New issue
Advanced search Search tips

Issue 893096 link

Starred by 1 user
Status: Fixed
Owner:
clemensh@chromium.org
Closed: Oct 8
Cc:
ahaas@chromium.org
adamk@chromium.org
titzer@chromium.org
dschuff@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Security



Sign in to add a comment

[wasm] Code space management broken on windows

Project Member Reported by clemensh@chromium.org, Oct 8 
The tracking of committed code space is broken on windows, resulting in the counters for committed code space and remaining uncomitted code space to be broken. This can lead to OOM issues because we use more than kMaxWasmCodeMemory bytes of code space. It also has security implications if this limit can be bypassed.

This is the buggy code (in wasm-code-manager.cc):

 708   if (commit_start < commit_end) {
 709 #if V8_OS_WIN
[...]
 715     for (auto& vmem : base::Reversed(owned_code_space_)) {
[...]
 727       if (commit_start == start) commit_start = end;
 728       if (commit_end == end) commit_end = start;
 729       if (commit_start >= commit_end) break;
 730     }
[...]
 738 #endif                                                                           
 739     committed_code_space_.fetch_add(commit_end - commit_start);                  


Since commit_start and commit_end are updated in the loop, the fetch_add will not add a correct number. In fact, commit_end might be smaller than commit_start at that point.
Project Member

Comment 1 by bugdroid1@chromium.org, Oct 8 

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/eeb15e84b5d448bf43f8da9d1cf4c7b439b158d4

commit eeb15e84b5d448bf43f8da9d1cf4c7b439b158d4
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Mon Oct 08 11:28:23 2018

[wasm] Fix code space management

On windows, the {NativeModule::committed_code_space_} counter can underflow because
of a bug. This propagates to {WasmCodeManager::remaining_uncommitted_code_space_},
which can lead to over-allocation (more than {kMaxWasmCodeMemory} bytes of code
space per module).

We were also seeing this bug on UMA data (>1024 MB code space usage).

R=ahaas@chromium.org

Bug:  chromium:893096 

Change-Id: If3c9b3e7bdc9fc3caf1eccae991123409718b90f
Reviewed-on: https://chromium-review.googlesource.com/c/1267943
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56440}
[modify] https://crrev.com/eeb15e84b5d448bf43f8da9d1cf4c7b439b158d4/src/wasm/wasm-code-manager.cc

Comment 2 by clemensh@chromium.org, Oct 8

Status: Fixed (was: Started)
Project Member

Comment 3 by sheriffbot@chromium.org, Oct 8

Labels: -Pri-1 Pri-2
Project Member

Comment 4 by sheriffbot@chromium.org, Oct 8

Labels: Restrict-View-SecurityNotify
Project Member

Comment 5 by sheriffbot@chromium.org, Jan 14

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment