Wpe 2.38 dump info and crash for invalid handle backport #1632
Open
aoikonomopoulos wants to merge 5 commits into WebPlatformForEmbedded:wpe-2.38 from
Conversation
…/show_bug.cgi?id=243932
<rdar://problem/98709256>

Reviewed by Yusuke Suzuki.

This opens up an opportunity for potentially making PreciseAllocations polymorphic with MarkedBlocks.

The main difference is that instead of computing an m_endAtom, we now compute an m_startAtom. m_startAtom is chosen so that increments of m_atomsPerCell added to m_startAtom will always end up at the end of the MarkedBlock (as denoted by endAtom). This simplifies the iteration of cells in the MarkedBlock.

* Source/JavaScriptCore/heap/MarkedBlock.cpp:
(JSC::MarkedBlock::MarkedBlock):
(JSC::MarkedBlock::~MarkedBlock):
(JSC::MarkedBlock::Header::Header):
(JSC::MarkedBlock::Header::~Header):
(JSC::MarkedBlock::Handle::stopAllocating):
(JSC::MarkedBlock::Handle::lastChanceToFinalize):
(JSC::MarkedBlock::Handle::resumeAllocating):
(JSC::MarkedBlock::aboutToMarkSlow):
(JSC::MarkedBlock::resetAllocated):
(JSC::MarkedBlock::resetMarks):
(JSC::MarkedBlock::assertMarksNotStale):
(JSC::MarkedBlock::Handle::didConsumeFreeList):
(JSC::MarkedBlock::markCount):
(JSC::MarkedBlock::clearHasAnyMarked):
(JSC::MarkedBlock::Handle::didAddToDirectory):
(JSC::MarkedBlock::Handle::didRemoveFromDirectory):
(JSC::MarkedBlock::Handle::sweep):
(JSC::MarkedBlock::Footer::Footer): Deleted.
(JSC::MarkedBlock::Footer::~Footer): Deleted.
* Source/JavaScriptCore/heap/MarkedBlock.h:
(JSC::MarkedBlock::Handle::start const):
(JSC::MarkedBlock::Handle::end const):
(JSC::MarkedBlock::Header::offsetOfVM):
(JSC::MarkedBlock::newlyAllocatedVersion const):
(JSC::MarkedBlock::markingVersion const):
(JSC::MarkedBlock::lock):
(JSC::MarkedBlock::subspace const):
(JSC::MarkedBlock::populatePage const):
(JSC::MarkedBlock::header):
(JSC::MarkedBlock::header const):
(JSC::MarkedBlock::handle):
(JSC::MarkedBlock::Handle::blockHeader):
(JSC::MarkedBlock::Handle::cellAlign):
(JSC::MarkedBlock::vm const):
(JSC::MarkedBlock::atomNumber):
(JSC::MarkedBlock::areMarksStale):
(JSC::MarkedBlock::aboutToMark):
(JSC::MarkedBlock::isMarkedRaw):
(JSC::MarkedBlock::isMarked):
(JSC::MarkedBlock::testAndSetMarked):
(JSC::MarkedBlock::marks const):
(JSC::MarkedBlock::isNewlyAllocated):
(JSC::MarkedBlock::setNewlyAllocated):
(JSC::MarkedBlock::clearNewlyAllocated):
(JSC::MarkedBlock::newlyAllocated const):
(JSC::MarkedBlock::isAtom):
(JSC::MarkedBlock::Handle::forEachCell):
(JSC::MarkedBlock::hasAnyMarked const):
(JSC::MarkedBlock::noteMarked):
(JSC::MarkedBlock::setVerifierMemo):
(JSC::MarkedBlock::verifierMemo const):
(JSC::MarkedBlock::Footer::offsetOfVM): Deleted.
(JSC::MarkedBlock::footer): Deleted.
(JSC::MarkedBlock::footer const): Deleted.
(JSC::MarkedBlock::Handle::blockFooter): Deleted.
* Source/JavaScriptCore/heap/MarkedBlockInlines.h:
(JSC::MarkedBlock::isNewlyAllocatedStale const):
(JSC::MarkedBlock::marksConveyLivenessDuringMarking):
(JSC::MarkedBlock::Handle::isLive):
(JSC::MarkedBlock::Handle::specializedSweep):
(JSC::MarkedBlock::Handle::forEachLiveCell):
(JSC::MarkedBlock::Handle::forEachDeadCell):
(JSC::MarkedBlock::Handle::forEachMarkedCell):
* Source/JavaScriptCore/heap/MarkedSpace.cpp:
* Source/JavaScriptCore/llint/LLIntThunks.cpp:
(JSC::LLInt::getHostCallReturnValueThunk):
* Source/JavaScriptCore/llint/LowLevelInterpreter.asm:
* Source/JavaScriptCore/tools/Integrity.h:
(JSC::Integrity::audit):
* Source/JavaScriptCore/wasm/WasmIRGeneratorHelpers.h:
(JSC::Wasm::emitRethrowImpl):
(JSC::Wasm::emitThrowImpl):
(JSC::Wasm::emitCatchPrologueShared):

Canonical link: https://commits.webkit.org/253482@main
Note: this only pulls in the basic change of https://commits.webkit.org/279198@main but does not update any users.
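The start-atom scheme described in the commit message above, as an added example that is not JavaScriptCore's own code: the block size, atom size and header size are assumed values standing in for the real MarkedBlock layout, and the formula is the straightforward one implied by the description (choose the largest cell-aligned start so that the unusable remainder sits at the front of the block), not necessarily the expression used in MarkedBlock.cpp. The payoff is that the cell loop needs no per-iteration bounds check: stepping by atomsPerCell from startAtom lands exactly on endAtom.

```cpp
// Added example (not JavaScriptCore's code): choosing a cell-aligned start
// atom so that stepping by atomsPerCell from it ends exactly at endAtom.
// All layout constants below are assumptions for the example.
#include <cstddef>
#include <cstdint>
#include <vector>

namespace example {

constexpr size_t kAtomSize = 16;                    // assumption: bytes per atom
constexpr size_t kBlockSize = 16 * 1024;            // assumption: block size in bytes
constexpr size_t kEndAtom = kBlockSize / kAtomSize; // one past the last atom index
constexpr size_t kHeaderAtoms = 4;                  // assumption: atoms taken by the header

// The header lives at the start of the block, so cells may begin no earlier
// than this atom.
constexpr size_t firstUsableAtom() { return kHeaderAtoms; }

// startAtom is the smallest atom index >= firstUsableAtom() from which
// repeatedly adding atomsPerCell reaches kEndAtom exactly. Any misalignment
// is absorbed by wasted atoms at the front, never by a partial cell at the end.
constexpr size_t computeStartAtom(size_t atomsPerCell) {
    const size_t usableAtoms = kEndAtom - firstUsableAtom();
    const size_t cellCount = usableAtoms / atomsPerCell;
    return kEndAtom - cellCount * atomsPerCell;
}

// Iterate every cell of a block with the given cell size; the loop bound is
// exactly kEndAtom because of the invariant established by computeStartAtom.
std::vector<size_t> cellStartAtoms(size_t atomsPerCell) {
    std::vector<size_t> starts;
    for (size_t atom = computeStartAtom(atomsPerCell); atom < kEndAtom; atom += atomsPerCell)
        starts.push_back(atom);
    return starts;
}

// Does 'atom' begin a cell in a block of this cell size? Atoms in the front
// remainder (below startAtom) are never cell starts.
constexpr bool isCellStartAtom(size_t atom, size_t atomsPerCell) {
    const size_t start = computeStartAtom(atomsPerCell);
    return atom >= start && atom < kEndAtom && (atom - start) % atomsPerCell == 0;
}

} // namespace example
```

With 16-byte atoms, a 16 KiB block and a 4-atom header there are 1020 usable atoms; for a 7-atom cell size that is 145 whole cells, so the start atom moves from 4 to 9 and the five leftover atoms sit between the header and the first cell.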
…ock::Handle is invalid
https://bugs.webkit.org/show_bug.cgi?id=280370
rdar://136782494

Reviewed by Mark Lam and Keith Miller.

We want to dump additional information when this failure case is hit to understand why this could be taking place.

This patch is an updated version of Yijia's patch, which implemented most of the logging.

* Source/JavaScriptCore/heap/BlockDirectory.cpp:
(JSC::BlockDirectory::findMarkedBlockHandle):
* Source/JavaScriptCore/heap/BlockDirectory.h:
* Source/JavaScriptCore/heap/CellContainerInlines.h:
(JSC::CellContainer::aboutToMark):
* Source/JavaScriptCore/heap/HeapInlines.h:
(JSC::Heap::testAndSetMarked):
* Source/JavaScriptCore/heap/MarkedBlock.cpp:
(JSC::MarkedBlock::aboutToMarkSlow):
(JSC::MarkedBlock::dumpInfoIfHandleIsNotValid):
* Source/JavaScriptCore/heap/MarkedBlock.h:
(JSC::MarkedBlock::Handle::hasBlock):
(JSC::MarkedBlock::Header::handleBitsForNullCheck):
(JSC::MarkedBlock::aboutToMark):
* Source/JavaScriptCore/heap/MarkedSpace.cpp:
(JSC::MarkedSpace::findMarkedBlockHandle):
* Source/JavaScriptCore/heap/MarkedSpace.h:
* Source/JavaScriptCore/heap/SlotVisitorInlines.h:
(JSC::SlotVisitor::appendUnbarriered):
(JSC::SlotVisitor::appendHiddenUnbarriered):

Canonical link: https://commits.webkit.org/284376@main
…ugs.webkit.org/show_bug.cgi?id=283176
rdar://139971430

Reviewed by Mark Lam.

The MarkedBlock::Header::m_lock field sits at offset 24. dumpInfoAndCrashForInvalidHandleV2() is always called with this lock held, and so regardless of whether 'm_lock' was corrupted with a zero, it will always be non-zero by the time the instrumentation reads it. So that we can get a better guess at how many contiguous bytes from the start of the MarkedBlock are corrupted with zeros, treat the bytes occupied by m_lock as zeros when scanning for zeros. In other words, we don't know what value these bytes were corrupted with, so assume they were corrupted with zero so that the scan for zeros continues.

Also count the total number of zeros in the MarkedBlock (which is the same as a page on Darwin) to get an overall view into the state of the page, to account for the fact that there could be other locations on the page that may have been written after the corruption occurs.

Improve the use of WTF::setCrashLogMessage(). That function saves only the last message, so send the same message on each invocation but with additional known details filled in. Then, include the source code line number so that the message can be interpreted properly.

Record the first 8 bytes of the HeapCell rather than just the type.

Remove the code that tries to save values to registers in the middle of the instrumentation. It doesn't work in practice since a crash would be more likely to occur after running non-trivial code, which will likely clobber the registers anyway.

Add some testing code for the various instrumentation paths (disabled at compile time).

* Source/JavaScriptCore/heap/MarkedBlock.cpp:
(JSC::MarkedBlock::setupTestForDumpInfoAndCrash):
(JSC::MarkedBlock::aboutToMarkSlow):
(JSC::MarkedBlock::dumpInfoAndCrashForInvalidHandleV2):
(JSC::MarkedBlock::dumpInfoAndCrashForInvalidHandle): Deleted.
* Source/JavaScriptCore/heap/MarkedBlock.h:
(JSC::MarkedBlock::setupTestForDumpInfoAndCrash):
* Source/JavaScriptCore/runtime/OptionsList.h:

Canonical link: https://commits.webkit.org/286689@main
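The zero-scan instrumentation described in the commit message above, as an added example that is not JavaScriptCore's own code: a leading-zero-run scan that treats the bytes of a held lock as zero, a whole-page zero count, capture of the first 8 bytes of a cell, and a single message shape carrying a source line number for a crash-log API that keeps only the last message. Only the lock offset of 24 comes from the commit; the page size, lock width and the sample page contents are constructed assumptions for the example.

```cpp
// Added example (not JavaScriptCore's instrumentation): estimating how many
// leading bytes of a block were zeroed when the lock field is known to be
// non-zero only because the caller holds it. Layout constants are assumptions
// except kLockOffset, which the commit message gives as 24.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

namespace example {

constexpr size_t kPageSize = 16 * 1024; // assumption: block size == page size
constexpr size_t kLockOffset = 24;      // m_lock offset, per the commit message
constexpr size_t kLockSize = 1;         // assumption: a one-byte lock

struct ZeroScan {
    size_t leadingZeroRun;  // contiguous zero bytes counted from byte 0
    size_t totalZeroBytes;  // zero bytes anywhere in the page
};

inline bool inLockField(size_t offset) {
    return offset >= kLockOffset && offset < kLockOffset + kLockSize;
}

// The instrumentation runs with the lock held, so the lock bytes are non-zero
// whatever the corruption wrote there. With treatLockAsZero the leading run
// continues across them instead of stopping at offset 24; the total count is
// unaffected because it reports what is actually in memory.
ZeroScan scanForZeros(const uint8_t* page, size_t size, bool treatLockAsZero) {
    ZeroScan result{0, 0};
    bool runAlive = true;
    for (size_t i = 0; i < size; ++i) {
        const bool isZero = page[i] == 0;
        if (isZero)
            ++result.totalZeroBytes;
        if (runAlive && (isZero || (treatLockAsZero && inLockField(i))))
            ++result.leadingZeroRun;
        else
            runAlive = false;
    }
    return result;
}

// First 8 bytes of a cell, packed most-significant byte first so the value
// reads the same regardless of host endianness.
uint64_t firstEightBytes(const uint8_t* cell) {
    uint64_t word = 0;
    for (size_t i = 0; i < 8; ++i)
        word = (word << 8) | cell[i];
    return word;
}

// One message shape for every call site, differing only in the filled-in
// details and the source line, so the last message kept by a
// "latest message only" crash-log API can still be interpreted.
std::string crashMessage(int sourceLine, const ZeroScan& scan, uint64_t cellWord) {
    char buf[160];
    std::snprintf(buf, sizeof buf,
        "invalid MarkedBlock handle at line %d: leadingZeros=%zu totalZeros=%zu cellWord=0x%016llx",
        sourceLine, scan.leadingZeroRun, scan.totalZeroBytes,
        static_cast<unsigned long long>(cellWord));
    return std::string(buf);
}

// Constructed sample page (not captured from a real crash): bytes [0,100)
// zeroed by a hypothetical corruption, the lock byte then set to 1 by the
// caller that acquired it, a cell with a recognisable first word at offset
// 100, and ten stray zero bytes further into the page.
std::vector<uint8_t> constructedPage() {
    std::vector<uint8_t> page(kPageSize, 0xAB);
    for (size_t i = 0; i < 100; ++i)
        page[i] = 0;
    page[kLockOffset] = 1;
    for (size_t i = 0; i < 8; ++i)
        page[100 + i] = static_cast<uint8_t>(i + 1);
    for (size_t i = 4000; i < 4010; ++i)
        page[i] = 0;
    return page;
}

} // namespace example
```

On the constructed page a naive scan stops at the lock byte and reports a 24-byte run, while treating the lock as zero reports the 100 bytes the corruption actually covered; the total of 109 zero bytes shows the ten stray zeros elsewhere in the page that the leading run alone would miss.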
Following discussion in #1622.
02b9a1c