Closed Bug 1110359 Opened 10 years ago Closed 10 years ago

Invalid write of size 4 in clone() on browser shutdown

Categories

(Firefox :: Untriaged, defect)

34 Branch
x86_64
Linux
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: mitchwharper, Unassigned)

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:34.0) Gecko/20100101 Firefox/34.0
Build ID: 20141210200223

Steps to reproduce:

Was attempting to repro other bugs, browser started hanging so I killed Valgrind, and as it was closing I got this complaint. As it's on shutdown it might not be a big concern.

Ran 34.0.5 through `G_SLICE=always-malloc valgrind --tool=memcheck --vex-iropt-register-updates=allregs-at-mem-access --smc-check=all-non-file ./firefox` built with mozconfig

mk_add_options MOZ_MAKE_FLAGS="-j4"
mk_add_options MOZ_OBJDIR=@TOPSRCDIR@/ff-opt-g
ac_add_options --disable-tests
ac_add_options --enable-optimize="-g -Og"
ac_add_options --disable-jemalloc
ac_add_options --enable-valgrind
ac_add_options --enable-debug-symbols


Actual results:

Valgrind complaint (attached is a longer trace with thread status):

==13706== Thread 46 Shutdow~minator:
==13706== Invalid write of size 4
==13706==    at 0x99F6E3B: mozilla::(anonymous namespace)::Run(void*) (nsTerminator.cpp:101)
==13706==    by 0x646CE63: _pt_root (ptthread.c:212)
==13706==    by 0x4E3F181: start_thread (pthread_create.c:312)
==13706==    by 0x595E00C: clone (clone.S:111)
==13706==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==13706== 
==13706== Unsupported clone() flags: 0x800600
==13706== 
==13706== The only supported clone() uses are:
==13706==  - via a threads library (LinuxThreads or NPTL)
==13706==  - via the implementation of fork or vfork
==13706== 
==13706== Valgrind detected that your program requires
==13706== the following unimplemented functionality:
==13706==    Valgrind does not support general clone().
==13706== This may be because the functionality is hard to implement,
==13706== or because no reasonable program would behave this way,
==13706== or because nobody has yet needed it.  In any case, let us know at
==13706== www.valgrind.org and/or try to work around the problem, if you can.
==13706== 
==13706== Valgrind has to exit now.  Sorry.  Bye!
==13706==
Yoric, do you know more about what's going on here? It doesn't sound serious / sec-sensitive to me - more like a valgrind bug, but I'd prefer to be sure. :-)
Flags: needinfo?(dteller)
Well, this is a use of clone() by thread spawning, so this looks like a valgrind bug indeed.
I'm just surprised that it doesn't show up anywhere else in our code.

I don't think it's serious / sec-sensitive at all.
Flags: needinfo?(dteller)
Resolving. Please reopen if you have evidence something actually wrong is going on. :-)
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
OK, I just saw the attempt to write to 0x0 inside the clone method and wanted to make sure there wasn't some sort of use-after-free going on.
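An added example, not part of this bug report or of Mozilla's code: a small Python triage helper that parses memcheck "Invalid read/write" records and classifies each one from Valgrind's own address description, so a write to 0x0 that memcheck reports as "not stack'd, malloc'd or (recently) free'd" is separated from an access inside a freed heap block (the use-after-free case the reporter wanted to rule out). The sample input is constructed: the first record is the trace quoted above; the second is a made-up use-after-free record in memcheck's standard layout (demo.c and its frames are invented for the sample).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input: the first record is the memcheck report quoted in this
# bug; the second is an invented use-after-free record in memcheck's usual layout
# (demo.c is not real). The "Unsupported clone()" line shows chatter being skipped.
SAMPLE = """\
==13706== Thread 46 Shutdow~minator:
==13706== Invalid write of size 4
==13706==    at 0x99F6E3B: mozilla::(anonymous namespace)::Run(void*) (nsTerminator.cpp:101)
==13706==    by 0x646CE63: _pt_root (ptthread.c:212)
==13706==    by 0x4E3F181: start_thread (pthread_create.c:312)
==13706==    by 0x595E00C: clone (clone.S:111)
==13706==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==13706== 
==13706== Unsupported clone() flags: 0x800600
==13706== Invalid read of size 8
==13706==    at 0x400123: use_buffer (demo.c:20)
==13706==    by 0x400456: main (demo.c:40)
==13706==  Address 0x5204040 is 0 bytes inside a block of size 64 free'd
==13706==    at 0x4C2EDEB: free (vg_replace_malloc.c:530)
==13706==    by 0x400100: release_buffer (demo.c:15)
==13706== 
"""

PREFIX = re.compile(r"^==\d+==\s?")                       # "==PID== " on every line
THREAD = re.compile(r"^Thread (\d+) (.+):$")               # thread announcement before a record
HEADER = re.compile(r"^Invalid (read|write) of size (\d+)$")
FRAME = re.compile(r"^\s+(?:at|by) 0x([0-9A-Fa-f]+): (.+?) \(([^()]*)\)$")
ADDRESS = re.compile(r"^\s*Address 0x([0-9A-Fa-f]+) is (.+)$")

Frame = Tuple[int, str, str]   # (instruction address, function, file:line or object)


@dataclass
class MemcheckError:
    kind: str                   # "read" or "write"
    size: int                   # access width in bytes
    thread: Optional[str]       # name from the last "Thread N name:" line seen
    frames: List[Frame] = field(default_factory=list)          # stack of the bad access
    address: Optional[int] = None                              # faulting address
    address_desc: str = ""                                     # memcheck's description of it
    origin_frames: List[Frame] = field(default_factory=list)   # "free'd"/"alloc'd at" stack


def parse_memcheck(text: str) -> List[MemcheckError]:
    """Extract Invalid read/write records from raw memcheck output."""
    errors, current, thread = [], None, None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw, count=1)
        if not line.strip():                 # a blank "==PID==" line closes a record
            if current is not None:
                errors.append(current)
                current = None
            continue
        m = THREAD.match(line)
        if m:
            thread = m.group(2)
            continue
        m = HEADER.match(line)
        if m:
            current = MemcheckError(kind=m.group(1), size=int(m.group(2)), thread=thread)
            continue
        if current is None:                  # chatter outside a record (clone() warnings etc.)
            continue
        m = FRAME.match(line)
        if m:
            frame = (int(m.group(1), 16), m.group(2), m.group(3))
            # Frames after the Address line describe where the block was freed or allocated.
            (current.origin_frames if current.address is not None else current.frames).append(frame)
            continue
        m = ADDRESS.match(line)
        if m:
            current.address = int(m.group(1), 16)
            current.address_desc = m.group(2)
    if current is not None:
        errors.append(current)
    return errors


def classify(err: MemcheckError) -> str:
    """Name the bug class from the address and memcheck's description of it."""
    if err.address is None:
        return "unknown"
    if err.address < 0x1000:                 # first page: null or near-null pointer
        return "null-pointer dereference"
    if "not stack'd, malloc'd or (recently) free'd" in err.address_desc:
        return "wild pointer"                # unmapped or non-heap address, no lifetime info
    if "free'd" in err.address_desc:
        return "use-after-free"
    if "alloc'd" in err.address_desc:
        return "heap buffer overrun"
    return "unknown"


def summarize(text: str) -> List[str]:
    """One triage line per record: bug class, access, top frame, thread."""
    lines = []
    for err in parse_memcheck(text):
        top = f"{err.frames[0][1]} ({err.frames[0][2]})" if err.frames else "?"
        lines.append(f"{classify(err)}: {err.kind} of {err.size} bytes at {top} [thread {err.thread}]")
    return lines
```

Calling `summarize(SAMPLE)` yields one line per record; the first is classified as a null-pointer dereference because memcheck has no heap-lifetime information for address 0x0, while the constructed second record lands in the use-after-free class because the description names a freed block, and its `origin_frames` hold the stack of the `free` call that memcheck prints after the Address line.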
