Bug 788631 - incorrect munmap in mozglue/linker/Mappable.cpp?
Opened 12 years ago, closed 12 years ago
Product :: Component: Core :: mozglue (defect)
Status: RESOLVED INVALID
Reporter: spam_hole; Assignee: Unassigned
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:14.0) Gecko/20100101 Firefox/14.0.1
Build ID: 20120713134347

Steps to reproduce:

See http://hg.mozilla.org/mozilla-central/file/eb201b1e55fd/mozglue/linker/Mappable.cpp#l251. To me this looks like a bug: the munmap call will unmap a region of memory based off 'this' (which could in fact be very, very far away from 'this' because the pointer arithmetic is based on _MappableBuffer-sized chunks), instead of from 'buf' (which was the original allocation).

Actual results:

The result is likely to be nothing in the majority of cases, or a random difficult-to-pin-down crash when some other component finds a small page-sized hole in its memory. The latter is what triggered an investigation using ptrace, which found the random munmap call to be the culprit.

Expected results:

'this' should be changed to 'buf'.
Updated • 12 years ago
Component: General → mozglue
Product: Firefox for Android → Core
Version: Firefox 14 → Trunk
Comment 1 • 12 years ago
_MappableBuffer inherits from MappedPtr, which has an operator + doing the right thing. Kind of ugly, but this code will eventually go away with bug 725231.
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID
Odd. I was definitely seeing an invalid ("wild") non-aligned `munmap` call in ptrace coming from Mozilla. Maybe it was something else. Maybe it'll go away when that code is removed; otherwise I'll do some more digging and submit a new bug.
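The disagreement in this thread comes down to what `+` means for an object of a class that defines its own `operator+` versus for a raw pointer to that object. The following is an added C++ illustration, not the mozglue source: `MappedPtrLike` and `BufferLike` are hypothetical stand-ins for the `MappedPtr` and `_MappableBuffer` classes named above, assuming only the behaviour Comment 1 describes (a byte-offset `operator+` on the base class).

```cpp
#include <cstddef>
#include <cstdint>
#include <new>

// Hypothetical stand-in for MappedPtr (not the mozglue source): holds the base and
// length of a mapping; "mapping + n" means "n bytes past the mapping base".
class MappedPtrLike {
public:
    MappedPtrLike(void *base, std::size_t length) : mapped_(base), length_(length) {}
    operator void *() const { return mapped_; }  // raw base address of the mapping
    // Byte-granular offset: the operand is never scaled by sizeof(*this).
    void *operator+(std::ptrdiff_t offset) const {
        return static_cast<char *>(mapped_) + offset;
    }
private:
    void *mapped_;
    std::size_t length_;
};

// Hypothetical stand-in for _MappableBuffer: the object header sits at the start
// of the region and the mapping it describes begins right after the header.
class BufferLike : public MappedPtrLike {
public:
    BufferLike(void *region, std::size_t length)
        : MappedPtrLike(static_cast<char *>(region) + sizeof(BufferLike), length) {}
    // "*this + n" selects MappedPtrLike::operator+: a byte offset from the mapping
    // base, which is the address a caller computing an unmap target wants.
    std::uintptr_t ViaOperatorPlus(std::ptrdiff_t n) const {
        return reinterpret_cast<std::uintptr_t>(*this + n);
    }
    // "this + n" is built-in arithmetic on a BufferLike*: it advances by
    // n * sizeof(BufferLike) from the header, the reading the report objected to.
    std::uintptr_t ViaRawPointer(std::ptrdiff_t n) const {
        return reinterpret_cast<std::uintptr_t>(this + n);
    }
};

struct Demo { std::uintptr_t header, base, via_op_plus, via_raw; };

// Constructed demonstration: place the header at the start of a static region,
// as the placement-new pattern does, and compute both kinds of "+ n".
Demo RunDemo(std::ptrdiff_t n) {
    alignas(BufferLike) static unsigned char region[4096];
    BufferLike *obj = new (region) BufferLike(region, sizeof(region) - sizeof(BufferLike));
    return Demo{reinterpret_cast<std::uintptr_t>(obj),
                reinterpret_cast<std::uintptr_t>(static_cast<void *>(*obj)),
                obj->ViaOperatorPlus(n), obj->ViaRawPointer(n)};
}
```

`RunDemo(8).via_op_plus` lands 8 bytes past the mapping base, while `RunDemo(8).via_raw` lands `8 * sizeof(BufferLike)` bytes past the header; only the former is a sensible argument for an unmap of the mapped region.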