Add crash diagnostics for debugging unexpected zapped cells.

mark.lam@apple.com · mark.lam@apple.com · commit 58ea35cbf9ea · 2019-08-02T01:58:11.000Z
https://bugs.webkit.org/show_bug.cgi?id=200149 <rdar://problem/53570112> Reviewed by Yusuke Suzuki. Source/JavaScriptCore: Add a check for zapped cells in SlotVisitor::appendToMarkStack() and SlotVisitor::visitChildren(). If a zapped cell is detected, we will crash with some diagnostic info. To facilitate this, we've made the following changes: 1. Changed FreeCell to preserve the 1st 8 bytes. This is fine to do because all cells are at least 16 bytes long. 2. Changed HeapCell::zap() to only zap the structureID. Leave the rest of the cell header info intact (including the cell JSType). 3. Changed HeapCell::zap() to record the reason for zapping the cell. We stash the reason immediately after the first 8 bytes. This is the same location as FreeCell::scrambledNext. However, since a cell is not expected to be zapped and on the free list at the same time, it is also fine to do this. 4. Added a few utility functions to MarkedBlock for checking if a cell points into the block. 5. Added VMInspector and JSDollarVM utilities to dump in-use subspace hashes. 6. Added some comments to document the hashes of known subspaces. 7. Added Options::dumpZappedCellCrashData() to make this check conditional. We use this option to disable this check for slower machines so that their PLT5 performance is not impacted. * assembler/CPU.cpp: (JSC::hwL3CacheSize): (JSC::hwPhysicalCPUMax): * assembler/CPU.h: (JSC::hwL3CacheSize): (JSC::hwPhysicalCPUMax): * heap/FreeList.h: (JSC::FreeCell::offsetOfScrambledNext): * heap/HeapCell.h: (JSC::HeapCell::zap): (JSC::HeapCell::isZapped const): * heap/MarkedBlock.cpp: (JSC::MarkedBlock::Handle::stopAllocating): * heap/MarkedBlock.h: (JSC::MarkedBlock::Handle::start const): (JSC::MarkedBlock::Handle::end const): (JSC::MarkedBlock::Handle::contains const): * heap/MarkedBlockInlines.h: (JSC::MarkedBlock::Handle::specializedSweep): * heap/MarkedSpace.h: (JSC::MarkedSpace::forEachSubspace): * heap/SlotVisitor.cpp: (JSC::SlotVisitor::appendToMarkStack): (JSC::SlotVisitor::visitChildren): (JSC::SlotVisitor::reportZappedCellAndCrash): * heap/SlotVisitor.h: * jit/AssemblyHelpers.cpp: (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): * runtime/Options.cpp: (JSC::Options::initialize): * runtime/Options.h: * runtime/VM.cpp: (JSC::VM::VM): * tools/JSDollarVM.cpp: (JSC::functionDumpSubspaceHashes): (JSC::JSDollarVM::finishCreation): * tools/VMInspector.cpp: (JSC::VMInspector::dumpSubspaceHashes): * tools/VMInspector.h: Source/WebCore: No new tests because this is a feature for debugging crashes. It has been tested manually by modifying the code to force a crash at the point of interest. Added some comments to document the hashes of known subspaces. * bindings/js/WebCoreJSClientData.cpp: (WebCore::JSVMClientData::JSVMClientData): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@248143 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,72 @@
+2019-08-01  Mark Lam  <mark.lam@apple.com>
+
+        Add crash diagnostics for debugging unexpected zapped cells.
+        https://bugs.webkit.org/show_bug.cgi?id=200149
+        <rdar://problem/53570112>
+
+        Reviewed by Yusuke Suzuki.
+
+        Add a check for zapped cells in SlotVisitor::appendToMarkStack() and
+        SlotVisitor::visitChildren().  If a zapped cell is detected, we will crash with
+        some diagnostic info.
+
+        To facilitate this, we've made the following changes:
+        1. Changed FreeCell to preserve the 1st 8 bytes.  This is fine to do because all
+           cells are at least 16 bytes long.
+        2. Changed HeapCell::zap() to only zap the structureID.  Leave the rest of the
+           cell header info intact (including the cell JSType).
+        3. Changed HeapCell::zap() to record the reason for zapping the cell.  We stash
+           the reason immediately after the first 8 bytes.  This is the same location as
+           FreeCell::scrambledNext.  However, since a cell is not expected to be zapped
+           and on the free list at the same time, it is also fine to do this.
+        4. Added a few utility functions to MarkedBlock for checking if a cell points
+           into the block.
+        5. Added VMInspector and JSDollarVM utilities to dump in-use subspace hashes.
+        6. Added some comments to document the hashes of known subspaces.
+        7. Added Options::dumpZappedCellCrashData() to make this check conditional.
+           We use this option to disable this check for slower machines so that their
+           PLT5 performance is not impacted.
+
+        * assembler/CPU.cpp:
+        (JSC::hwL3CacheSize):
+        (JSC::hwPhysicalCPUMax):
+        * assembler/CPU.h:
+        (JSC::hwL3CacheSize):
+        (JSC::hwPhysicalCPUMax):
+        * heap/FreeList.h:
+        (JSC::FreeCell::offsetOfScrambledNext):
+        * heap/HeapCell.h:
+        (JSC::HeapCell::zap):
+        (JSC::HeapCell::isZapped const):
+        * heap/MarkedBlock.cpp:
+        (JSC::MarkedBlock::Handle::stopAllocating):
+        * heap/MarkedBlock.h:
+        (JSC::MarkedBlock::Handle::start const):
+        (JSC::MarkedBlock::Handle::end const):
+        (JSC::MarkedBlock::Handle::contains const):
+        * heap/MarkedBlockInlines.h:
+        (JSC::MarkedBlock::Handle::specializedSweep):
+        * heap/MarkedSpace.h:
+        (JSC::MarkedSpace::forEachSubspace):
+        * heap/SlotVisitor.cpp:
+        (JSC::SlotVisitor::appendToMarkStack):
+        (JSC::SlotVisitor::visitChildren):
+        (JSC::SlotVisitor::reportZappedCellAndCrash):
+        * heap/SlotVisitor.h:
+        * jit/AssemblyHelpers.cpp:
+        (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
+        * runtime/Options.cpp:
+        (JSC::Options::initialize):
+        * runtime/Options.h:
+        * runtime/VM.cpp:
+        (JSC::VM::VM):
+        * tools/JSDollarVM.cpp:
+        (JSC::functionDumpSubspaceHashes):
+        (JSC::JSDollarVM::finishCreation):
+        * tools/VMInspector.cpp:
+        (JSC::VMInspector::dumpSubspaceHashes):
+        * tools/VMInspector.h:
+
 2019-08-01  Keith Miller  <keith_miller@apple.com>
 
         Fix bug in testMulImm32SignExtend
diff --git a/Source/JavaScriptCore/assembler/CPU.cpp b/Source/JavaScriptCore/assembler/CPU.cpp
@@ -66,6 +66,27 @@ int kernTCSMAwareNumberOfProcessorCores()
     });
     return result;
 }
+
+int64_t hwL3CacheSize()
+{
+    int64_t val = 0;
+    size_t valSize = sizeof(val);
+    int rc = sysctlbyname("hw.l3cachesize", &val, &valSize, nullptr, 0);
+    if (rc < 0)
+        return 0;
+    return val;
+}
+
+int32_t hwPhysicalCPUMax()
+{
+    int64_t val = 0;
+    size_t valSize = sizeof(val);
+    int rc = sysctlbyname("hw.physicalcpu_max", &val, &valSize, nullptr, 0);
+    if (rc < 0)
+        return 0;
+    return val;
+}
+
 #endif // #if (CPU(X86) || CPU(X86_64)) && OS(DARWIN)
 
 } // namespace JSC
diff --git a/Source/JavaScriptCore/assembler/CPU.h b/Source/JavaScriptCore/assembler/CPU.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -145,10 +145,14 @@ inline bool hasSensibleDoubleToInt()
 bool isKernTCSMAvailable();
 bool enableKernTCSM();
 int kernTCSMAwareNumberOfProcessorCores();
+int64_t hwL3CacheSize();
+int32_t hwPhysicalCPUMax();
 #else
 ALWAYS_INLINE bool isKernTCSMAvailable() { return false; }
 ALWAYS_INLINE bool enableKernTCSM() { return false; }
 ALWAYS_INLINE int kernTCSMAwareNumberOfProcessorCores() { return WTF::numberOfProcessorCores(); }
+ALWAYS_INLINE int64_t hwL3CacheSize() { return 0; }
+ALWAYS_INLINE int32_t hwPhysicalCPUMax() { return kernTCSMAwareNumberOfProcessorCores(); }
 #endif
 
 } // namespace JSC
diff --git a/Source/JavaScriptCore/heap/FreeList.h b/Source/JavaScriptCore/heap/FreeList.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -53,6 +53,9 @@ struct FreeCell {
         return descramble(scrambledNext, secret);
     }
     
+    static ptrdiff_t offsetOfScrambledNext() { return OBJECT_OFFSETOF(FreeCell, scrambledNext); }
+
+    uint64_t preservedBitsForCrashAnalysis;
     uintptr_t scrambledNext;
 };
 
diff --git a/Source/JavaScriptCore/heap/HeapCell.h b/Source/JavaScriptCore/heap/HeapCell.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -47,8 +47,17 @@ class HeapCell {
     
     HeapCell() { }
     
-    void zap() { *reinterpret_cast_ptr<uintptr_t**>(this) = 0; }
-    bool isZapped() const { return !*reinterpret_cast_ptr<uintptr_t* const*>(this); }
+    // We're intentionally only zapping the bits for the structureID and leaving
+    // the rest of the cell header bits intact for crash analysis uses.
+    enum ZapReason : int8_t { Unspecified, Destruction, StopAllocating };
+    void zap(ZapReason reason)
+    {
+        uint32_t* cellWords = bitwise_cast<uint32_t*>(this);
+        cellWords[0] = 0;
+        // Leaving cellWords[1] alone for crash analysis if needed.
+        cellWords[2] = reason;
+    }
+    bool isZapped() const { return !*bitwise_cast<const uint32_t*>(this); }
 
     bool isLive();
 
diff --git a/Source/JavaScriptCore/heap/MarkedBlock.cpp b/Source/JavaScriptCore/heap/MarkedBlock.cpp
@@ -161,7 +161,7 @@ void MarkedBlock::Handle::stopAllocating(const FreeList& freeList)
             if (MarkedBlockInternal::verbose)
                 dataLog("Free cell: ", RawPointer(cell), "\n");
             if (m_attributes.destruction == NeedsDestruction)
-                cell->zap();
+                cell->zap(HeapCell::StopAllocating);
             block().clearNewlyAllocated(cell);
         });
     
diff --git a/Source/JavaScriptCore/heap/MarkedBlock.h b/Source/JavaScriptCore/heap/MarkedBlock.h
@@ -198,6 +198,10 @@ class MarkedBlock {
         void didAddToDirectory(BlockDirectory*, size_t index);
         void didRemoveFromDirectory();
         
+        void* start() const { return &m_block->atoms()[0]; }
+        void* end() const { return &m_block->atoms()[m_endAtom]; }
+        bool contains(void* p) const { return start() <= p && p < end(); }
+
         void dumpState(PrintStream&);
         
     private:
diff --git a/Source/JavaScriptCore/heap/MarkedBlockInlines.h b/Source/JavaScriptCore/heap/MarkedBlockInlines.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -258,7 +258,7 @@ void MarkedBlock::Handle::specializedSweep(FreeList* freeList, MarkedBlock::Hand
         JSCell* jsCell = static_cast<JSCell*>(cell);
         if (!jsCell->isZapped()) {
             destroyFunc(vm, jsCell);
-            jsCell->zap();
+            jsCell->zap(HeapCell::Destruction);
         }
     };
     
diff --git a/Source/JavaScriptCore/heap/MarkedSpace.h b/Source/JavaScriptCore/heap/MarkedSpace.h
@@ -124,6 +124,7 @@ class MarkedSpace {
     template<typename Functor> void forEachLiveCell(HeapIterationScope&, const Functor&);
     template<typename Functor> void forEachDeadCell(HeapIterationScope&, const Functor&);
     template<typename Functor> void forEachBlock(const Functor&);
+    template<typename Functor> void forEachSubspace(const Functor&);
 
     void shrink();
     void freeBlock(MarkedBlock::Handle*);
@@ -240,6 +241,16 @@ void MarkedSpace::forEachDirectory(const Functor& functor)
     }
 }
 
+template<typename Functor>
+void MarkedSpace::forEachSubspace(const Functor& functor)
+{
+    for (auto subspace : m_subspaces) {
+        if (functor(*subspace) == IterationStatus::Done)
+            return;
+    }
+}
+
+
 ALWAYS_INLINE size_t MarkedSpace::optimalSizeFor(size_t bytes)
 {
     ASSERT(bytes);
diff --git a/Source/JavaScriptCore/heap/SlotVisitor.cpp b/Source/JavaScriptCore/heap/SlotVisitor.cpp
@@ -286,8 +286,14 @@ template<typename ContainerType>
 ALWAYS_INLINE void SlotVisitor::appendToMarkStack(ContainerType& container, JSCell* cell)
 {
     ASSERT(m_heap.isMarked(cell));
+#if CPU(X86_64)
+    if (Options::dumpZappedCellCrashData()) {
+        if (UNLIKELY(cell->isZapped()))
+            reportZappedCellAndCrash(cell);
+    }
+#endif
     ASSERT(!cell->isZapped());
-    
+
     container.noteMarked();
     
     m_visitCount++;
@@ -385,6 +391,17 @@ ALWAYS_INLINE void SlotVisitor::visitChildren(const JSCell* cell)
     default:
         // FIXME: This could be so much better.
         // https://bugs.webkit.org/show_bug.cgi?id=162462
+#if CPU(X86_64)
+        if (Options::dumpZappedCellCrashData()) {
+            Structure* structure = cell->structure(vm());
+            if (LIKELY(structure)) {
+                const MethodTable* methodTable = &structure->classInfo()->methodTable;
+                methodTable->visitChildren(const_cast<JSCell*>(cell), *this);
+                break;
+            }
+            reportZappedCellAndCrash(const_cast<JSCell*>(cell));
+        }
+#endif
         cell->methodTable(vm())->visitChildren(const_cast<JSCell*>(cell), *this);
         break;
     }
@@ -804,4 +821,33 @@ void SlotVisitor::addParallelConstraintTask(RefPtr<SharedTask<void(SlotVisitor&)
     m_currentSolver->addParallelTask(task, *m_currentConstraint);
 }
 
+#if CPU(X86_64)
+NEVER_INLINE NO_RETURN_DUE_TO_CRASH NOT_TAIL_CALLED void SlotVisitor::reportZappedCellAndCrash(JSCell* cell)
+{
+    MarkedBlock::Handle* foundBlock = nullptr;
+    uint32_t* cellWords = reinterpret_cast_ptr<uint32_t*>(this);
+
+    uintptr_t cellAddress = bitwise_cast<uintptr_t>(cell);
+    uintptr_t headerWord = cellWords[1];
+    uintptr_t zapReason = cellWords[2];
+    unsigned subspaceHash = 0;
+    size_t cellSize = 0;
+
+    m_heap.objectSpace().forEachBlock([&] (MarkedBlock::Handle* block) {
+        if (block->contains(cell)) {
+            foundBlock = block;
+            return IterationStatus::Done;
+        }
+        return IterationStatus::Continue;
+    });
+
+    if (foundBlock) {
+        subspaceHash = StringHasher::computeHash(foundBlock->subspace()->name());
+        cellSize = foundBlock->cellSize();
+    }
+
+    CRASH_WITH_INFO(cellAddress, headerWord, zapReason, subspaceHash, cellSize);
+}
+#endif // PLATFORM(MAC)
+
 } // namespace JSC
diff --git a/Source/JavaScriptCore/heap/SlotVisitor.h b/Source/JavaScriptCore/heap/SlotVisitor.h
@@ -227,6 +227,10 @@ class SlotVisitor {
     bool hasWork(const AbstractLocker&);
     bool didReachTermination(const AbstractLocker&);
 
+#if CPU(X86_64)
+    NEVER_INLINE NO_RETURN_DUE_TO_CRASH NOT_TAIL_CALLED void reportZappedCellAndCrash(JSCell*);
+#endif
+
     template<typename Func>
     IterationStatus forEachMarkStack(const Func&);
 
diff --git a/Source/JavaScriptCore/jit/AssemblyHelpers.cpp b/Source/JavaScriptCore/jit/AssemblyHelpers.cpp
@@ -546,7 +546,7 @@ void AssemblyHelpers::emitAllocateWithNonNullAllocator(GPRReg resultGPR, const J
         
     // The object is half-allocated: we have what we know is a fresh object, but
     // it's still on the GC's free list.
-    loadPtr(Address(resultGPR), scratchGPR);
+    loadPtr(Address(resultGPR, FreeCell::offsetOfScrambledNext()), scratchGPR);
     storePtr(scratchGPR, Address(allocatorGPR, LocalAllocator::offsetOfFreeList() + FreeList::offsetOfScrambledHead()));
         
     done.link(this);
diff --git a/Source/JavaScriptCore/runtime/Options.cpp b/Source/JavaScriptCore/runtime/Options.cpp
@@ -604,6 +604,11 @@ void Options::initialize()
                 }
             }
 #endif
+
+#if CPU(X86_64) && OS(DARWIN)
+            Options::dumpZappedCellCrashData() =
+                (hwPhysicalCPUMax() >= 4) && (hwL3CacheSize() >= static_cast<int64_t>(6 * MB));
+#endif
         });
 }
 
diff --git a/Source/JavaScriptCore/runtime/Options.h b/Source/JavaScriptCore/runtime/Options.h
@@ -241,6 +241,7 @@ constexpr bool enableWebAssemblyStreamingApi = false;
     v(bool, useBumpAllocator, true, Normal, nullptr) \
     v(bool, stealEmptyBlocksFromOtherAllocators, true, Normal, nullptr) \
     v(bool, eagerlyUpdateTopCallFrame, false, Normal, nullptr) \
+    v(bool, dumpZappedCellCrashData, false, Normal, nullptr) \
     \
     v(bool, useOSREntryToDFG, true, Normal, nullptr) \
     v(bool, useOSREntryToFTL, true, Normal, nullptr) \
diff --git a/Source/JavaScriptCore/runtime/VM.cpp b/Source/JavaScriptCore/runtime/VM.cpp
diff --git a/Source/JavaScriptCore/tools/JSDollarVM.cpp b/Source/JavaScriptCore/tools/JSDollarVM.cpp
diff --git a/Source/JavaScriptCore/tools/VMInspector.cpp b/Source/JavaScriptCore/tools/VMInspector.cpp
diff --git a/Source/JavaScriptCore/tools/VMInspector.h b/Source/JavaScriptCore/tools/VMInspector.h
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
diff --git a/Source/WebCore/bindings/js/WebCoreJSClientData.cpp b/Source/WebCore/bindings/js/WebCoreJSClientData.cpp

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`/*`
`2`		`- * Copyright (C) 2016-2017 Apple Inc. All rights reserved.`
	`2`	`+ * Copyright (C) 2016-2019 Apple Inc. All rights reserved.`
`3`	`3`	`*`
`4`	`4`	`* Redistribution and use in source and binary forms, with or without`
`5`	`5`	`* modification, are permitted provided that the following conditions`
`@@ -53,6 +53,9 @@ struct FreeCell {`
`53`	`53`	`return descramble(scrambledNext, secret);`
`54`	`54`	`}`
`55`	`55`
	`56`	`+ static ptrdiff_t offsetOfScrambledNext() { return OBJECT_OFFSETOF(FreeCell, scrambledNext); }`
	`57`	`+`
	`58`	`+ uint64_t preservedBitsForCrashAnalysis;`
`56`	`59`	`uintptr_t scrambledNext;`
`57`	`60`	`};`
`58`	`61`
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`/*`
`2`		`- * Copyright (C) 2016-2018 Apple Inc. All rights reserved.`
	`2`	`+ * Copyright (C) 2016-2019 Apple Inc. All rights reserved.`
`3`	`3`	`*`
`4`	`4`	`* Redistribution and use in source and binary forms, with or without`
`5`	`5`	`* modification, are permitted provided that the following conditions`
`@@ -258,7 +258,7 @@ void MarkedBlock::Handle::specializedSweep(FreeList* freeList, MarkedBlock::Hand`
`258`	`258`	`JSCell* jsCell = static_cast<JSCell*>(cell);`
`259`	`259`	`if (!jsCell->isZapped()) {`
`260`	`260`	`destroyFunc(vm, jsCell);`
`261`		`- jsCell->zap();`
	`261`	`+ jsCell->zap(HeapCell::Destruction);`
`262`	`262`	`}`
`263`	`263`	`};`
`264`	`264`