Closed
Bug 663386
Opened 13 years ago
Closed 6 years ago
blacklist FixedAlloc-managed memory detection is fragile/wrong
Categories
(Tamarin Graveyard :: Garbage Collection (mmGC), defect, P4)
Tamarin Graveyard
Garbage Collection (mmGC)
Tracking
(Not tracked)
RESOLVED
WONTFIX
Q1 12 - Brannan
People
(Reporter: pnkfelix, Unassigned)
References
Details
(Whiteboard: has-patch, loose-end)
Attachments
(1 file)
2.24 KB,
patch
|
treilly
:
review+
lhansen
:
superreview+
|
Details | Diff | Splinter Review |
The blacklist code makes use of GC::findGCGraphBeginning. This code, in a (presumably rare) corner case, tries to determine whether the given address addr belongs to a small object, and thus managed by FixedAlloc (and thus the function should use FixedAlloc::FindBeginning to determine the object's start), or if the addr belongs to a large object and thus not managed by FixedAlloc. The logic it uses is this: GCHeap::HeapBlock *b = heap->AddrToBlock(addr); if(b) { wasDeletedGCRoot = true; if(b->inUse()) { if(b->size == 1) { return FixedAlloc::FindBeginning(addr); } else { return GetUserPointer(b->baseAddr); } } } The problem is that this will not make the correct choice for middle-sized objects where size > FixedMalloc::kLargestAlloc but size <= GCHeap::kBlockSize. kLargestAlloc is either 2016 or 2032 (for 64- and 32-bit systems, respectively). kBlockSize is 4096. (I would love to claim that I discovered this by reviewing the code, but I do not have such eagle eyes. Rather, I ran into the issue while working on Bug 663177: it turns out that sizeof(avmshell::ShellCoreImpl) == 2576.) Anyway, Tommy suggested that I lift the blacklist's findGCGraphBeginning logic to FixedMalloc as part of the work on Bug 663177; I'll work on fixing this bug at the same time.
Reporter | ||
Updated•13 years ago
|
Assignee: nobody → fklockii
Reporter | ||
Comment 1•13 years ago
|
||
Reporter | ||
Updated•13 years ago
|
Whiteboard: has-patch
Reporter | ||
Comment 2•13 years ago
|
||
Comment on attachment 539323 [details] [diff] [review] use FixedMalloc::FindBeginning to do the fallback lookup The "friend class GCRoot" declaration here actually belongs with attachment 539548 [details] [diff] [review] (on Bug 664137, the GCRoot beginning derivation bug). I put it here because this patch came earlier in my patch queue, but assuming I end up pushing the GCRoot fix first, then obviously the friend declaration will go there as well. I thought when I first started on this code that I would be able to get rid of the loop over m_roots, but that's not true, because to support wasDeletedGCRoot one still needs to traverse the roots. That's okay though, its not a big deal if the MMGC_HEAP_GRAPH/blacklist code has some extra computational overhead.
Attachment #539323 -
Flags: superreview?(lhansen)
Attachment #539323 -
Flags: review?(treilly)
Reporter | ||
Updated•13 years ago
|
Status: NEW → ASSIGNED
Updated•13 years ago
|
Attachment #539323 -
Flags: review?(treilly) → review+
Updated•13 years ago
|
Attachment #539323 -
Flags: superreview?(lhansen) → superreview+
Looks ready to land? Can this land during i9?
Flags: flashplayer-qrb+
Flags: flashplayer-injection-
Flags: flashplayer-bug+
Priority: -- → P4
Whiteboard: has-patch → has-patch, loose-end
Target Milestone: --- → Q1 12 - Brannan
Reporter | ||
Comment 4•12 years ago
|
||
I do not trust FindBeginning 100% in debug mode, due to bug 735121. So let us fix that first.
Reporter | ||
Updated•12 years ago
|
Assignee: fklockii → nobody
Comment on attachment 539323 [details] [diff] [review] use FixedMalloc::FindBeginning to do the fallback lookup ># HG changeset patch ># Parent 601ba227d5cdaa8b5e1ce6de1219e47ff63b0401 > >diff --git a/MMgc/FixedMalloc.h b/MMgc/FixedMalloc.h >--- a/MMgc/FixedMalloc.h >+++ b/MMgc/FixedMalloc.h >@@ -55,16 +55,18 @@ namespace MMgc > * The "owner" of the FixedMalloc is GCHeap, the block manager. > * > * FixedMalloc uses size classes; each size class is handled by a FixedAllocSafe > * instance. Large objects are handled specially. All objects are headerless. > */ > class FixedMalloc > { > friend class GCHeap; >+ friend class GC; >+ friend class GCRoot; > friend class avmplus::ST_mmgc_bugzilla_663508::ST_mmgc_bugzilla_663508; > > public: > /** > * Obtain a FixedMalloc instance. > * > * @return the FixedMalloc singleton. > */ >diff --git a/MMgc/GC.cpp b/MMgc/GC.cpp >--- a/MMgc/GC.cpp >+++ b/MMgc/GC.cpp >@@ -3828,36 +3828,33 @@ namespace MMgc > { > /* These are all the possibilities > 1) GC small object > 2) GC large object > 3) GCRoot > 4) OS stack > */ > if(!IsPointerToGCPage(addr)) { >+ const void* begin = >+ FixedMalloc::GetFixedMalloc()->FindBeginning(addr); > GCRoot *r = m_roots; > while(r) { >- if(addr >= r->Get() && addr < r->End()) >+ if(addr >= r->Get() && addr < r->End()) { >+ GCAssert(r->Get() == begin); > return r->Get(); >+ } > r = r->next; > } > > // could be a deleted GCRoot > GCHeap::HeapBlock *b = heap->InteriorAddrToBlock(addr); > if(b) { > wasDeletedGCRoot = true; >- if(b->inUse()) { >- if(b->size == 1) { >- return FixedAlloc::FindBeginning(addr); >- } else { >- return GetUserPointer(b->baseAddr); >- } >- } > } >- return NULL; >+ return begin; > } > return FindBeginningGuarded(addr, true); // will return NULL for OS stack > } > > void GC::DumpBackPointerChain(const void *p) > { > dumpBackPointerChain(p, markerGraph); > }
Comment 7•6 years ago
|
||
No assignee, updating the status.
Comment 8•6 years ago
|
||
No assignee, updating the status.
Comment 9•6 years ago
|
||
Tamarin is a dead project now. Mass WONTFIX.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
Comment 10•6 years ago
|
||
Tamarin isn't maintained anymore. WONTFIX remaining bugs.
You need to log in
before you can comment on or make changes to this bug.
Description
•