I am assuming that this is a conservative change with respect to correctness and should only make a difference with respect to performance). We may want to consider trying to create a VMPI testing environment that does things like this, returning non-standard but conservative values for methods like this, in order to catch corner cases like this on things besides the odd mobile device...
(In reply to comment #6) > This bug only reproduces in an environment where we aren't using virtual memory > and new pages are dirty. You said this only reproduces in an environment were we *aren't* using virtual memory, but the code in question is/was only invoking VMPI_areNewPagesDirty when we *are* using virtual memory (if I understand the meaning of "config.useVirtualMemory" correctly). Did you misspeak about where this reproduces, or ... ?
the bug occurs when fresh memory used to expand the heap isn't pre-zeroed. That only occurs when using virtual memory AND VMPI_areNewPagesDirty is true or we aren't using virtual memory in which case we assume new memory is always dirty. So to reproduce the bug you have to either have VMPI_areNewPagesDirty return true and have VMPI_commitMemory scribble, or turn off virtual memory and have VMPI_allocateAlignedMemory scribble. The actual problem that occurred in the wild that lead to this bug is the second one. Setting MallocScribble env var and having VMPI_useVirtualMemory return false would be a good test, trying that now...
Attached patch re-create the problem (obsolete) — Splinter Review
This patch shows the problem, asking for review to submit the ifdef DEBUG part of VMPI_allocateAlignedMemory.
Attachment #441787 - Flags: superreview?(lhansen)
Attachment #441787 - Flags: review?(fklockii)
It turns out MallocScribble=1 has no affect on valloc
Do we have an adversarial version of VMPI that we can swap in for testing purposes? If not, we should either make one, or make a configure switch that turns the "standard host" VMPI implementation into an adversarial system that does things like scribble on memory (while of course conforming to our specs, so e.g. in this case such scribbling would also require changing the return value of areNewPagesDirty.
(this is the other approach Tommy had originally suggested that I happened to be independently investigating this morning. I'm just attaching it to this ticket for completeness.) I think a "full-featured" adversarial VMPI would include both tommy's recreation change and this one (guarded under #ifdefs or put into an entirely separate VMPI-adversary.cpp file).
Comment on attachment 441787 [details] [diff] [review] re-create the problem The #ifdef DEBUG part looks fine to me. (Obviously the change to useVirtualMemory should not land.) You might add a comment pointing to this ticket with the memset line? Anyway, I think it is a good idea to put this in, independently of my idea of an adversarial vmpi, which would have the much more substantive change (and not worthy of guarding under just DEBUG) of flipping areNewPagesDirty.
Attachment #441787 - Flags: review?(fklockii) → review+
One more tiny nitpick about the original patch: your Init function uses "this->foo = ..." to initialize some members but omits it for "committed = true;" I can see that you have to do this since the Init parameter names are shadowing the member names, I'd prefer that you use the same style and include "this->" throughout the Init function definition. (But man that is a tiny nit.)
Attached patch ensure we don't regress this bug (obsolete) — Splinter Review
For submission after fix is submitted, also guards against regresion in the case where we are using virtual memory and VMPI_areNewPagesDirty is true. This covers the Symbian case that is currently untested otherwise.
Attachment #441787 - Attachment is obsolete: true
Attachment #441797 - Flags: superreview?(lhansen)
Attachment #441797 - Flags: review?(fklockii)
Attachment #441787 - Flags: superreview?(lhansen)
Attached patch FixSplinter Review
Incorporates Felix's suggested simplification of the Split case, otherwise unchanged. I opted not to change tabs to spaces, will make sure that happens in the tr-argo->tr merge which is where it should happen I think.
Attachment #441488 - Attachment is obsolete: true
Attachment #441798 - Flags: superreview?(lhansen)
Attachment #441798 - Flags: review?(fklockii)
Attachment #441488 - Flags: superreview?(lhansen)
Attachment #441488 - Flags: review?(fklockii)
Comment on attachment 441798 [details] [diff] [review] Fix (last teensy nit still stands, but that's obviously not worth holding up this fix.)
Attachment #441798 - Flags: review?(fklockii) → review+
Comment on attachment 441797 [details] [diff] [review] ensure we don't regress this bug Okay, looks like Tommy's not as worried as I am about changing code paths in debug builds... If Lars or Ed say its okay to change areNewPagesDirty based on DEBUG, then I'll go along with it, but I am not sure its an appropriate behavioral change to associate with that flag. (Thus my suggestion of a separate adversarial mode.)
Yeah I'm just following the FixedMalloc precedent and extending it. I sometimes think that we should make Release/Debug builds exactly the same except for assertions, compiler optimizations and put these pedantic things under a new different feature but we've never done that. I'm just going for getting good testing coverage under todays system. Ie mac 10.5+ will use virtual memory and DEBUG builds will test VMPI_newPagesAreDirty and Mac 10.4 which doesn't use virtual memory will test the dirty VMPI_allocateAlignedMemory path.
aybe for Argo we should adopt iyuuor(In reply to comment #20) > Yeah I'm just following the FixedMalloc precedent and extending it. I > sometimes think that we should make Release/Debug builds exactly the same > except for assertions, compiler optimizations and put these pedantic things > under a new different feature but we've never done that. I'm just going for > getting good testing coverage under todays system. Right, seems sane (except that if a bug predicated on dirty=false arises in release builds for 10.5+ it may disappear under debug mode, which is frustrating. But this is not news to you). For Argo maybe we adopt your current approach and file a separate ticket suggesting the addition of a emulate_adversarial_environment feature?
(or "pedantic" rather than "adversarial", if you prefer that term. :)
Flags: flashplayer-qrb+
fallout from new DEBUG code in sandbox builder
Attachment #441846 - Flags: superreview?(lhansen)
Attachment #441846 - Flags: review?(fklockii)
Attachment #441846 - Flags: review?(fklockii) → review+
sandbox green just waiting for SR, switching to Ed, since Lars is out
Attachment #441797 - Flags: superreview?(lhansen) → superreview?(edwsmith)
Attachment #441798 - Flags: superreview?(lhansen) → superreview?(edwsmith)
Attachment #441846 - Flags: superreview?(lhansen) → superreview?(edwsmith)
Comment on attachment 441797 [details] [diff] [review] ensure we don't regress this bug r+, apart from the issue about whether we should have a separate pedantic/adversarial mode separate from debug as discussed in comment 19 and below it.
Attachment #441797 - Flags: review?(fklockii) → review+
Attachment #441797 - Flags: superreview?(edwsmith) → superreview?(lhansen)
Attachment #441798 - Flags: superreview?(edwsmith) → superreview?(lhansen)
Attachment #441846 - Flags: superreview?(edwsmith) → superreview?(lhansen)
Comment on attachment 441797 [details] [diff] [review] ensure we don't regress this bug I don't think it's a good idea for this debugging code always to be on in debug builds, because that makes it harder to recreate release conditions in debug builds. The appropriate fix here would be an ad-hoc #define in mmgc.h (like the one we have for MMGC_POLICY_PROFILING); the default can be "on" in the shell or even in the player for that matter, but it should be visible and it should be possible to disable it. (Also it's good hygiene to use VMPI_memset, though not strictly necessary here.)
Attachment #441797 - Flags: superreview?(lhansen) → superreview-
Attachment #441846 - Flags: superreview?(lhansen) → superreview+
Comment on attachment 441798 [details] [diff] [review] Fix There's no reason for the 'dirty' argument to Init to have a default value, it only invites bugs. (If it does have a default value the default value should be true, or it should be a cookie that forces Init to go out and ask the VMPI layer. Both seem wrong but I'm open to arguments.) SR+ on the condition that that's fixed.
Attachment #441798 - Flags: superreview?(lhansen) → superreview+
tamarin-redux - changeset - 4650:acc98fa4ce04
fix is submitted but leaving open until we agree upon a regression strategy. There's conflict that we don't want to introduce any (more) artificial Debug/Release divergence but want to instead go with some compile time enabled extra testing code and need the build to also pick up on that so it gets run. Maybe a "DEBUG_PARANOID" feature run during deep tests?
Idea is that this would be defined by some MMgc aggressive DEBUG feature
Attachment #441797 - Attachment is obsolete: true
Attachment #471111 - Flags: review?(lhansen)
Comment on attachment 471111 [details] [diff] [review] Instead of DEBUG use MMGC_POISON_MEMORY_FROM_OS The feature is fine but let's not reintroduce more magic poison constants. Poison constants are all defined in GCHeap.h. R+ on the condition that that's fixed.
Attachment #471111 - Flags: review?(lhansen) → review+
http://hg.mozilla.org/tamarin-redux/rev/3d509ea4d9ab
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: