Bug 1145990
Opened 9 years ago
Closed 9 years ago
"error for object 0x5a5a5a5a5a5a5a5a: pointer being freed was not allocated" with js1_5/Array/regress-474529.js
Categories: Core :: JavaScript: GC, defect
Status: RESOLVED DUPLICATE of bug 1140655
People: Reporter: arai, Unassigned
Keywords: csectype-uaf, sec-high
(similar to bug 1140773)

Happens only with the js shell built with the entire Firefox build (./mach build). It has not yet happened for me with a standalone js shell build (configure + make in js/src).

Revision: b8e628af0b5c

.mozconfig:
mk_add_options AUTOCLOBBER=1
export MOZ_PACKAGE_JSSHELL=1
ac_add_options --enable-warnings-as-errors

Command:
js/src/tests/jstests.py path/to/js js1_5/Array/regress-474529.js

Output:
----
## js1_5/Array/regress-474529.js: rc = -6, run time = 1.127071
BUGNUMBER: 474529
STATUS: Do not assert: _buf->_nextPage
Size  Rep.  Literal  new Arr  Array()
====  ====  =======  =======  =======
   2  9000        1        0        0
   3  7000        0        0        1
   5  4000        0        0        1
   9  2000        0        0        0
  17  2000        0        1        0
  33  2000        0        1        1
  65   800        0        0        0
 129   800        0        2        1
 257   800        0        2        3
 513   300        0        2        2
1025   100        0        2        2
2049   100        0        7        7
PASSED! Do not assert: _buf->_nextPage
js(7007,0x101f04000) malloc: *** error for object 0x5a5a5a5a5a5a5a5a: pointer being freed was not allocated
*** set a breakpoint in malloc_error_break to debug
REGRESSION - js1_5/Array/regress-474529.js
[0|1|0|0] 100% ==========================================================>| 1.1s
REGRESSIONS
    js1_5/Array/regress-474529.js
FAIL
----

Here is the debug log:
----
(lldb) run --baseline-eager --no-fpu -f shell.js -f js1_5/shell.js -f js1_5/Array/shell.js -f js1_5/Array/regress-474529.js
BUGNUMBER: 474529
STATUS: Do not assert: _buf->_nextPage
Size  Rep.  Literal  new Arr  Array()
====  ====  =======  =======  =======
   2  9000        1        0        1
   3  7000        0        1        0
   5  4000        1        0        1
   9  2000        0        0        1
  17  2000        0        1        0
  33  2000        0        1        1
  65   800        0        0        1
 129   800        0        1        1
 257   800        0        3        2
 513   300        0        2        2
1025   100        0        1        1
2049   100        0        1        1
PASSED! Do not assert: _buf->_nextPage
js(6967,0x101caf000) malloc: *** error for object 0x5a5a5a5a5a5a5a5a: pointer being freed was not allocated
*** set a breakpoint in malloc_error_break to debug
Process 6967 stopped
* thread #2: tid = 0x381128, 0x00007fff87761866 libsystem_kernel.dylib`__pthread_kill + 10, name = 'Analysis Helper', stop reason = signal SIGABRT
    frame #0: 0x00007fff87761866 libsystem_kernel.dylib`__pthread_kill + 10
libsystem_kernel.dylib`__pthread_kill + 10:
->  0x7fff87761866:  jae    0x7fff87761870            ; __pthread_kill + 20
    0x7fff87761868:  movq   %rax, %rdi
    0x7fff8776186b:  jmp    0x7fff8775e175            ; cerror_nocancel
    0x7fff87761870:  retq
(lldb) bt
* thread #2: tid = 0x381128, 0x00007fff87761866 libsystem_kernel.dylib`__pthread_kill + 10, name = 'Analysis Helper', stop reason = signal SIGABRT
  * frame #0: 0x00007fff87761866 libsystem_kernel.dylib`__pthread_kill + 10
    frame #1: 0x00007fff84c8235c libsystem_pthread.dylib`pthread_kill + 92
    frame #2: 0x00007fff8b451b1a libsystem_c.dylib`abort + 125
    frame #3: 0x00007fff8ee5e07f libsystem_malloc.dylib`free + 411
    frame #4: 0x0000000100135ff0 js`js::Nursery::FreeHugeSlotsTask::run() [inlined] js_free(p=<unavailable>) + 12 at Utility.h:146
    frame #5: 0x0000000100135fe4 js`js::Nursery::FreeHugeSlotsTask::run() [inlined] js::FreeOp::free_(p=<unavailable>) at Runtime.h:1501
    frame #6: 0x0000000100135fe4 js`js::Nursery::FreeHugeSlotsTask::run(this=0x0000000101f0a340) + 100 at Nursery.cpp:1002
    frame #7: 0x0000000100161653 js`js::HelperThread::threadLoop() [inlined] js::GCParallelTask::runFromHelperThread(this=0x0000000101f0a340) + 35 at HelperThreads.cpp:817
    frame #8: 0x0000000100161630 js`js::HelperThread::threadLoop() [inlined] js::HelperThread::handleGCParallelWorkload(this=<unavailable>) + 29 at HelperThreads.cpp:841
    frame #9: 0x0000000100161613 js`js::HelperThread::threadLoop(this=0x0000000101f49800) + 1075 at HelperThreads.cpp:1405
    frame #10: 0x00000001018029f1 libnss3.dylib`_pt_root(arg=0x0000000101f311a0) + 209 at ptthread.c:212
    frame #11: 0x00007fff84c81899 libsystem_pthread.dylib`_pthread_body + 138
    frame #12: 0x00007fff84c8172a libsystem_pthread.dylib`_pthread_start + 137
    frame #13: 0x00007fff84c85fc9 libsystem_pthread.dylib`thread_start + 13
----
Updated 9 years ago
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE

Updated 9 years ago
Group: core-security → core-security-release

Updated 8 years ago
Group: core-security-release

Updated 8 years ago
Keywords: csectype-uaf, sec-high