| commit | 22aa4f5f8580f61dca90e613c4153c8ac704ec73 | |
| author | simonb@chromium.org <simonb@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | |
| Thu, 7 Aug 2014 19:55:36 +0000 (7 19:55 +0000) | ||
| committer | simonb@chromium.org <simonb@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | |
| Thu, 7 Aug 2014 19:55:36 +0000 (7 19:55 +0000) | ||
| tree | a9e0b2c35624748dca53364441e49cdec57bc20c | treesnapshot (tar.gz zip) |
| parent | 6a14e28bd14a72e362eca7436fced47c44c494e2 | commitdiff |
Speculative fix for occasional crazy linker crash.
crbug/397634 describes crashes that occur occasionally in the crazy linker
when loading the browser shared library. These crashes have been observed
only in the M37 beta.
The current theory is that part of the address range that the crazy linker
must map with MAP_FIXED for shared RELRO to work may, on occasions,
already be mapped. If it is mapped then the crazy linker's MAP_FIXED
to reserve space will overwrite it, with unpleasant results. The crazy
linker tries to use a range of addresses that is 'safe' from use by the
system, but it may not be watertight.
This fix should work round the problem by removing the MAP_FIXED from
the mmap that reserves space, so that if any part of the range is already
occupied then the mmap returns a valid mapping, just not at the requested
address. If that happens the fixed address load fails, and the
ChildProcessService retries with a non-fixed address.
This is mildly suboptimal since it loses the gain from shared RELRO, but
the library will still load and run. Occurrences of this in the M37
beta suggest that it will be a relatively rare event.
So far the bug reported by the beta has not shown up in testing, but
something a little similar can be simulated by deliberately moving the
crazy linker's wanted address to around the heap. With this perturbation
in place and without this fix, the browser crashes. When this fix is
added the browser/renderer library loads and runs, and correctly reports
back-out and retry in logcat.
BUG=397634
Review URL: https://codereview.chromium.org/443393003
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@288126 0039d316-1c4b-4281-b951-d872f2087c98
crbug/397634 describes crashes that occur occasionally in the crazy linker
when loading the browser shared library. These crashes have been observed
only in the M37 beta.
The current theory is that part of the address range that the crazy linker
must map with MAP_FIXED for shared RELRO to work may, on occasions,
already be mapped. If it is mapped then the crazy linker's MAP_FIXED
to reserve space will overwrite it, with unpleasant results. The crazy
linker tries to use a range of addresses that is 'safe' from use by the
system, but it may not be watertight.
This fix should work round the problem by removing the MAP_FIXED from
the mmap that reserves space, so that if any part of the range is already
occupied then the mmap returns a valid mapping, just not at the requested
address. If that happens the fixed address load fails, and the
ChildProcessService retries with a non-fixed address.
This is mildly suboptimal since it loses the gain from shared RELRO, but
the library will still load and run. Occurrences of this in the M37
beta suggest that it will be a relatively rare event.
So far the bug reported by the beta has not shown up in testing, but
something a little similar can be simulated by deliberately moving the
crazy linker's wanted address to around the heap. With this perturbation
in place and without this fix, the browser crashes. When this fix is
added the browser/renderer library loads and runs, and correctly reports
back-out and retry in logcat.
BUG=397634
Review URL: https://codereview.chromium.org/443393003
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@288126 0039d316-1c4b-4281-b951-d872f2087c98