Need help with patch allowing to iterate over all objects

Benoit Jacob jacob.benoit.1 at gmail.com
Fri Aug 24 16:33:05 PDT 2012


Thanks Jason.

The application (Firefox) doesn't crash without my patch, and I just
got this different assertion failure, this time on the allocation path
(malloc) rather than in free():


(gdb) frame 1
#1  0x00000000004175e7 in arena_chunk_validate_zeroed
(chunk=0x7fffd5100000, run_ind=15) at
/hack/mozilla-central/memory/jemalloc/src/src/arena.c:186
186                     assert(p[i] == 0);
(gdb) l
181     {
182             size_t i;
183             UNUSED size_t *p = (size_t *)((uintptr_t)chunk +
(run_ind << LG_PAGE));
184
185             for (i = 0; i < PAGE / sizeof(size_t); i++)
186                     assert(p[i] == 0);
187     }
188
189     static void
190     arena_run_split(arena_t *arena, arena_run_t *run, size_t size,
bool large,
(gdb) bt
#0  0x0000000000411605 in moz_abort () at
/hack/mozilla-central/memory/build/extraMallocFuncs.c:116
#1  0x00000000004175e7 in arena_chunk_validate_zeroed
(chunk=0x7fffd5100000, run_ind=15) at
/hack/mozilla-central/memory/jemalloc/src/src/arena.c:186
#2  0x0000000000417f27 in arena_run_split (arena=0x7ffff6c00180,
run=0x7fffd510e000, size=8192, large=false, binind=7, zero=false) at
/hack/mozilla-central/memory/jemalloc/src/src/arena.c:334
#3  0x00000000004188e5 in arena_run_alloc_helper
(arena=0x7ffff6c00180, size=8192, large=false, binind=7, zero=false)
at /hack/mozilla-central/memory/jemalloc/src/src/arena.c:495
#4  0x0000000000418a0c in arena_run_alloc (arena=0x7ffff6c00180,
size=8192, large=false, binind=7, zero=false) at
/hack/mozilla-central/memory/jemalloc/src/src/arena.c:515
#5  0x000000000041acc8 in arena_bin_nonfull_run_get
(arena=0x7ffff6c00180, bin=0x7ffff6c00698) at
/hack/mozilla-central/memory/jemalloc/src/src/arena.c:1108
#6  0x000000000041ae93 in arena_bin_malloc_hard (arena=0x7ffff6c00180,
bin=0x7ffff6c00698) at
/hack/mozilla-central/memory/jemalloc/src/src/arena.c:1156
#7  0x000000000041b225 in arena_tcache_fill_small
(arena=0x7ffff6c00180, tbin=0x7fffd44eb108, binind=7,
prof_accumbytes=0) at
/hack/mozilla-central/memory/jemalloc/src/src/arena.c:1232
#8  0x000000000043c273 in tcache_alloc_small_hard
(tcache=0x7fffd44eb000, tbin=0x7fffd44eb108, binind=7) at
/hack/mozilla-central/memory/jemalloc/src/src/tcache.c:72
#9  0x000000000043b816 in tcache_alloc_small (tcache=0x7fffd44eb000,
size=104, zero=false) at
/hack/mozilla-central/memory/jemalloc/src/include/jemalloc/internal/tcache.h:302
#10 0x0000000000412c26 in arena_malloc (arena=0x0, size=104,
zero=false, try_tcache=true) at
/hack/mozilla-central/memory/jemalloc/src/include/jemalloc/internal/arena.h:869
#11 0x000000000042dce8 in imalloc (size=104) at
src/include/jemalloc/internal/jemalloc_internal.h:735
#12 0x000000000043111c in real_je_malloc (size=104) at
/hack/mozilla-central/memory/jemalloc/src/src/jemalloc.c:829
#13 0x0000000000432fdd in malloc (size=40) at
/hack/mozilla-central/memory/jemalloc/src/src/jemalloc.c:1429
#14 0x00007ffff7fe803c in moz_xmalloc (size=40) at
/hack/mozilla-central/memory/mozalloc/mozalloc.cpp:57
#15 0x00007ffff3af3015 in operator new [] (size=40) at
../../dist/include/mozilla/mozalloc.h:212
#16 jArray<nsString*, int>::newJArray (len=5) at
/hack/mozilla-central/parser/html/jArray.h:57
#17 0x00007ffff3af2684 in nsHtml5HtmlAttributes::nsHtml5HtmlAttributes
(this=0x7fffd510d080, mode=0) at
/hack/mozilla-central/parser/html/nsHtml5HtmlAttributes.cpp:64
#18 0x00007ffff3af4edc in nsHtml5Tokenizer::attributeNameComplete
(this=0x7fffc78098c0) at
/hack/mozilla-central/parser/html/nsHtml5Tokenizer.cpp:330
#19 0x00007ffff3aff8a3 in
nsHtml5Tokenizer::stateLoop<nsHtml5SilentPolicy> (this=0x7fffc78098c0,
state=13, c=61, pos=583, buf=0x7fffc762a640, reconsume=false,
returnState=2, endPos=1024)
    at /hack/mozilla-central/parser/html/nsHtml5Tokenizer.cpp:666
#20 0x00007ffff3af5232 in nsHtml5Tokenizer::tokenizeBuffer
(this=0x7fffc78098c0, buffer=0x7fffc65a57c0) at
/hack/mozilla-central/parser/html/nsHtml5Tokenizer.cpp:410
#21 0x00007ffff3b272b5 in nsHtml5StreamParser::ParseAvailableData
(this=0x7fffdd8e5240) at
/hack/mozilla-central/parser/html/nsHtml5StreamParser.cpp:1360
#22 0x00007ffff3b26322 in nsHtml5StreamParser::DoDataAvailable
(this=0x7fffdd8e5240,
    aBuffer=0x7fffc3a5f040
"6-20120823ARTFIG00314-il-y-a-un-an-un-tremblement-de-terre-surprend-les-usa.php\">\273
Il y a un an : un tremblement de terre surprend les USA</a></h1>\n\n
   <h1><a href=\"/actualite-france/2012/08/22/010"..., aLength=34048)
at /hack/mozilla-central/parser/html/nsHtml5StreamParser.cpp:1083
#23 0x00007ffff3b264a2 in nsHtml5DataAvailable::Run
(this=0x7fffdcd51590) at
/hack/mozilla-central/parser/html/nsHtml5StreamParser.cpp:1115
#24 0x00007ffff46f54f6 in nsThread::ProcessNextEvent
(this=0x7fffd44a9180, mayWait=true, result=0x7fffd42fedaf) at
/hack/mozilla-central/xpcom/threads/nsThread.cpp:624
#25 0x00007ffff46897ae in NS_ProcessNextEvent_P
(thread=0x7fffd44a9180, mayWait=true) at
/hack/mozilla-central/obj-firefox-debug/xpcom/build/nsThreadUtils.cpp:220
#26 0x00007ffff46f4412 in nsThread::ThreadFunc (arg=0x7fffd44a9180) at
/hack/mozilla-central/xpcom/threads/nsThread.cpp:257
#27 0x00007ffff7fb2e09 in _pt_root (arg=0x7fffd45f74c0) at
/hack/mozilla-central/nsprpub/pr/src/pthreads/ptthread.c:156
#28 0x00007ffff7bc4e9a in start_thread (arg=0x7fffd42ff700) at
pthread_create.c:308
#29 0x00007ffff70f44bd in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#30 0x0000000000000000 in ?? ()

Benoit

2012/8/24 Jason Evans <jasone at canonware.com>:
> My guess is that the application is passing a bogus pointer to free(), perhaps one that had already been freed.
>
> Jason
>
> On Aug 24, 2012, at 12:53 PM, Benoit Jacob wrote:
>> In the assertion failure in my last email, I have these local variables:
>>
>> (gdb) p run->nfree
>> $1 = 32767
>> (gdb) p bin_info->nregs
>> $2 = 51
>>
>> Benoit
>>
>> 2012/8/24 Benoit Jacob <jacob.benoit.1 at gmail.com>:
>>> And another crash, also an assertion about nfree not having the expected value:
>>>
>>> <jemalloc>: /hack/mozilla-central/memory/jemalloc/src/src/arena.c:165:
>>> Failed assertion: "run->nfree < bin_info->nregs"
>>>
>>> Program received signal SIGSEGV, Segmentation fault.
>>> 0x0000000000411605 in moz_abort () at
>>> /hack/mozilla-central/memory/build/extraMallocFuncs.c:116
>>> 116       MOZ_CRASH();
>>> (gdb) bt
>>> #0  0x0000000000411605 in moz_abort () at
>>> /hack/mozilla-central/memory/build/extraMallocFuncs.c:116
>>> #1  0x000000000041743a in arena_run_reg_dalloc (run=0x7fffbe37f000,
>>> ptr=0x7fffbe38af00) at
>>> /hack/mozilla-central/memory/jemalloc/src/src/arena.c:165
>>> #2  0x000000000041c5e7 in arena_dalloc_bin_locked
>>> (arena=0x7ffff6c00180, chunk=0x7fffbe300000, ptr=0x7fffbe38af00,
>>> mapelm=0x7fffbe300ce8) at
>>> /hack/mozilla-central/memory/jemalloc/src/src/arena.c:1590
>>> #3  0x000000000043c583 in tcache_bin_flush_small (tbin=0x7ffff6b022c8,
>>> binind=21, rem=51, tcache=0x7ffff6b02000) at
>>> /hack/mozilla-central/memory/jemalloc/src/src/tcache.c:128
>>> #4  0x000000000043bdd3 in tcache_dalloc_small (tcache=0x7ffff6b02000,
>>> ptr=0x7fffca24ff00, binind=21) at
>>> /hack/mozilla-central/memory/jemalloc/src/include/jemalloc/internal/tcache.h:399
>>> #5  0x00000000004132e8 in arena_dalloc (arena=0x7ffff6c00180,
>>> chunk=0x7fffca200000, ptr=0x7fffca24ff00, try_tcache=true) at
>>> /hack/mozilla-central/memory/jemalloc/src/include/jemalloc/internal/arena.h:956
>>> #6  0x000000000042e13d in idalloc (ptr=0x7fffca24ff00) at
>>> src/include/jemalloc/internal/jemalloc_internal.h:840
>>> #7  0x000000000042e18f in iqalloc (ptr=0x7fffca24ff00) at
>>> src/include/jemalloc/internal/jemalloc_internal.h:852
>>> #8  0x0000000000432a58 in real_je_free (ptr=0x7fffca24ff00) at
>>> /hack/mozilla-central/memory/jemalloc/src/src/jemalloc.c:1212
>>> #9  0x00000000004330d8 in free (ptr=0x7fffca24ff20) at
>>> /hack/mozilla-central/memory/jemalloc/src/src/jemalloc.c:1458
>>> #10 0x00007ffff7fe8022 in moz_free (ptr=0x7fffca24ff20) at
>>> /hack/mozilla-central/memory/mozalloc/mozalloc.cpp:51
>>> #11 0x00007ffff472490c in nsStringBuffer::Release
>>> (this=0x7fffca24ff20) at
>>> /hack/mozilla-central/xpcom/string/src/nsSubstring.cpp:161
>>> #12 0x00007ffff3e4c777 in FinalizeDOMString (fin=0x7ffff64b5058,
>>> chars=0x7fffca24ff28) at
>>> /hack/mozilla-central/js/xpconnect/src/XPCString.cpp:27
>>> #13 0x00007ffff514a137 in JSExternalString::finalize
>>> (this=0x7fffbf38d6c0, fop=0x7fffffffa000) at
>>> /hack/mozilla-central/js/src/vm/String-inl.h:439
>>> #14 0x00007ffff515f2a8 in js::gc::Arena::finalize<JSExternalString>
>>> (this=0x7fffbf38d000, fop=0x7fffffffa000,
>>> thingKind=js::gc::FINALIZE_EXTERNAL_STRING, thingSize=32) at
>>> /hack/mozilla-central/js/src/jsgc.cpp:319
>>>
>>>
>>> What can I do to help you help me?
>>>
>>> Could anyone at least give me a quick explanation of what these
>>> assertions are about?
>>>
>>> Thanks!
>>> Benoit
>>>
>>>
>>> 2012/8/21 Benoit Jacob <jacob.benoit.1 at gmail.com>:
>>>> Hi,
>>>>
>>>> I am attaching a patch that allows iterating over all allocated objects.
>>>>
>>>> This is not a request for upstreaming: these patches cause crashes and I
>>>> need help understanding them. And even if it didn't crash, this patch
>>>> causes a severe overhead in memory usage and no attempt has been made to
>>>> mitigate it. The goal of this effort is to allow custom developer builds of
>>>> Firefox to introspect their own allocated blocks.
>>>>
>>>> The patch (attached to this email) works by renaming the public functions
>>>> such as je_malloc() to real_je_malloc() and implementing a custom je_malloc()
>>>> that allocates a larger block and uses the extra space to store a
>>>> doubly-linked list element (an in-band header placed before the pointer
>>>> returned to the caller).
>>>>
>>>> In principle, this should be entirely transparent to the user (except for
>>>> the increased memory usage), so I don't understand the crashes. (Note from
>>>> later in this thread: that transparency only holds if every public entry
>>>> point that can hand out or take back a pointer -- calloc, realloc,
>>>> memalign/posix_memalign, malloc_usable_size and so on -- applies the same
>>>> header offset consistently; the backtraces below show free() shifting the
>>>> pointer by 0x20 before calling real_je_free(), so a pointer obtained
>>>> through an unwrapped path and released through the wrapped free() would
>>>> reach the allocator as a bogus pointer. Whether that is the cause here is
>>>> not established by the traces alone.)
>>>>
>>>> The crashes aren't immediate: I can run Firefox (this patch is for Firefox's
>>>> copy of jemalloc 3.0) for a while and browse a few pages without crashing.
>>>>
>>>> The crashes are assertion failures like this:
>>>>
>>>> Program received signal SIGSEGV, Segmentation fault.
>>>> 0x0000000000411605 in moz_abort ()
>>>>    at /hack/mozilla-central/memory/build/extraMallocFuncs.c:116
>>>> 116       MOZ_CRASH();
>>>> (gdb) bt
>>>> #0  0x0000000000411605 in moz_abort ()
>>>>    at /hack/mozilla-central/memory/build/extraMallocFuncs.c:116
>>>> #1  0x000000000041afdf in arena_bin_malloc_hard (arena=0x7ffff6c00180,
>>>> bin=0x7ffff6c007c8)
>>>>    at /hack/mozilla-central/memory/jemalloc/src/src/arena.c:1189
>>>> #2  0x000000000041b225 in arena_tcache_fill_small (arena=0x7ffff6c00180,
>>>>    tbin=0x7ffff6b02148, binind=9, prof_accumbytes=0)
>>>>    at /hack/mozilla-central/memory/jemalloc/src/src/arena.c:1232
>>>> #3  0x000000000043c239 in tcache_alloc_small_hard (tcache=0x7ffff6b02000,
>>>>    tbin=0x7ffff6b02148, binind=9)
>>>>    at /hack/mozilla-central/memory/jemalloc/src/src/tcache.c:72
>>>> #4  0x000000000043b7dc in tcache_alloc_small (tcache=0x7ffff6b02000,
>>>> size=160, zero=false)
>>>>    at
>>>> /hack/mozilla-central/memory/jemalloc/src/include/jemalloc/internal/tcache.h:302
>>>> #5  0x0000000000412c26 in arena_malloc (arena=0x0, size=160, zero=false,
>>>> try_tcache=true)
>>>>    at
>>>> /hack/mozilla-central/memory/jemalloc/src/include/jemalloc/internal/arena.h:869
>>>> #6  0x000000000042dce8 in imalloc (size=160)
>>>>    at src/include/jemalloc/internal/jemalloc_internal.h:735
>>>> #7  0x000000000043111c in real_je_malloc (size=160)
>>>>    at /hack/mozilla-central/memory/jemalloc/src/src/jemalloc.c:829
>>>> #8  0x0000000000432fa3 in malloc (size=128)
>>>>    at /hack/mozilla-central/memory/jemalloc/src/src/jemalloc.c:1425
>>>> #9  0x00007ffff7fe803c in moz_xmalloc (size=128)
>>>>    at /hack/mozilla-central/memory/mozalloc/mozalloc.cpp:57
>>>> #10 0x00007ffff2dcb74d in nsTArrayInfallibleAllocator::Malloc (size=128)
>>>>    at ../../dist/include/nsTArray.h:56
>>>> ...
>>>>
>>>> Printing some variables here:
>>>>
>>>> (gdb) up
>>>> #1  0x000000000041afdf in arena_bin_malloc_hard (arena=0x7ffff6c00180,
>>>> bin=0x7ffff6c007c8)
>>>>    at /hack/mozilla-central/memory/jemalloc/src/src/arena.c:1189
>>>> 1189            assert(bin->runcur->nfree > 0);
>>>> (gdb) p bin
>>>> $1 = (arena_bin_t *) 0x7ffff6c007c8
>>>> (gdb) p *bin
>>>> $2 = {lock = {lock = {__data = {__lock = 1, __count = 0, __owner = 6469,
>>>> __nusers = 1,
>>>>        __kind = 0, __spins = 0, __list = {__prev = 0x0, __next = 0x0}},
>>>>      __size = "\001\000\000\000\000\000\000\000E\031\000\000\001", '\000'
>>>> <repeats 26 times>, __align = 1}}, runcur = 0x7fffc2ced000, runs = {rbt_root
>>>> = 0x7fffca3004d8, rbt_nil = {{
>>>>        u = {rb_link = {rbn_left = 0x7ffff6c00800, rbn_right_red =
>>>> 0x7ffff6c00800},
>>>>          ql_link = {qre_next = 0x7ffff6c00800, qre_prev = 0x7ffff6c00800}},
>>>>        prof_ctx = 0x7ffff6c00800}, bits = 0}}, stats = {allocated =
>>>> 8896000,
>>>>    nmalloc = 197757, ndalloc = 142157, nrequests = 300344, nfills = 5545,
>>>>    nflushes = 2848, nruns = 2802, reruns = 5838, curruns = 1143}}
>>>> (gdb) p bin->runcur
>>>> $3 = (arena_run_t *) 0x7fffc2ced000
>>>> (gdb) p *(bin->runcur)
>>>> $4 = {bin = 0x7ffff6c007c8, nextind = 4544384, nfree = 0}
>>>>
>>>> Any help would be greatly appreciated.
>>>>
>>>> Thanks,
>>>> Benoit
>>
>
