Make IonBuilder memory ballast contract explicit and testable

RESOLVED FIXED in Firefox 44

Status

()

Core
JavaScript Engine
RESOLVED FIXED
3 years ago
a year ago

People

(Reporter: jorendorff, Assigned: nbp)

Tracking

(Blocks: 2 bugs)

unspecified
mozilla44
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox44 fixed)

Details

Attachments

(1 attachment, 1 obsolete attachment)

(Reporter)

Description

3 years ago
Our OOM testing machinery hits false positives in IonBuilder where it tries to allocate something from the TempAlloc, and we inject a failure there, and of course it crashes, because it's supposed to be impossible for an error to occur there, due to ballast.

In debug builds, we should track how many bytes of ballast we have left, and assert it never reaches 0.

If that assertion ever hits, it'll be easy to add another ensureBallast() call somewhere.
(Reporter)

Updated

3 years ago
Blocks: 912928, 988953
Assignee: general → nobody
Assignee: nobody → nicolas.b.pierron
Most of this issue seems to be fixed by Bug 1155618.
The code path of the allocator got moved into the allocImpl functions, which is no longer used by the allocInfallible which has the AutoEnterOOMUnsafeRegion section which reports an unhandlable OOM.

I think we should not report them as unhandlable oom … I will work on that.
Created attachment 8670245 [details] [diff] [review]
Ensure that we can check for OOMs when we run out of ballast space.

This patch prevent us from reporting unhandlable oom for the TempAlloc (only
user of the Lifo allocInfallible function).

The TempAllocator issues can be handled by allocating more ballast space in
for-loops which are doing multiple allocations.
Attachment #8670245 - Flags: review?(jdemooij)
We should not land this bug before much more fuzzing is made on this patch, as this replace a failure by some code which is considered to be infallible.  Maybe it would make sense to have a MOZ_RELEASE_ASSERT instead.
Comment on attachment 8670245 [details] [diff] [review]
Ensure that we can check for OOMs when we run out of ballast space.

Review of attachment 8670245 [details] [diff] [review]:
-----------------------------------------------------------------

Yeah, I think the idea makes sense but this should be a MOZ_RELEASE_ASSERT.
Attachment #8670245 - Flags: review?(jdemooij) → feedback+
Depends on: 1212389
Created attachment 8671337 [details] [diff] [review]
Ensure that we can check for OOMs when we run out of ballast space.

This patch makes sure that the TempAllocator used by IonMonkey reports
non-handlable oom as issues, such that we can ensure that we do not fail
because of large allocations made by the compiler.
Attachment #8671337 - Flags: review?(jdemooij)
Attachment #8670245 - Attachment is obsolete: true

Updated

2 years ago
Attachment #8671337 - Flags: review?(jdemooij) → review+

Comment 6

2 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/fbf7d94986bb
https://hg.mozilla.org/mozilla-central/rev/fbf7d94986bb
Status: NEW → RESOLVED
Last Resolved: 2 years ago
status-firefox44: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
Depends on: 1243397
You need to log in before you can comment on or make changes to this bug.