[tl;dr: please poison GC and JIT memory when it is freed]
I mentioned this at the engineering meeting last Tuesday but I don't
think I hit the right audience so I thought I'd repost it here.
We currently have some important crashes that are not actionable based
on crash stats. If you take a look at the current 28
beta topcrashes, the #3 topcrash (js::GCMarker::processMarkStackTop) is
a GC crash probably due to a corrupt GC heap/dangling pointers.
The #5 crash (EnterBaseline) is a generic signature for any crash that
happens in the JIT.
There are a few others such as
JSScript::markChildren/ScanRope/FinalizeArenas.
A lot of our current efforts have revolved around using fuzzers to
detect these kinds of situations. But we really need to try and use our
release population more effectively to discover why these issues are
happening and fix them.
We recently landed memory poisoning on free() in the Firefox codebase
(bug 860254). This provides some defense in depth for individual users,
but its primary purpose is to make use-after-free crashes happen more
quickly and with stack traces that are more useful. For the most part
this change does not appear to have affected performance (except for
tsvg tests on macOS which have strange symptoms).
I'd like the JS team to consider doing the same kind of memory poisoning
in release builds for the various JS heaps which aren't the jemalloc heap:
* The GC
* The various JIT code buffers
* Any other relevant caches or specialized allocators where normal
free() poisoning doesn't work
Thoughts? I don't know enough about this to file specific bugs, so I'm
looking to you on the JS team to identify what things are candidates and
file the bugs. Especially if there are mentors for the bugs, I have
some great volunteers who have been fixing OOM issues recently who might
love to help take some of these bugs and fix them.
--BDS
_______________________________________________
dev-tech-js-engine-internals mailing list
https://lists.mozilla.org/listinfo/dev-tech-js-engine-internals
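Added example (not part of the original post, and not Firefox or SpiderMonkey code): a tiny pool allocator of the kind a GC or JIT might use instead of jemalloc, with optional poisoning of cells on free. It shows the effect the post is after: without poisoning, a dangling pointer still reads its old, plausible-looking fields and the bug stays silent; with poisoning, the stale read returns the poison pattern and a marker-style walker can flag it at the first use. The type and function names and the 0xe5 byte are choices made for this example; a repeated 0xe5 is a non-canonical x86-64 address and odd, so a poisoned pointer field would also fault immediately if dereferenced.

```c
/* Added example: pool allocator with optional poison-on-free.
 * Not Firefox/SpiderMonkey code; names and the 0xe5 pattern are constructed
 * choices for this illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POISON_BYTE 0xe5u   /* constructed choice; repeated, it is a non-canonical x86-64 address */
#define CELL_WORDS  4

typedef struct Cell {
    struct Cell *next_free;        /* free-list link, only meaningful while the cell is free */
    uintptr_t slots[CELL_WORDS];   /* "object" fields, e.g. pointers to other cells */
} Cell;

typedef struct {
    Cell *cells;
    size_t count;
    Cell *free_list;
    bool poison;                   /* whether pool_free() overwrites the cell with POISON_BYTE */
} Pool;

static bool pool_init(Pool *p, size_t count, bool poison) {
    p->cells = calloc(count, sizeof *p->cells);
    if (!p->cells) return false;
    p->count = count;
    p->poison = poison;
    p->free_list = NULL;
    for (size_t i = count; i-- > 0;) {   /* thread every cell onto the free list */
        p->cells[i].next_free = p->free_list;
        p->free_list = &p->cells[i];
    }
    return true;
}

static Cell *pool_alloc(Pool *p) {
    Cell *c = p->free_list;
    if (!c) return NULL;
    p->free_list = c->next_free;
    memset(c, 0, sizeof *c);             /* fresh cells start zeroed */
    return c;
}

static void pool_free(Pool *p, Cell *c) {
    if (p->poison) memset(c, POISON_BYTE, sizeof *c);   /* the defense-in-depth / crash-early step */
    c->next_free = p->free_list;         /* only the link word is rewritten; slots keep the poison */
    p->free_list = c;
}

static void pool_destroy(Pool *p) { free(p->cells); p->cells = NULL; }

/* A fully poisoned word is POISON_BYTE repeated across the whole word. */
static uintptr_t poison_word(void) {
    uintptr_t w = 0;
    memset(&w, POISON_BYTE, sizeof w);
    return w;
}

static bool slot_is_poisoned(uintptr_t v) { return v == poison_word(); }

/* Simulated use-after-free: allocate, store a field, free, then read the field
 * through the dangling pointer. Returns whatever the stale read observes. */
static uintptr_t stale_read_after_free(bool poison) {
    Pool p;
    if (!pool_init(&p, 8, poison)) return 0;
    Cell *victim = pool_alloc(&p);
    victim->slots[0] = (uintptr_t)0x1234;   /* stands in for a pointer to a live cell */
    pool_free(&p, victim);
    uintptr_t observed = victim->slots[0];  /* the bug: victim is dangling */
    pool_destroy(&p);
    return observed;
}

/* Marker-style visitor: counts outgoing edges, but returns -1 as soon as it
 * sees a poisoned slot instead of following a garbage "pointer" further. */
static int count_edges_or_flag_poison(const Cell *c) {
    int edges = 0;
    for (size_t i = 0; i < CELL_WORDS; i++) {
        if (slot_is_poisoned(c->slots[i])) return -1;
        if (c->slots[i] != 0) edges++;
    }
    return edges;
}

/* Run the visitor over a freed cell: 1 stale-but-plausible edge without
 * poisoning, -1 (detected at first touch) with poisoning. */
static int mark_dangling_cell(bool poison) {
    Pool p;
    if (!pool_init(&p, 8, poison)) return -2;
    Cell *victim = pool_alloc(&p);
    victim->slots[0] = (uintptr_t)0x1234;
    pool_free(&p, victim);
    int result = count_edges_or_flag_poison(victim);
    pool_destroy(&p);
    return result;
}

int main(void) {
    printf("stale read, no poison:  %#lx\n", (unsigned long)stale_read_after_free(false));
    printf("stale read, poisoned:   %#lx\n", (unsigned long)stale_read_after_free(true));
    printf("marker, no poison: %d   marker, poisoned: %d\n",
           mark_dangling_cell(false), mark_dangling_cell(true));
    return 0;
}
```

The point of the second pair of functions is the one the post makes about stack traces: without poisoning, the walker happily reports one valid-looking edge from a dead cell and the eventual crash lands somewhere far from the bug; with poisoning, the first consumer of the freed cell is where the failure shows up.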