WebAssembly unable to allocate memory above 1GB
Reported by cfakhrud...@zynga.com, Jan 12 2018
Issue description
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36
Steps to reproduce the problem:
1. Open Chrome Canary 65.0.3319.0 -> Developer Tools -> Console
2. run "new WebAssembly.Memory({initial:16385});"
3. The following error occurs "VM65:1 Uncaught RangeError: WebAssembly.Memory(): could not allocate memory"
What is the expected behavior?
Able to allocate up to 2GB on Chrome 63.0.3239.132
What went wrong?
WebAssembly unable to allocate memory above 1GB on Chrome Canary 65.0.3319.0
Did this work before? Yes Chrome 63.0.3239.132
Chrome version: 65.0.3319.0 Channel: canary
OS Version: OS X 10.12.6
Flash Version: 28.0.0.142
Jan 15 2018
Reporter@ Thanks for the issue. Able to reproduce the issue on Mac OS and Windows 10 on the latest Canary 65.0.3321.0 by following the steps mentioned in the original comment.
Note: On Ubuntu 14.04, Devtools page is crashing on executing the above command in Console.
Bisect Information:
===================
Good Build: 65.0.3317.0 (Revision - 528119)
Bad Build : 65.0.3318.0 (Revision - 528541)
On executing the per-revision bisect script, below is the changelog URL.
Changelog URL:
---------------
https://chromium.googlesource.com/chromium/src/+log/9f98b3e05daca1699f070f6452870fe165b3d67f..8502361edf224dd394f6f43b0bb83a80e13eb89fb
From the above Changelog URL, unable to find the correct suspect for this issue. Hence marking this as Untriaged and requesting someone from Dev to please look into this issue.
Adding ReleaseBlock-Stable as this is a recent regression. Please feel free to remove the same if this is not applicable. Thanks...
Jan 15 2018
// Adding to comment #2. Ignore the CL mentioned in comment #2 as it is not accessible; below is the correct CL.
Changelog URL:
===============
https://chromium.googlesource.com/chromium/src/+log/9f98b3e05daca1699f070f6452870fe165b3d67f..8502361edf224dd394f6f43b0bb83a80e13eb89f
V8-autoroll Changelog:
=======================
https://chromium.googlesource.com/v8/v8/+log/6dd620dd..a32e3199
From the above changelog, suspecting the below change for this issue.
Reviewed-on: https://chromium-review.googlesource.com/856980
titzer@ Can you please check and confirm if this issue is related to your change, else help us in assigning to the right owner. Thanks...
Jan 15 2018
This is almost certainly due to my change that rounds up WebAssembly memories to the next power of 2. This is part of Spectre mitigations and is considered a security feature, so I am not sure we will be able to fix this.
Jan 16 2018
This limits WASM to allocate only up to 1GB of memory. This would break some of the applications which are currently leveraging the 2GB limit (including mine). I think the chromium team worked on increasing the limit up to 2GB about 7 months back. Here's a review that I found: https://codereview.chromium.org/2903153002/ So, in order to mitigate the security vulnerability, are we bringing this down to 1GB again officially?
Jan 16 2018
+bbudge Bill have you come across where this is gated in the array buffer allocator? Could you take a look? Thanks!
Jan 16 2018
ArrayBuffer::Allocator uses size_t to represent the size, so that shouldn't be a problem, at least on 64 bit systems where we might expect 2GB allocations to succeed. size_t is used all the way down to either PartitionAlloc or page_allocator depending on whether it's a normal allocation or an address space reservation. I'm not aware of any size limits on the allocations.
Jan 16 2018
I checked and PartitionAlloc does indeed clamp very large (direct mapped) allocations at just under 2 GB: https://cs.chromium.org/chromium/src/base/allocator/partition_allocator/partition_alloc.cc?rcl=4d9e568ba40d64bdab2be7c0604cdebfeb6162c2&l=791 We might be able to bump this to 2GB if it's only a security issue (and not necessary for some bit masking magic that is important for performance.)
Jan 16 2018
Of course comment #10 only applies to 32-bit systems.
Jan 17 2018
@ comment #9
Even on 64-bit systems, we aren't able to allocate 2GB of memory. We get the following error:
> new WebAssembly.Memory({initial: 32768}); // Trying to allocate 32768 chunks of 64kb each – 32768 * 64kb = 2GB)
>> Uncaught RangeError: WebAssembly.Memory(): Property value 32768 is above the upper bound 32767
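An added JavaScript example, not code from this thread or from Chromium, that models the three limits the comments above describe: 64 KiB wasm pages, the power-of-two rounding of memory sizes, and PartitionAlloc's direct-map clamp at just under 2 GB. The clamp constant (2^31 - 1) and the derivation of the quoted 32767 upper bound from it are assumptions; the probe function only reports what the running engine does.

```javascript
// Added example, not code from the bug thread or from Chromium.
const WASM_PAGE_SIZE = 64 * 1024;                 // one wasm page = 64 KiB
const GIB = 1024 * 1024 * 1024;
// PartitionAlloc clamped direct-mapped allocations at "just under 2 GB";
// 2^31 - 1 is an ASSUMED stand-in for that pre-fix limit.
const DIRECT_MAP_LIMIT_BEFORE_FIX = 2 ** 31 - 1;
const DIRECT_MAP_LIMIT_AFTER_FIX = 2 * GIB;       // the reland allows 2 GiB

function pagesToBytes(pages) {
  return pages * WASM_PAGE_SIZE;
}

// Smallest power of two >= n: the Spectre mitigation rounds wasm memories up.
function roundUpToPow2(n) {
  let p = 1;
  while (p < n) p *= 2;
  return p;
}

// Would a request for `pages` succeed under the modelled allocator rules?
// roundToPow2=false models Chrome 63, before the rounding was introduced.
function wouldAllocate(pages, { roundToPow2 = true, limit = DIRECT_MAP_LIMIT_BEFORE_FIX } = {}) {
  let bytes = pagesToBytes(pages);
  if (roundToPow2) bytes = roundUpToPow2(bytes);
  return bytes <= limit;
}

// Largest page count that fits under a byte limit. With 2^31 - 1 this yields
// 32767, the "upper bound" in the RangeError quoted above (assumed model).
function maxPagesUnder(limitBytes) {
  return Math.floor(limitBytes / WASM_PAGE_SIZE);
}

// Probe the running engine without letting a failed reservation take the
// caller down: returns the real byte length or the error text.
function probeMemory(pages) {
  try {
    const mem = new WebAssembly.Memory({ initial: pages });
    return { ok: true, bytes: mem.buffer.byteLength };
  } catch (e) {
    return { ok: false, error: `${e.name}: ${e.message}` };
  }
}

// Walk the page counts discussed in the thread.
for (const pages of [16384, 16385, 32767, 32768]) {
  console.log(pages, 'pages:',
    'before fix', wouldAllocate(pages),
    'after fix', wouldAllocate(pages, { limit: DIRECT_MAP_LIMIT_AFTER_FIX }));
}
console.log('engine probe, 1 page:', probeMemory(1));
```

Run it under Node or a browser console; the model shows why 16385 pages (1 GiB + 64 KiB) rounds to 2 GiB and trips the pre-fix clamp even though the unrounded size fit in Chrome 63.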
Jan 18 2018
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/183bc643b51f35bf57b1d5158d6df9f6a2693ba0

commit 183bc643b51f35bf57b1d5158d6df9f6a2693ba0
Author: Brad Nelson <bradnelson@chromium.org>
Date: Thu Jan 18 02:52:48 2018

[wasm] Fix page size constant + test limits on max pages.

BUG= chromium:801604
R=bbudge@chromium.org,titzer@chromium.org

Change-Id: I5fa57d5f8ea288d7aef7d466cbf11df46c4dcd1d
Reviewed-on: https://chromium-review.googlesource.com/869468
Reviewed-by: Ben Titzer <titzer@chromium.org>
Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Brad Nelson <bradnelson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50665}

[modify] https://crrev.com/183bc643b51f35bf57b1d5158d6df9f6a2693ba0/src/wasm/wasm-js.cc
[modify] https://crrev.com/183bc643b51f35bf57b1d5158d6df9f6a2693ba0/test/mjsunit/wasm/memory-size.js
Jan 18 2018
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/f3d22635d15d3fff40529b00bf6ba979776ad871

commit f3d22635d15d3fff40529b00bf6ba979776ad871
Author: Benedikt Meurer <bmeurer@chromium.org>
Date: Thu Jan 18 06:55:42 2018

Revert "[wasm] Fix page size constant + test limits on max pages."

This reverts commit 183bc643b51f35bf57b1d5158d6df9f6a2693ba0.

Reason for revert: https://logs.chromium.org/v/?s=chromium%2Fbb%2Fclient.v8%2FV8_Linux_-_debug%2F18780%2F%2B%2Frecipes%2Fsteps%2FCheck_-_extra%2F0%2Flogs%2Fmemory-size%2F0

Original change's description:
> [wasm] Fix page size constant + test limits on max pages.
>
> BUG= chromium:801604
> R=bbudge@chromium.org,titzer@chromium.org
>
> Change-Id: I5fa57d5f8ea288d7aef7d466cbf11df46c4dcd1d
> Reviewed-on: https://chromium-review.googlesource.com/869468
> Reviewed-by: Ben Titzer <titzer@chromium.org>
> Reviewed-by: Bill Budge <bbudge@chromium.org>
> Commit-Queue: Brad Nelson <bradnelson@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#50665}

TBR=bradnelson@chromium.org,bbudge@chromium.org,titzer@chromium.org

Change-Id: I2b5a51f1a94e862f8ac4455d466e23d26c220202
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:801604
Reviewed-on: https://chromium-review.googlesource.com/872950
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50666}

[modify] https://crrev.com/f3d22635d15d3fff40529b00bf6ba979776ad871/src/wasm/wasm-js.cc
[modify] https://crrev.com/f3d22635d15d3fff40529b00bf6ba979776ad871/test/mjsunit/wasm/memory-size.js
Jan 18 2018
So, as per the bug fix/revert above is there a plan to fix this and would the fix be going in next Chrome Canary revision?
Jan 18 2018
Yes. This will not be on the 6.5 branch from the start, we should aim to merge this back after some bake time.
Jan 18 2018
Looks like this issue is also happening in Chrome beta 64.0.3282.99, is there a plan to fix it in Chrome 64 before this goes live (I think in 5 days?), else we will need to move users off from wasm
Jan 18 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/be7148033ae13dedb3677d9f1aecff19d9c0b0fc

commit be7148033ae13dedb3677d9f1aecff19d9c0b0fc
Author: Bill Budge <bbudge@chromium.org>
Date: Thu Jan 18 22:14:29 2018

[partition_alloc] Allow 2 GiB direct mapped allocations.

- Raises the limit of direct mapped allocations. WASM needs to be able to allocate 2GiB regions.

Bug: chromium:801604
Change-Id: I559e55d2474623805eabae64f5b1f3dfe35a7acb
Reviewed-on: https://chromium-review.googlesource.com/868844
Commit-Queue: Bill Budge <bbudge@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Cr-Commit-Position: refs/heads/master@{#530294}

[modify] https://crrev.com/be7148033ae13dedb3677d9f1aecff19d9c0b0fc/base/allocator/partition_allocator/partition_alloc.cc
[modify] https://crrev.com/be7148033ae13dedb3677d9f1aecff19d9c0b0fc/base/allocator/partition_allocator/partition_alloc.h
Jan 18 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/386dfa4d57633a3922036299b395891041174deb

commit 386dfa4d57633a3922036299b395891041174deb
Author: Bill Budge <bbudge@chromium.org>
Date: Thu Jan 18 23:41:14 2018

Revert "[partition_alloc] Allow 2 GiB direct mapped allocations."

This reverts commit be7148033ae13dedb3677d9f1aecff19d9c0b0fc.

Reason for revert: breaks unit test https://luci-milo.appspot.com/buildbot/chromium.win/Win7%20(32)%20Tests/29093

Original change's description:
> [partition_alloc] Allow 2 GiB direct mapped allocations.
>
> - Raises the limit of direct mapped allocations. WASM needs
> to be able to allocate 2GiB regions.
>
> Bug: chromium:801604
> Change-Id: I559e55d2474623805eabae64f5b1f3dfe35a7acb
> Reviewed-on: https://chromium-review.googlesource.com/868844
> Commit-Queue: Bill Budge <bbudge@chromium.org>
> Reviewed-by: Kentaro Hara <haraken@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#530294}

TBR=palmer@chromium.org,bbudge@chromium.org,haraken@chromium.org

Change-Id: Ic9335529ebdb824b3f9e6ae972cb0489f6dc24ce
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:801604
Reviewed-on: https://chromium-review.googlesource.com/875151
Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#530341}

[modify] https://crrev.com/386dfa4d57633a3922036299b395891041174deb/base/allocator/partition_allocator/partition_alloc.cc
[modify] https://crrev.com/386dfa4d57633a3922036299b395891041174deb/base/allocator/partition_allocator/partition_alloc.h
Jan 19 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/348c758d099007fc5a0a4c188cdcf3f21ce40495

commit 348c758d099007fc5a0a4c188cdcf3f21ce40495
Author: Bill Budge <bbudge@chromium.org>
Date: Fri Jan 19 01:37:43 2018

Reland [partition_alloc] Allow 2 GiB direct mapped allocations.

- Raises the limit of direct mapped allocations. WASM needs to be able to allocate 2GiB regions.

Bug: chromium:801604
Change-Id: I77e905ff4ae6f5ca66de9daf30f19bb6f7b54089
Reviewed-on: https://chromium-review.googlesource.com/875301
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Commit-Queue: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#530380}

[modify] https://crrev.com/348c758d099007fc5a0a4c188cdcf3f21ce40495/base/allocator/partition_allocator/partition_alloc.cc
[modify] https://crrev.com/348c758d099007fc5a0a4c188cdcf3f21ce40495/base/allocator/partition_allocator/partition_alloc.h
[modify] https://crrev.com/348c758d099007fc5a0a4c188cdcf3f21ce40495/base/allocator/partition_allocator/partition_alloc_unittest.cc
Jan 19 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/532b521f1361f95c857cc12fa6080319fb06db5e

commit 532b521f1361f95c857cc12fa6080319fb06db5e
Author: Bill Budge <bbudge@chromium.org>
Date: Fri Jan 19 03:09:14 2018

Revert "Reland [partition_alloc] Allow 2 GiB direct mapped allocations."

This reverts commit 348c758d099007fc5a0a4c188cdcf3f21ce40495.

Reason for revert: <INSERT REASONING HERE>

Original change's description:
> Reland [partition_alloc] Allow 2 GiB direct mapped allocations.
>
> - Raises the limit of direct mapped allocations. WASM needs
> to be able to allocate 2GiB regions.
>
> Bug: chromium:801604
> Change-Id: I77e905ff4ae6f5ca66de9daf30f19bb6f7b54089
> Reviewed-on: https://chromium-review.googlesource.com/875301
> Reviewed-by: Kentaro Hara <haraken@chromium.org>
> Commit-Queue: Bill Budge <bbudge@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#530380}

TBR=bbudge@chromium.org,haraken@chromium.org

Change-Id: I4462f890182dcb523f15cb8289ca416b5d266578
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:801604
Reviewed-on: https://chromium-review.googlesource.com/875169
Reviewed-by: Bill Budge <bbudge@chromium.org>
Commit-Queue: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#530412}

[modify] https://crrev.com/532b521f1361f95c857cc12fa6080319fb06db5e/base/allocator/partition_allocator/partition_alloc.cc
[modify] https://crrev.com/532b521f1361f95c857cc12fa6080319fb06db5e/base/allocator/partition_allocator/partition_alloc.h
[modify] https://crrev.com/532b521f1361f95c857cc12fa6080319fb06db5e/base/allocator/partition_allocator/partition_alloc_unittest.cc
Jan 19 2018
We have filed another bug https://bugs.chromium.org/p/chromium/issues/detail?id=803786 for the issue on Chrome Beta 64.0.3282.99
Jan 19 2018
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/6da9254ccbbcecf882e2f87eaf71c231edff44e5

commit 6da9254ccbbcecf882e2f87eaf71c231edff44e5
Author: Ben L. Titzer <titzer@chromium.org>
Date: Fri Jan 19 10:19:32 2018

Reland "[wasm] Fix page size constant + test limits on max pages."

This is a reland of 183bc643b51f35bf57b1d5158d6df9f6a2693ba0.

Original change's description:
> [wasm] Fix page size constant + test limits on max pages.
>
> BUG= chromium:801604
> R=bbudge@chromium.org,titzer@chromium.org
>
> Change-Id: I5fa57d5f8ea288d7aef7d466cbf11df46c4dcd1d
> Reviewed-on: https://chromium-review.googlesource.com/869468
> Reviewed-by: Ben Titzer <titzer@chromium.org>
> Reviewed-by: Bill Budge <bbudge@chromium.org>
> Commit-Queue: Brad Nelson <bradnelson@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#50665}

Bug: chromium:801604
Change-Id: I89943644f5921f8635e62af82bb472c7bfd5e145
Reviewed-on: https://chromium-review.googlesource.com/874696
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50707}

[modify] https://crrev.com/6da9254ccbbcecf882e2f87eaf71c231edff44e5/src/wasm/wasm-js.cc
[modify] https://crrev.com/6da9254ccbbcecf882e2f87eaf71c231edff44e5/test/mjsunit/wasm/memory-size.js
Jan 19 2018
hablich@ for M65 merge review (M65 is branched at 3325, chromium revision 530369)
Jan 19 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/60d13f8af042bebb93f25ebc6e81a703a57bf9d4

commit 60d13f8af042bebb93f25ebc6e81a703a57bf9d4
Author: Bill Budge <bbudge@chromium.org>
Date: Fri Jan 19 22:36:21 2018

Reland [partition_alloc] Allow 2 GiB direct mapped allocations.

- Raises the limit of direct mapped allocations. WASM needs to be able to allocate 2GiB regions.
- Manual reland. Fixed another test.

Bug: chromium:801604
Change-Id: I1e19246cbc47eff22e770db84b29e6aac91e7ac9
Reviewed-on: https://chromium-review.googlesource.com/876484
Reviewed-by: Chris Palmer <palmer@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Commit-Queue: Bill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#530635}

[modify] https://crrev.com/60d13f8af042bebb93f25ebc6e81a703a57bf9d4/base/allocator/partition_allocator/partition_alloc.cc
[modify] https://crrev.com/60d13f8af042bebb93f25ebc6e81a703a57bf9d4/base/allocator/partition_allocator/partition_alloc.h
[modify] https://crrev.com/60d13f8af042bebb93f25ebc6e81a703a57bf9d4/base/allocator/partition_allocator/partition_alloc_unittest.cc
Jan 22 2018
In which release can we expect this fix to be available?
Jan 22 2018
This bug requires manual review: We are only 0 days from stable.
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), abdulsyed@(Desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Jan 22 2018
Issue 803786 has been merged into this issue.
Jan 22 2018
This also affects 64 (see merged issue). bbudge@ is OOO, titzer@ could you please merge the patch to 64 too?
Jan 22 2018
I'm having trouble understanding which patch is to be merged from that bug. There are two different ones, one touching partition_alloc.cc and one touching wasm-js.cc. Brad, do you have more context here?
Jan 22 2018
titzer replied that the relevant patch is bbudge's (60d13f8af042bebb93f25ebc6e81a703a57bf9d4). Note that this is a Chromium change, not a v8 one. I'm attempting to merge now, using Gerrit.
Jan 22 2018
Unfortunately the patch does not merge cleanly, am currently attempting to prepare a manual merge.
Jan 22 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/b7dcc44bce545d96d3dcc11a569ab56c01884bdc

commit b7dcc44bce545d96d3dcc11a569ab56c01884bdc
Author: Adam Klein <adamk@chromium.org>
Date: Mon Jan 22 22:50:49 2018

Reland [partition_alloc] Allow 2 GiB direct mapped allocations.

- Raises the limit of direct mapped allocations. WASM needs to be able to allocate 2GiB regions.
- Manual reland. Fixed another test.

Originally Reviewed-on: https://chromium-review.googlesource.com/876484
(cherry picked from commit 60d13f8af042bebb93f25ebc6e81a703a57bf9d4)

TBR=bbudge@chromium.org

Bug: chromium:801604
Change-Id: Ic259a955f4d6ca3101c9943c36e996615356540f
Reviewed-on: https://chromium-review.googlesource.com/879267
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/branch-heads/3282@{#575}
Cr-Branched-From: 5fdc0fab22ce7efd32532ee989b223fa12f8171e-refs/heads/master@{#520840}

[modify] https://crrev.com/b7dcc44bce545d96d3dcc11a569ab56c01884bdc/base/allocator/partition_allocator/partition_alloc.cc
[modify] https://crrev.com/b7dcc44bce545d96d3dcc11a569ab56c01884bdc/base/allocator/partition_allocator/partition_alloc.h
[modify] https://crrev.com/b7dcc44bce545d96d3dcc11a569ab56c01884bdc/base/allocator/partition_allocator/partition_alloc_unittest.cc
Jan 23 2018
Thanks Adam!
Jan 23 2018
Pls merge your change to M65 branch 3325 before 1:00 PM PT today, Tuesday (01/23/18) so we can pick it up for dev release tomorrow. Thank you.
Jan 23 2018
AFAICT, it's only Bill's change that needs to be backmerged to M65. Brad's change was cosmetic and included a test, but not functionality change.
Jan 23 2018
The fix missed the branch cut for M65, please also merge it to 65.
Jan 23 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/fc055b8be098f9e8875be0352091dc01223d6bc3

commit fc055b8be098f9e8875be0352091dc01223d6bc3
Author: Bill Budge <bbudge@chromium.org>
Date: Tue Jan 23 18:30:03 2018

Reland [partition_alloc] Allow 2 GiB direct mapped allocations.

- Raises the limit of direct mapped allocations. WASM needs to be able to allocate 2GiB regions.
- Manual reland. Fixed another test.

Originally Reviewed-on: https://chromium-review.googlesource.com/876484
(cherry picked from commit 60d13f8af042bebb93f25ebc6e81a703a57bf9d4)

Tbr: bbudge@chromium.org
Bug: chromium:801604
Change-Id: I1e19246cbc47eff22e770db84b29e6aac91e7ac9
Reviewed-on: https://chromium-review.googlesource.com/881646
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/branch-heads/3325@{#30}
Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369}

[modify] https://crrev.com/fc055b8be098f9e8875be0352091dc01223d6bc3/base/allocator/partition_allocator/partition_alloc.cc
[modify] https://crrev.com/fc055b8be098f9e8875be0352091dc01223d6bc3/base/allocator/partition_allocator/partition_alloc.h
[modify] https://crrev.com/fc055b8be098f9e8875be0352091dc01223d6bc3/base/allocator/partition_allocator/partition_alloc_unittest.cc