Bug 1063180 (Closed) - Crash with glibc-detected free on invalid pointer [@ maybeAnalyze]
Opened 10 years ago, closed 10 years ago
Categories: Core :: JavaScript Engine, defect
Tracking: VERIFIED FIXED, target milestone mozilla35
Branch | Tracking | Status
---|---|---
firefox34 | --- | unaffected
firefox35 | --- | verified
firefox-esr31 | --- | unaffected
People: Reporter: decoder, Assigned: bhackett1024
Details: 4 keywords, Whiteboard: [jsbugmon:update]
Attachments (1 file): patch, 863 bytes, jandem: review+
The following testcase crashes on mozilla-central revision 776fa9cf70cd (run with --no-threads --fuzzing-safe --baseline-eager):

```js
function TestCase( e, a) this.passed = getTestCaseResult(e, a);
function reportCompare (actual) {
  new TestCase( '', actual);
}
function getTestCaseResult(expected, actual)
function writeTestCaseResult( expect, actual ) {}
var lfcode = new Array();
lfcode.push = loadFile;
parseInt("4");
lfcode.push("\
new TestCase(true, eval(\"var OBJ = new MyObject(true); OBJ.valueOf()\") );\
function MyObject( value ) {}\
");
lfcode.push("var testcase = new TestCase(getTestCaseResult,'x');");
lfcode.push("\
var TIME_0000 = (function () {})();\
var TIME_NOW = now.valueOf();\
");
lfcode.push("\
addTestCase( TIME_NOW );\
addTestCase( TIME_0000 );\
function addTestCase( t ) {\
  for ( m = 0; m <= 60; m+=10 )\
    new TestCase( '', (new Date(t)).getSeconds() );\
}\
actual = (Date.prototype.test instanceof Date);\
reportCompare(actual);\
reportCompare(actual);\
reportCompare(actual);\
reportCompare(actual);\
reportCompare(actual);\
");
function loadFile(lfVarx) {
  try {
    evaluate(lfVarx);
  } catch (lfVare) {}
}
```
Comment 1 • Reporter • 10 years ago
Backtrace:

```
*** glibc detected *** debug64/js/src/shell/js: free(): invalid pointer: 0x00007ffff6f89778 ***

Program received signal SIGABRT, Aborted.
0x00007ffff6c07425 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#0  0x00007ffff6c07425 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007ffff6c0ab8b in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x00007ffff6c4539e in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#3  0x00007ffff6c4fb96 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#4  0x00000000009662fd in js_free (p=<optimized out>) at ../../dist/include/js/Utility.h:123
#5  maybeAnalyze (regenerate=<optimized out>, type=<optimized out>, cx=<optimized out>, this=<optimized out>, force=<optimized out>) at js/src/jsinfer.cpp:3932
#6  js::CreateThisForFunctionWithProto (cx=0x7fffffff9eb0, callee=..., proto=0x7ffff57490a0, newKind=26620448) at js/src/jsobj.cpp:1803
#7  0x0000000000966cc2 in js::CreateThisForFunction (cx=0x1963220, callee=..., newKind=js::MaybeSingletonObject) at js/src/jsobj.cpp:1840
```

Marking sec-critical due to invalid-free.
status-firefox35: --- → affected
Keywords: csectype-wildptr, sec-critical
Whiteboard: [jsbugmon:update,bisect]
Updated • Reporter • 10 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 2 • Reporter • 10 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

```
The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/a1b25f21fe08
user:        Brian Hackett
date:        Tue Sep 02 13:47:34 2014 -0600
summary:     Bug 1041688 - Add acquired properties analysis, r=jandem.
```

This iteration took 394.411 seconds to run.
Comment 3 • Reporter • 10 years ago
Needinfo from Brian, based on comment 2 :)
Flags: needinfo?(bhackett1024)
Comment 4 • Assignee • 10 years ago
If the definite properties analysis cleared the new script from the type it was analyzing, the remainder of the new script properties analysis would blithely continue using that freed data.
Assignee: nobody → bhackett1024
Attachment #8485062 - Flags: review?(jdemooij)
Flags: needinfo?(bhackett1024)
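Comment 4 describes a pattern worth seeing in isolation: an analysis caches a pointer into an object it is working on, calls a sub-step that is allowed to clear (free) that very data, and then carries on with the cached pointer, ending by freeing memory a second time, which is what glibc reported as `free(): invalid pointer` in comment 1. The C program below is an added example, not SpiderMonkey code and not the attached patch: the `TypeObject`/`NewScript` structures, the `definitePropertiesStep` sub-step and the quarantining `trackedFree` are hypothetical stand-ins chosen to model the comment. It shows the buggy shape beside the fixed one (re-read the owning pointer after any call that may clear it and bail out if it is gone), and uses a small allocator quarantine, the kind of instrumentation a debugging allocator or sanitizer provides, to count invalid frees instead of letting them corrupt the heap.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model (not SpiderMonkey code): a type owns a "new script" whose
 * preliminary property list is consumed by an analysis; a sub-step of that
 * analysis may clear the new script entirely, freeing it. */
typedef struct NewScript {
    int  preliminaryCount;
    int *preliminaryProps;   /* owned; released when the analysis finishes */
    int  definiteCount;      /* filled in by the analysis */
} NewScript;

typedef struct TypeObject {
    NewScript *newScript;    /* owned; may be cleared while being analyzed */
} TypeObject;

/* Instrumented free modelled on an allocator quarantine: blocks are parked, not
 * released, so a second free of the same block is counted instead of corrupting
 * the heap. Memory is not poisoned, so stale reads still see old contents.
 * The demo never comes close to filling the quarantine. */
#define QUARANTINE_MAX 64
static void *quarantine[QUARANTINE_MAX];
static int   quarantineCount = 0;
static int   invalidFreeCount = 0;

static void trackedFree(void *p) {
    if (!p) return;
    for (int i = 0; i < quarantineCount; i++)
        if (quarantine[i] == p) { invalidFreeCount++; return; }
    if (quarantineCount < QUARANTINE_MAX) quarantine[quarantineCount++] = p;
}

static void flushQuarantine(void) {
    for (int i = 0; i < quarantineCount; i++) free(quarantine[i]);
    quarantineCount = 0;
}

/* Constructed sample: a positive value marks a property the analysis treats as definite. */
static NewScript *newScriptCreate(const int *props, int n) {
    NewScript *s = calloc(1, sizeof *s);
    s->preliminaryProps = malloc(sizeof(int) * (size_t)n);
    for (int i = 0; i < n; i++) s->preliminaryProps[i] = props[i];
    s->preliminaryCount = n;
    return s;
}

static void newScriptDestroy(NewScript *s) {
    trackedFree(s->preliminaryProps);
    trackedFree(s);
}

/* Frees the type's new script and drops the owning pointer. */
static void typeClearNewScript(TypeObject *type) {
    if (!type->newScript) return;
    newScriptDestroy(type->newScript);
    type->newScript = NULL;
}

/* Stand-in for the definite-properties sub-step: when it gives up on the type it
 * clears the new script, which is exactly the event the caller must notice. */
static void definitePropertiesStep(TypeObject *type, bool giveUp) {
    if (giveUp) typeClearNewScript(type);
}

/* Shared tail of the analysis: count definite properties, then release the
 * preliminary list, which is only needed until the analysis is done. */
static int finishAnalysis(NewScript *script) {
    int definite = 0;
    for (int i = 0; i < script->preliminaryCount; i++)
        if (script->preliminaryProps[i] > 0) definite++;
    script->definiteCount = definite;
    trackedFree(script->preliminaryProps);
    script->preliminaryProps = NULL;
    return definite;
}

/* BUGGY: caches the pointer across the step that may free it, then keeps going;
 * with giveUp set this reads freed memory and frees the property list twice. */
static int maybeAnalyzeBuggy(TypeObject *type, bool giveUp) {
    NewScript *script = type->newScript;
    if (!script) return 0;
    definitePropertiesStep(type, giveUp);
    return finishAnalysis(script);
}

/* FIXED: re-reads the owning pointer after the step and stops if it was cleared. */
static int maybeAnalyzeFixed(TypeObject *type, bool giveUp) {
    if (!type->newScript) return 0;
    definitePropertiesStep(type, giveUp);
    NewScript *script = type->newScript;
    if (!script) return -1;   /* cleared during analysis: nothing left to analyze */
    return finishAnalysis(script);
}

typedef struct DemoResult {
    int result;        /* return value of the analysis */
    int invalidFrees;  /* frees of already-freed blocks seen by the quarantine */
} DemoResult;

/* Runs one variant on a fresh type and reports what the quarantine observed. */
static DemoResult runDemo(bool useFixed, bool giveUp) {
    static const int sample[] = { 3, 0, 5, 0 };   /* constructed: two definite properties */
    TypeObject type = { newScriptCreate(sample, 4) };
    invalidFreeCount = 0;
    DemoResult r;
    r.result = useFixed ? maybeAnalyzeFixed(&type, giveUp) : maybeAnalyzeBuggy(&type, giveUp);
    r.invalidFrees = invalidFreeCount;
    typeClearNewScript(&type);   /* normal teardown; a no-op if already cleared */
    flushQuarantine();
    return r;
}

int main(void) {
    const char *names[] = { "buggy", "fixed" };
    for (int fixed = 0; fixed < 2; fixed++)
        for (int giveUp = 0; giveUp < 2; giveUp++) {
            DemoResult r = runDemo(fixed, giveUp);
            printf("%s, step clears script=%d: result=%d, invalid frees=%d\n",
                   names[fixed], giveUp, r.result, r.invalidFrees);
        }
    return 0;
}
```

Only the buggy variant with the sub-step clearing the script produces an invalid free; the fixed variant returns -1 in that case and touches nothing it no longer owns. In a real heap the same stale use is what glibc's consistency checks caught here, and what a sanitizer (ASan's quarantine works the same way) would report as a use-after-free and double-free with both stacks.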
Updated • 10 years ago
Attachment #8485062 - Flags: review?(jdemooij) → review+
Comment 5 • Assignee • 10 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/03a2332edcee
Comment 6 • 10 years ago
https://hg.mozilla.org/mozilla-central/rev/03a2332edcee
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla35
Updated • Reporter • 10 years ago
Status: RESOLVED → VERIFIED
Comment 7 • Reporter • 10 years ago
JSBugMon: This bug has been automatically verified fixed.
Comment 10 • 10 years ago
Why was this checked in without going through sec-approval? https://wiki.mozilla.org/Security/Bug_Approval_Process Does it only affect trunk? Dates would indicate Aurora, at least.
Updated • 10 years ago
Flags: needinfo?(dveditz) → needinfo?(bhackett1024)
Comment 11 • Assignee • 10 years ago
This is a regression from bug 1041688, and only affects trunk.
Flags: needinfo?(bhackett1024)
Updated • 10 years ago
status-firefox34: --- → unaffected
status-firefox-esr31: --- → unaffected
Updated • 9 years ago
Group: core-security