Closed Bug 788631 Opened 12 years ago Closed 12 years ago

incorrect munmap in mozglue/linker/Mappable.cpp?

Categories

(Core :: mozglue, defect)

x86
macOS
normal

RESOLVED INVALID

People

(Reporter: spam_hole, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:14.0) Gecko/20100101 Firefox/14.0.1
Build ID: 20120713134347

Steps to reproduce:

See http://hg.mozilla.org/mozilla-central/file/eb201b1e55fd/mozglue/linker/Mappable.cpp#l251. To me this looks like a bug: the munmap call will unmap a region of memory based off 'this' (which could in fact be very, very far away from 'this' because the pointer arithmetic is based on _MappableBuffer-sized chunks), instead of from 'buf' (which was the original allocation).


Actual results:

The result is likely to be nothing in the majority of cases, or a random difficult-to-pin-down crash when some other component finds a small page-sized hole in its memory. The latter is what triggered an investigation using ptrace, which found the random munmap call to be the culprit.


Expected results:

'this' should be changed to 'buf'.
Component: General → mozglue
Product: Firefox for Android → Core
Version: Firefox 14 → Trunk
_MappableBuffer inherits from MappedPtr, which has an operator + doing the right thing. Kind of ugly, but this code will eventually go away with bug 725231.
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID
Odd. I was definitely seeing an invalid ("wild") non-aligned `munmap` call in ptrace coming from Mozilla. Maybe it was something else. Maybe it'll go away when that code is removed; otherwise I'll do some more digging and submit a new bug.
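An added illustration of the point made in the two comments above, not code from the Mozilla tree: `MappedPtr` and `Buffer` are stand-ins of an assumed shape for mozglue's MappedPtr and _MappableBuffer, and the trailing-page trim is an invented demonstration rather than the linker's real logic. It shows that `*this + n` on the subclass resolves to the wrapper's byte-granular `operator+` and yields the same address as `buf + n`, whereas arithmetic on the raw `this` pointer would be scaled by `sizeof(Buffer)`.

```cpp
#include <cstddef>
#include <cstdint>
#include <sys/mman.h>
#include <unistd.h>

// Stand-in for mozglue's MappedPtr (assumed shape, not the real class): holds
// a mapping's base and length; operator+ yields "n bytes past the base", so
// `*this + n` on a subclass is never scaled by the subclass's size.
class MappedPtr {
public:
  MappedPtr(void *base, size_t len) : base_(base), len_(len) {}
  void *operator+(size_t off) const { return static_cast<char *>(base_) + off; }
private:
  void *base_;
  size_t len_;
};

// Stand-in for _MappableBuffer: extra members make sizeof(Buffer) large, so a
// scaled `this + n` would land far away from the mapping.
class Buffer : public MappedPtr {
public:
  Buffer(void *base, size_t len) : MappedPtr(base, len), fd_(-1), pad_{} {}
  // `*this + off` resolves to MappedPtr::operator+: byte offset from the base.
  uintptr_t viaOperatorPlus(size_t off) const { return reinterpret_cast<uintptr_t>(*this + off); }
  // What the report feared: the offset scaled by sizeof(Buffer) from the object itself.
  uintptr_t viaScaledThis(size_t off) const { return reinterpret_cast<uintptr_t>(this) + off * sizeof(Buffer); }
private:
  int fd_;
  char pad_[56];
};

// Map `pages` pages plus one extra, then unmap only the extra page through the
// wrapper (an illustrative trim, not the linker's actual code). Returns true
// when `*this + len` equals `buf + len` and the page-aligned munmap succeeds.
bool trailingPageUnmapMatchesBuf(size_t pages) {
  size_t page = static_cast<size_t>(sysconf(_SC_PAGESIZE));
  size_t len = pages * page;
  void *buf = mmap(nullptr, len + page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
  if (buf == MAP_FAILED) return false;
  Buffer b(buf, len);
  uintptr_t fromBuf = reinterpret_cast<uintptr_t>(static_cast<char *>(buf) + len);
  bool same = b.viaOperatorPlus(len) == fromBuf;
  bool unmapped = munmap(b + len, page) == 0;  // byte arithmetic, not object arithmetic
  munmap(buf, len);
  return same && unmapped;
}
```

A wild, non-page-aligned munmap of the kind the reporter saw in ptrace would come from the scaled `viaScaledThis` form, which this wrapper never produces.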