Compaction with interior slots broken when having inlined backing stores |
|||||||
Issue descriptionWhen compacting something like HeapHashMap<Key, HeapVector<Member<Value>, 1> the pointer fixup does not properly update the interior pointer (for the inlined vector) of the value. E.g.: https://chromium-review.googlesource.com/c/chromium/src/+/1102883 I cannot yet see how the interior fixup should work. IIUC: 1. Relocate(from, to) is only called on actual objects which means it will never be called for an inlined backing store. 2. As a consequence, RelocateInteriorFixups *must* somewhere write a slot 3. RelocateInteriorFixups only update the interior map though relying on Relocate to find the inner object, which never happens. The end result is that the HashTableBacking moves while the slot pointing to the inlined object is never updated. I currently fail to see how this has ever worked.
,
Aug 17
FYI I have been debugging https://chromium-review.googlesource.com/c/chromium/src/+/1175881 and I haven't figured it out completely but it is definitely heap compaction interior fixup related too.
,
Aug 17
harukamt did not end up excluding kInlineVectorArenaIndex so I don't think that is the problem (CL was abandoned https://chromium-review.googlesource.com/c/chromium/src/+/1161709)
,
Aug 17
Oh, this is about nested HeapVector with inline buffer. I noticed this (potential) issue too when working with harukamt. I think this never worked.
,
Aug 17
kInlineVectorArena is not the problem. Let me elaborate. We allocate a HashTableBacking on the regular backing arena. We then use a HeapHashMap<Member<Value>, 1> which pre-allocates 1 slot of inline storage [1]. We do *not* use more than that. In this case we would have Vector::buffer_ just pointing to this inlined storage. This is not a forwarding pointer to an actual HoH and thus the current mechanism fails to fix it up. IIUC, then this was not introduces recently but has always been a bug. [1] https://cs.chromium.org/chromium/src/third_party/blink/renderer/platform/wtf/vector.h?sq=package:chromium&dr=CSs&g=0&l=869
,
Aug 17
Yeah, I now understand. You're right :)
,
Aug 17
fyi: Minimal example here: https://chromium-review.googlesource.com/c/chromium/src/+/1179742
,
Aug 17
,
Aug 20
This is actually a use after free since the pointer that is not updated can be conveniently used by the mutator.
,
Aug 20
I used this query to check for uses of HeapVectors with inline capacities: https://cs.chromium.org/search/?q=HeapVector%3CMember%3C.*%3E,.*%3E&sq=package:chromium&type=cs I manually checked all uses and they are looking good. Obviously I might have missed typedefs here.
,
Aug 20
Afaics, we are not affected by this currently. Since we don't check prohibit the use of nested collections with inline storage I might have missed something though.
,
Aug 20
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/f30a46a9e637cb086de3e741cf15a391688932d6 commit f30a46a9e637cb086de3e741cf15a391688932d6 Author: Michael Lippautz <mlippautz@chromium.org> Date: Mon Aug 20 12:20:09 2018 [heap] Support compaction of pre-allocated inline buffers Bug: chromium:875044 Change-Id: I208aca1aeb3488d8880523c35f5e486962039ec6 Reviewed-on: https://chromium-review.googlesource.com/1179742 Commit-Queue: Michael Lippautz <mlippautz@chromium.org> Reviewed-by: Kentaro Hara <haraken@chromium.org> Cr-Commit-Position: refs/heads/master@{#584412} [modify] https://crrev.com/f30a46a9e637cb086de3e741cf15a391688932d6/third_party/blink/renderer/platform/heap/heap_compact.cc [modify] https://crrev.com/f30a46a9e637cb086de3e741cf15a391688932d6/third_party/blink/renderer/platform/heap/heap_compact_test.cc
,
Aug 21
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/fabab1887c8422c7b6102db09256617df0bd5c6b commit fabab1887c8422c7b6102db09256617df0bd5c6b Author: Michael Lippautz <mlippautz@chromium.org> Date: Tue Aug 21 09:14:41 2018 [heap] Fix compaction of interior slots Compaction uses overlapping writes which means that the source (from) object may be overwritten by the target (to) object. Since the contents are just copied over the target can be used for reading a slots value. Bug: chromium:875044 Change-Id: I3945fffe4bd1d4f04b57a0964b85d9de7551122e Reviewed-on: https://chromium-review.googlesource.com/1181572 Commit-Queue: Michael Lippautz <mlippautz@chromium.org> Reviewed-by: Kentaro Hara <haraken@chromium.org> Cr-Commit-Position: refs/heads/master@{#584695} [modify] https://crrev.com/fabab1887c8422c7b6102db09256617df0bd5c6b/third_party/blink/renderer/platform/heap/heap_compact.cc
,
Aug 21
,
Aug 21
,
Nov 27
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||
►
Sign in to add a comment |
|||||||
Comment 1 by haraken@chromium.org
, Aug 17