Closed
Bug 600853
Opened 14 years ago
Closed 14 years ago
last ditch GC and OOM reporting with title lock held
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
People
(Reporter: igor, Assigned: igor)
References
Details
(Whiteboard: [sg:critical])
Attachments
(3 files, 2 obsolete files)
12.55 KB,
patch
|
brendan
:
review+
dveditz
:
approval1.9.2.14+
|
Details | Diff | Splinter Review |
13.14 KB,
patch
|
igor
:
review+
dveditz
:
approval1.9.1.17+
|
Details | Diff | Splinter Review |
654 bytes,
patch
|
brendan
:
review+
christian
:
approval1.9.2.14+
christian
:
approval1.9.1.17+
|
Details | Diff | Splinter Review |
obj_toSource contains: ok = obj->lookupProperty(cx, id, &obj2, &prop); ... idstr = js_ValueToString(cx, IdToValue(id)); ... JS_UNLOCK_OBJ(cx, obj2); Here js_ValueToString allocates a string when id is an integer. This implies that the last-ditch GC and OOM reporting will run with title lock held. Similarly JS_SetWatchPoint contains: if (!js_LookupProperty(cx, obj, propid, &pobj, &prop)) ... watcher = js_WrapWatchedSetter(cx, propid, shape->attributes(), shape->setter()); ... JS_UNLOCK_OBJ(cx, obj); Here js_WrapWatchedSetter allocates at least new Function leading to the same bug. Marking as security-sensitive as this is related to the bug 569162 and in case other places contains the similar pattern but when an arbitrary JS code can run.
Updated•14 years ago
|
blocking2.0: --- → beta8+
Whiteboard: [sg:critical]
Assignee | ||
Comment 1•14 years ago
|
||
The bugs in the comment 0 are a real hazards if the corresponding code is run against thread-shared objects. If another thread is waiting for the current thread to share the objects, then, as a consequence of changes in the big 477627, the last-ditch GC shares the object. That allows that thread to run until it suspends its the request. That other thread can then delete the shapes and let the GC to collect them before the first thread accesses them.
Blocks: 477627
Assignee | ||
Comment 2•14 years ago
|
||
There are a lot of places where the the GC allocation happens when the object is locked. It is rather non-trivial and often very error-prone to change the corresponding code. So the patch takes simpler approach of just disabling the last-ditch GC when the current thread has any titles to share.
Comment 3•14 years ago
|
||
is this ready for review?
Assignee | ||
Comment 4•14 years ago
|
||
(In reply to comment #3) > is this ready for review? It seems the try server gives more orange than usual for this patch. I am investigating that.
Assignee | ||
Comment 5•14 years ago
|
||
here is a rebased patch. It passes the tryserver and the oranges that I have seen comes from unrelated patch. To allow for simpler detection of waiting titles for the current thread the patch moves the title sharing list into JSThread.
Attachment #481920 -
Attachment is obsolete: true
Attachment #482832 -
Flags: review?(brendan)
Comment 6•14 years ago
|
||
Brendan, this is a beta8 blocker and a security bug, can you do this review?
Comment 7•14 years ago
|
||
We killed titles within the last two weeks, so is this even a bug any more?
Comment 8•14 years ago
|
||
(In reply to comment #7) > We killed titles within the last two weeks, so is this even a bug any more? For the branches. /be
Updated•14 years ago
|
blocking2.0: beta8+ → ---
Updated•14 years ago
|
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
Updated•14 years ago
|
blocking1.9.1: ? → needed
blocking1.9.2: ? → needed
status1.9.1:
--- → wanted
status1.9.2:
--- → wanted
Comment 9•14 years ago
|
||
Igor, is the attached patch good for older branches as well? If not, please upload a branch version.
Comment 10•14 years ago
|
||
Igor, ping?
Assignee | ||
Comment 11•14 years ago
|
||
(In reply to comment #10) > Igor, ping? We need a new patch. I should have it this week.
Comment 12•14 years ago
|
||
Excellent, thanks Igor!
Assignee | ||
Comment 13•14 years ago
|
||
Here is a minimal patch. It makes sure that the GC allocation paths do not invoke the last ditch GC if the current thread has titles to share. I will ask for a review after more testing.
Attachment #482832 -
Attachment is obsolete: true
Attachment #482832 -
Flags: review?(brendan)
Assignee | ||
Comment 14•14 years ago
|
||
Comment on attachment 495512 [details] [diff] [review] patch for 192 v1 The patch passes testing.
Attachment #495512 -
Flags: review?(brendan)
Comment 15•14 years ago
|
||
Comment on attachment 495512 [details] [diff] [review] patch for 192 v1 Looks good -- any reason not to make HAS_TITLES_TO_SHARE be an inline hasTitlesToShare method? /be
Attachment #495512 -
Flags: review?(brendan) → review+
Assignee | ||
Comment 16•14 years ago
|
||
(In reply to comment #15) > any reason not to make HAS_TITLES_TO_SHARE be an inline > hasTitlesToShare method? The reason is the patch minimality to avoid extra #ifdef C++ as LiveConnect is alive and kicking on 1.9.2.
Comment 17•14 years ago
|
||
Agh, you reminded me of the nameless horror that was L***C*****t! /be
Assignee | ||
Updated•14 years ago
|
Attachment #495512 -
Flags: approval1.9.2.14?
Assignee | ||
Comment 18•14 years ago
|
||
191 version required a minimal backporting from 192. Here is a plain diff between 192 and 191 patches: > @@ -1807,8 +1809,9 @@ IsGCThresholdReached(JSRuntime *rt) 129c122 < - rt->gcBytes >= rt->gcTriggerBytes; --- > - rt->gcBytes / rt->gcTriggerFactor >= rt->gcLastBytes / 100; 131c124,125 < + rt->gcBytes >= rt->gcTriggerBytes) && !HAS_TITLES_TO_SHARE(cx); --- > + rt->gcBytes / rt->gcTriggerFactor >= rt->gcLastBytes / 100) && > + !HAS_TITLES_TO_SHARE(cx); 134,135c128,129 < template <class T> static JS_INLINE T* < @@ -1840,7 +1842,7 @@ NewGCThing(JSContext *cx, uintN flags) --- > @@ -2298,9 +2301,10 @@ js_AddAsGCBytes(JSContext *cx, size_t sz > JSRuntime *rt; > > rt = cx->runtime; > - if (rt->gcBytes >= rt->gcMaxBytes || > - sz > (size_t) (rt->gcMaxBytes - rt->gcBytes) || > - IsGCThresholdReached(rt)) { > + if ((rt->gcBytes >= rt->gcMaxBytes || > + sz > (size_t) (rt->gcMaxBytes - rt->gcBytes) || > + IsGCThresholdReached(cx)) && > + !HAS_TITLES_TO_SHARE(cx)) { > if (JS_ON_TRACE(cx)) { > /* > * If we can't leave the trace, signal OOM condition, otherwise Here 1.9.1-only js_AddAsGCBytes required an extra change to disable GC when HAS_TITLES_TO_SHARE is true.
Attachment #497823 -
Flags: review+
Attachment #497823 -
Flags: approval1.9.1.17?
Comment 19•14 years ago
|
||
Comment on attachment 495512 [details] [diff] [review] patch for 192 v1 Approved for 1.9.2.14, a=dveditz for release-drivers
Attachment #495512 -
Flags: approval1.9.2.14? → approval1.9.2.14+
Comment 20•14 years ago
|
||
Comment on attachment 497823 [details] [diff] [review] patch for 191 Approved for 1.9.1.17, a=dveditz for release-drivers
Attachment #497823 -
Flags: approval1.9.1.17? → approval1.9.1.17+
status2.0:
--- → unaffected
Updated•14 years ago
|
blocking2.0: --- → -
Comment 21•14 years ago
|
||
Igor, could you land this on the branch?
Assignee | ||
Comment 22•14 years ago
|
||
landed on branches: http://hg.mozilla.org/releases/mozilla-1.9.2/rev/3b97e967b6cc http://hg.mozilla.org/releases/mozilla-1.9.1/rev/81e4317eb7f8
Comment 23•14 years ago
|
||
(In reply to comment #22) > http://hg.mozilla.org/releases/mozilla-1.9.1/rev/81e4317eb7f8 FYI, I think this is related to an ./shell.js:701 out of memory error (jit, shell only) I started seeing with 2 tests on 1.9.1 linux 32bit with 4G (the only jstests I still run regularly). It seems this would be expected behavior from this patch in some cases and probably is not of concern. I thought I would mention it though. The tests in question are: js1_5/extensions/regress-350531.js and js1_6/extensions/regress-456826.js
Assignee | ||
Comment 24•14 years ago
|
||
(In reply to comment #23) э> FYI, I think this is related to an ./shell.js:701 out of memory error (jit, > shell only) I started seeing with 2 tests on 1.9.1 linux 32bit with 4G (the > only jstests I still run regularly). Is this only n 1.9.1 or 1.9.2 is also affected?
Comment 25•14 years ago
|
||
1.9.1 only.
Assignee | ||
Comment 26•14 years ago
|
||
The failing test cases revealed a bug in landed patches. So I clear the status the status and will post the regression fixes soon.
status1.9.1:
.17-fixed → ---
status1.9.2:
.14-fixed → ---
Assignee | ||
Comment 27•14 years ago
|
||
When NewArena returns NULL, it signals to to the GC if possible or report OOM. The essence of the landed patch was to prevent that GC form happening when the current thread has titles to share. So the idea was to ignore the heap size limit in NewArena with to-be-shared-titles and report OOM when when when NewArena failed to get new GC arenas via mmap. Needless to say, the landed patch did exactly the opposite - it would ignore the limit when there were no waiting titles and would enforce the limit where there are titles. This patch fixes the typo. It applies to both ranches as-is.
Attachment #504450 -
Flags: review?(brendan)
Assignee | ||
Comment 28•14 years ago
|
||
Brendan - do you have time to look to the regression fix today? If not I will have to back out the landed patches.
Comment 29•14 years ago
|
||
Comment on attachment 504450 [details] [diff] [review] regression fix Sorry for the tardy r+ -- obvious fix now that you point it out. /be
Attachment #504450 -
Flags: review?(brendan) → review+
Assignee | ||
Comment 30•14 years ago
|
||
Comment on attachment 504450 [details] [diff] [review] regression fix asking for regression fix approval
Attachment #504450 -
Flags: approval1.9.2.14?
Attachment #504450 -
Flags: approval1.9.1.17?
Comment 31•14 years ago
|
||
Comment on attachment 504450 [details] [diff] [review] regression fix Approving regression fix
Attachment #504450 -
Flags: approval1.9.2.14?
Attachment #504450 -
Flags: approval1.9.2.14+
Attachment #504450 -
Flags: approval1.9.1.17?
Attachment #504450 -
Flags: approval1.9.1.17+
Assignee | ||
Comment 32•14 years ago
|
||
I landed regression fixes: http://hg.mozilla.org/releases/mozilla-1.9.2/rev/e19b68b68daf http://hg.mozilla.org/releases/mozilla-1.9.1/rev/237c9fe03984
status1.9.1:
--- → .17-fixed
status1.9.2:
--- → .14-fixed
Comment 33•14 years ago
|
||
Since 2.0 is marked "unaffected" and the branches are patched this bug is FIXED, right?
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Comment 34•14 years ago
|
||
I backed this out of 1.9.2 (default and 1.9.2.14 relbranch): http://hg.mozilla.org/releases/mozilla-1.9.2/rev/844ae0377afa http://hg.mozilla.org/releases/mozilla-1.9.2/rev/a50a49f952c0 (see bug 633869)
Depends on: 633869
Comment 35•14 years ago
|
||
Shall this be reopened then ?
Updated•13 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•