On 2/27/2014 1:56 PM, Jan de Mooij wrote:
> Most of these crashes were either obvious memory corruption (for
> instance, a typical instruction sequence with 4 corrupt bytes in the
> middle), invalid instruction pointer or valid JIT code but accessing a
> bogus (object) pointer, suggesting a problem elsewhere.

There are some different scenarios here:

A. We're executing JIT code which used to be valid but we freed it.
Memory poisoning should help identify this case.

B. We're executing JIT code which is touching a bad external pointer. We
can tell from the crash reason whether this is an invalid read/write and
we should probably include this information in the signature for JIT
crashes.

C. We're executing active JIT code but it got corrupted (memory-stomped)
somehow. No-write mapping of JIT pages might help here.

D. We're executing active JIT code which has not been corrupted but is
still somehow incorrect and causing crashes.

One of the things that would be really nice that we've talked about in
the past is storing in the minidump an exact list of which pages contain
JIT code and if possible, which memory regions are "active" JIT code. I
don't know whether this is feasible, but it would greatly help in
classifying crashes. If we could for instance keep the information about
live JIT code blocks in a few pages of memory, we can include those
pages of memory in the minidump.

> Downloading minidumps and disassembling them takes a lot of time
> though; it'd be really great if we could integrate this into
> crash-stats, so that we can analyze dumps much faster.

I filed bug 977778 on this. It's certainly not going to happen this
quarter but perhaps next quarter.

> I also found bug 627111 [1] to automatically categorize JIT crashes.
> If we could run that script every day and post the results as a graph
> somewhere it may be easier to detect new crashes.

It may be possible to do this classification automatically nowadays.
Ted, is there anything particularly expensive about that tool which
would prevent us from running it as part of the normal
json-minidump-stackwalk process? Then we can pretty easily write a
crash-stats classifier for it.
--BDS
_______________________________________________
dev-tech-js-engine-internals mailing list
https://lists.mozilla.org/listinfo/dev-tech-js-engine-internals
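
Added example, not part of the original message and not Mozilla's code: a sketch of how a crash-stats classifier could sort JIT crashes into scenarios A-D above, given a table of JIT regions saved in the dump. The Region and Crash fields, the 0xCD poison byte, the per-region CRC32 and the signature strings are all assumptions made for illustration, and treating every invalid read/write in intact code as scenario B is a heuristic.

```python
import zlib
from dataclasses import dataclass

POISON = 0xCD  # assumed fill byte written over freed JIT code

@dataclass
class Region:      # hypothetical entry of a JIT region table stored in the dump
    start: int
    size: int
    live: bool     # False once the code was released
    crc: int       # CRC32 of the code as it was emitted

@dataclass
class Crash:       # hypothetical fields taken from a processed minidump
    pc: int        # instruction pointer at the time of the crash
    reason: str    # "read", "write" or "exec"
    code: bytes    # dumped bytes of the region containing pc (empty if none)

def classify(crash, regions):
    """Return a signature fragment naming the scenario (A-D) for one crash."""
    region = next((r for r in regions
                   if r.start <= crash.pc < r.start + r.size), None)
    if region is None:
        return "non-jit"                      # pc is outside every known JIT region
    poisoned = bool(crash.code) and all(b == POISON for b in crash.code)
    if not region.live or poisoned:
        return "jit | A freed-code"           # code was freed before it ran
    if zlib.crc32(crash.code) != region.crc:
        return "jit | C corrupted-code"       # live code no longer matches what was emitted
    if crash.reason in ("read", "write"):
        return f"jit | B invalid-{crash.reason}"  # intact code, bad data pointer
    return "jit | D intact-code"              # intact code that still crashed

# Constructed sample data: 32 bytes standing in for emitted code, and a copy
# with 4 corrupt bytes in the middle.
GOOD = bytes.fromhex("4889d8488b4008c3") * 4
STOMPED = GOOD[:10] + b"\x00\x00\x00\x00" + GOOD[14:]
REGIONS = [Region(0x10000, 32, True, zlib.crc32(GOOD)),
           Region(0x20000, 32, False, zlib.crc32(GOOD))]
SAMPLES = [Crash(0x20004, "exec", bytes([POISON]) * 32),
           Crash(0x10008, "write", GOOD),
           Crash(0x1000C, "exec", STOMPED),
           Crash(0x10010, "exec", GOOD),
           Crash(0x7FFF0000, "exec", b"")]

if __name__ == "__main__":
    for c in SAMPLES:
        print(hex(c.pc), classify(c, REGIONS))
```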