Closed Bug 1145990 Opened 9 years ago Closed 9 years ago

"error for object 0x5a5a5a5a5a5a5a5a: pointer being freed was not allocated" with js1_5/Array/regress-474529.js

Categories

(Core :: JavaScript: GC, defect)

x86_64
macOS
defect
Not set
normal

RESOLVED DUPLICATE of bug 1140655

People

(Reporter: arai, Unassigned)

Details

(Keywords: csectype-uaf, sec-high)

(similar to bug 1140773)

This happens only with a js shell built with the entire Firefox (./mach build). It has not yet happened for me with a standalone js shell build (configure + make in js/src).

Revision:
  b8e628af0b5c

.mozconfig:
  mk_add_options AUTOCLOBBER=1
  export MOZ_PACKAGE_JSSHELL=1
  ac_add_options --enable-warnings-as-errors

Command:
  js/src/tests/jstests.py path/to/js js1_5/Array/regress-474529.js

Output:
----
## js1_5/Array/regress-474529.js: rc = -6, run time = 1.127071
BUGNUMBER: 474529
STATUS: Do not assert: _buf->_nextPage
Size	Rep.	Literal	new Arr	Array()
====	=====	=======	=======	=======
2	9000	1	0	0
3	7000	0	0	1
5	4000	0	0	1
9	2000	0	0	0
17	2000	0	1	0
33	2000	0	1	1
65	800	0	0	0
129	800	0	2	1
257	800	0	2	3
513	300	0	2	2
1025	100	0	2	2
2049	100	0	7	7
 PASSED! Do not assert: _buf->_nextPage
js(7007,0x101f04000) malloc: *** error for object 0x5a5a5a5a5a5a5a5a: pointer being freed was not allocated
*** set a breakpoint in malloc_error_break to debug
REGRESSION - js1_5/Array/regress-474529.js
[0|1|0|0] 100% ==========================================================>|   1.1s
REGRESSIONS
    js1_5/Array/regress-474529.js
FAIL
----

Here is the debug log:

----
(lldb) run --baseline-eager --no-fpu -f shell.js -f js1_5/shell.js -f js1_5/Array/shell.js -f js1_5/Array/regress-474529.js
BUGNUMBER: 474529
STATUS: Do not assert: _buf->_nextPage
Size	Rep.	Literal	new Arr	Array()
====	=====	=======	=======	=======
2	9000	1	0	1
3	7000	0	1	0
5	4000	1	0	1
9	2000	0	0	1
17	2000	0	1	0
33	2000	0	1	1
65	800	0	0	1
129	800	0	1	1
257	800	0	3	2
513	300	0	2	2
1025	100	0	1	1
2049	100	0	1	1
 PASSED! Do not assert: _buf->_nextPage
js(6967,0x101caf000) malloc: *** error for object 0x5a5a5a5a5a5a5a5a: pointer being freed was not allocated
*** set a breakpoint in malloc_error_break to debug
Process 6967 stopped
* thread #2: tid = 0x381128, 0x00007fff87761866 libsystem_kernel.dylib`__pthread_kill + 10, name = 'Analysis Helper', stop reason = signal SIGABRT
    frame #0: 0x00007fff87761866 libsystem_kernel.dylib`__pthread_kill + 10
libsystem_kernel.dylib`__pthread_kill + 10:
-> 0x7fff87761866:  jae    0x7fff87761870            ; __pthread_kill + 20
   0x7fff87761868:  movq   %rax, %rdi
   0x7fff8776186b:  jmp    0x7fff8775e175            ; cerror_nocancel
   0x7fff87761870:  retq   
(lldb) bt
* thread #2: tid = 0x381128, 0x00007fff87761866 libsystem_kernel.dylib`__pthread_kill + 10, name = 'Analysis Helper', stop reason = signal SIGABRT
  * frame #0: 0x00007fff87761866 libsystem_kernel.dylib`__pthread_kill + 10
    frame #1: 0x00007fff84c8235c libsystem_pthread.dylib`pthread_kill + 92
    frame #2: 0x00007fff8b451b1a libsystem_c.dylib`abort + 125
    frame #3: 0x00007fff8ee5e07f libsystem_malloc.dylib`free + 411
    frame #4: 0x0000000100135ff0 js`js::Nursery::FreeHugeSlotsTask::run() [inlined] js_free(p=<unavailable>) + 12 at Utility.h:146
    frame #5: 0x0000000100135fe4 js`js::Nursery::FreeHugeSlotsTask::run() [inlined] js::FreeOp::free_(p=<unavailable>) at Runtime.h:1501
    frame #6: 0x0000000100135fe4 js`js::Nursery::FreeHugeSlotsTask::run(this=0x0000000101f0a340) + 100 at Nursery.cpp:1002
    frame #7: 0x0000000100161653 js`js::HelperThread::threadLoop() [inlined] js::GCParallelTask::runFromHelperThread(this=0x0000000101f0a340) + 35 at HelperThreads.cpp:817
    frame #8: 0x0000000100161630 js`js::HelperThread::threadLoop() [inlined] js::HelperThread::handleGCParallelWorkload(this=<unavailable>) + 29 at HelperThreads.cpp:841
    frame #9: 0x0000000100161613 js`js::HelperThread::threadLoop(this=0x0000000101f49800) + 1075 at HelperThreads.cpp:1405
    frame #10: 0x00000001018029f1 libnss3.dylib`_pt_root(arg=0x0000000101f311a0) + 209 at ptthread.c:212
    frame #11: 0x00007fff84c81899 libsystem_pthread.dylib`_pthread_body + 138
    frame #12: 0x00007fff84c8172a libsystem_pthread.dylib`_pthread_start + 137
    frame #13: 0x00007fff84c85fc9 libsystem_pthread.dylib`thread_start + 13
----
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Group: core-security → core-security-release
Group: core-security-release