Closed Bug 1063180 Opened 10 years ago Closed 10 years ago

Crash with glibc-detected free on invalid pointer [@ maybeAnalyze]

Categories: Core :: JavaScript Engine, defect
Platform: x86_64 Linux
Priority: Not set
Severity: critical

Tracking: VERIFIED FIXED, target milestone mozilla35
Tracking Status:
firefox34 --- unaffected
firefox35 --- verified
firefox-esr31 --- unaffected

People: Reporter: decoder, Assigned: bhackett1024

Details: 4 keywords, Whiteboard: [jsbugmon:update]

Attachments: 1 file

The following testcase crashes on mozilla-central revision 776fa9cf70cd (run with --no-threads --fuzzing-safe --baseline-eager):


function TestCase( e, a) {
  this.passed = getTestCaseResult(e, a);
}
function reportCompare (actual) {
  new TestCase( '', actual);
}
function getTestCaseResult(expected, actual) {}
function writeTestCaseResult( expect, actual ) {}
var lfcode = new Array();
lfcode.push = loadFile;
parseInt("4");
lfcode.push("\
new TestCase(true, eval(\"var OBJ = new MyObject(true); OBJ.valueOf()\") );\
function MyObject( value ) {}\
");
lfcode.push("var testcase =  new TestCase(getTestCaseResult,'x');");
lfcode.push("\
var TIME_0000  = (function () {})();\
var TIME_NOW = now.valueOf();\
");
lfcode.push("\
addTestCase( TIME_NOW );\
addTestCase( TIME_0000 );\
function addTestCase( t ) {\
  for ( m = 0; m <= 60; m+=10 )\
    new TestCase( '', (new Date(t)).getSeconds() );\
}\
actual = (Date.prototype.test instanceof Date);\
reportCompare(actual);\
reportCompare(actual);\
reportCompare(actual);\
reportCompare(actual);\
reportCompare(actual);\
");
function loadFile(lfVarx) {
    try {
        evaluate(lfVarx);
    } catch (lfVare) {}
}
Backtrace:

*** glibc detected *** debug64/js/src/shell/js: free(): invalid pointer: 0x00007ffff6f89778 ***

Program received signal SIGABRT, Aborted.
0x00007ffff6c07425 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#0  0x00007ffff6c07425 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007ffff6c0ab8b in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x00007ffff6c4539e in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#3  0x00007ffff6c4fb96 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#4  0x00000000009662fd in js_free (p=<optimized out>) at ../../dist/include/js/Utility.h:123
#5  maybeAnalyze (regenerate=<optimized out>, type=<optimized out>, cx=<optimized out>, this=<optimized out>, force=<optimized out>) at js/src/jsinfer.cpp:3932
#6  js::CreateThisForFunctionWithProto (cx=0x7fffffff9eb0, callee=..., proto=0x7ffff57490a0, newKind=26620448) at js/src/jsobj.cpp:1803
#7  0x0000000000966cc2 in js::CreateThisForFunction (cx=0x1963220, callee=..., newKind=js::MaybeSingletonObject) at js/src/jsobj.cpp:1840


Marking sec-critical due to invalid-free.
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/a1b25f21fe08
user:        Brian Hackett
date:        Tue Sep 02 13:47:34 2014 -0600
summary:     Bug 1041688 - Add acquired properties analysis, r=jandem.

This iteration took 394.411 seconds to run.
Needinfo from Brian, based on comment 2 :)
Flags: needinfo?(bhackett1024)
Attached patch: patch
If the definite properties analysis cleared the new script from the type it was analyzing, the remainder of the new script properties analysis would blithely continue using that freed data.
Assignee: nobody → bhackett1024
Attachment #8485062 - Flags: review?(jdemooij)
Flags: needinfo?(bhackett1024)
Attachment #8485062 - Flags: review?(jdemooij) → review+
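To make the bug class concrete, the following is an added example (my own code, not SpiderMonkey's and not the attached patch) modelling the pattern described in the patch comment: a caller caches a pointer to a record the type group owns, calls an analysis step that may release that record, and keeps using the cached pointer. Every name here (TypeGroup, NewScript, maybe_analyze, create_this_buggy, create_this_fixed) is an assumption, and a small fixed pool stands in for the heap so the stale read is observable without a sanitizer.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical, much simplified model of a type group that owns a
 * "new script" analysis record which the definite-properties analysis may
 * discard part-way through. Names are assumptions, not the engine's. */

#define NS_LIVE 0x4c495645u   /* record is valid */
#define NS_DEAD 0x44454144u   /* record has been released */

typedef struct NewScript {
    unsigned magic;      /* instrumentation so a stale read is observable */
    int definite_props;  /* number of definite properties found so far */
} NewScript;

typedef struct TypeGroup {
    NewScript *new_script;  /* owned; NULL once the analysis gives up */
} TypeGroup;

/* Tiny fixed pool standing in for the heap. Released records stay
 * addressable but are marked NS_DEAD, which is what lets the stale access
 * below be seen deterministically. With a real allocator the same read is a
 * heap-use-after-free that ASan reports and that glibc may abort on at the
 * next free(), as in the backtrace above. */
#define POOL_SIZE 8
static NewScript pool[POOL_SIZE];

static NewScript *ns_alloc(int definite_props) {
    for (int i = 0; i < POOL_SIZE; i++) {
        if (pool[i].magic != NS_LIVE) {   /* reuse any free or released slot */
            pool[i].magic = NS_LIVE;
            pool[i].definite_props = definite_props;
            return &pool[i];
        }
    }
    return NULL;
}

static void ns_free(NewScript *ns) {
    ns->magic = NS_DEAD;   /* contents are left in place, like a real free() */
}

/* Drop the group's new script: the analysis decided the constructor is not
 * worth tracking. This is the path that frees data a caller may still hold. */
static void clear_new_script(TypeGroup *group) {
    if (group->new_script) {
        ns_free(group->new_script);
        group->new_script = NULL;
    }
}

/* Stand-in for the analysis step. `gives_up` models the analysis deciding to
 * clear the new script; the real decision depends on the script's shape. */
static void maybe_analyze(TypeGroup *group, bool gives_up) {
    if (gives_up)
        clear_new_script(group);
}

/* Buggy pattern: cache the pointer, call something that may free it, then
 * keep using the cached copy. Returns -1 when the stale record is observed. */
static int create_this_buggy(TypeGroup *group, bool gives_up) {
    NewScript *ns = group->new_script;   /* cached before the call */
    maybe_analyze(group, gives_up);      /* may release *ns */
    if (ns == NULL)
        return 0;
    return ns->magic == NS_LIVE ? ns->definite_props : -1;  /* stale read */
}

/* Fixed pattern: re-read the owner's field after any call that can clear it,
 * and treat NULL as "no analysis available" rather than dereferencing. */
static int create_this_fixed(TypeGroup *group, bool gives_up) {
    maybe_analyze(group, gives_up);
    NewScript *ns = group->new_script;   /* re-fetched after the call */
    if (ns == NULL)
        return 0;
    return ns->definite_props;
}

static TypeGroup make_group(int definite_props) {
    TypeGroup g;
    g.new_script = ns_alloc(definite_props);
    return g;
}

/* Run one scenario on a fresh group whose record holds 3 definite properties. */
static int demo_buggy(bool gives_up) {
    TypeGroup g = make_group(3);
    return create_this_buggy(&g, gives_up);
}

static int demo_fixed(bool gives_up) {
    TypeGroup g = make_group(3);
    return create_this_fixed(&g, gives_up);
}

int main(void) {
    printf("buggy, analysis clears new script: %d\n", demo_buggy(true));
    printf("fixed, analysis clears new script: %d\n", demo_fixed(true));
    return 0;
}
```

The point of the fixed variant is not the NULL check by itself but where the pointer is read: any pointer into owner-managed storage that was taken before a call capable of clearing that storage has to be treated as dead after the call. Swapping the pool for malloc/free and building with -fsanitize=address turns the buggy path into an ASan heap-use-after-free report.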
https://hg.mozilla.org/mozilla-central/rev/03a2332edcee
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla35
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Does this impact ESR?
Flags: needinfo?(dveditz)
Why was this checked in without going through sec-approval? 

https://wiki.mozilla.org/Security/Bug_Approval_Process

Does it only affect trunk?

Dates would indicate Aurora, at least.
Flags: needinfo?(dveditz) → needinfo?(bhackett1024)
This is a regression from bug 1041688, and only affects trunk.
Flags: needinfo?(bhackett1024)
Group: core-security