Bug 1140655 (Closed)
Opened 10 years ago, closed 10 years ago
Intermittent lookupswitch.js | js(44932,0x101f0a000) malloc: *** error for object 0x5a5a5a5a5a5a5a5a: pointer being freed was not allocated (code -6, args "--no-baseline --no-ion")
Categories: Core :: JavaScript Engine, defect
RESOLVED DUPLICATE of bug 1140773
People: Reporter: KWierso, Unassigned
Keywords: csectype-uaf, intermittent-failure, sec-high
14:56:26 INFO - TEST-PASS | tests/jit-test/jit-test/tests/ion/loop-test-fold.js | Success (code 0, args "--baseline-eager")
14:56:26 INFO - TEST-PASS | tests/jit-test/jit-test/tests/ion/loop-test-fold.js | Success (code 0, args "--baseline-eager --no-fpu")
14:56:26 INFO - TEST-PASS | tests/jit-test/jit-test/tests/ion/loop-test-fold.js | Success (code 0, args "--no-baseline --no-ion")
14:56:27 INFO - TEST-PASS | tests/jit-test/jit-test/tests/ion/lsra-bug1112164.js | Success (code 0, args "")
14:56:29 INFO - TEST-PASS | tests/jit-test/jit-test/tests/ion/lsra-bug1112164.js | Success (code 0, args "--ion-eager --ion-offthread-compile=off")
14:56:30 INFO - TEST-PASS | tests/jit-test/jit-test/tests/ion/lsra-bug1112164.js | Success (code 0, args "--ion-eager --ion-offthread-compile=off --ion-check-range-analysis --no-sse3 --no-threads")
14:56:31 INFO - js(44932,0x101f0a000) malloc: *** error for object 0x5a5a5a5a5a5a5a5a: pointer being freed was not allocated
14:56:31 INFO - *** set a breakpoint in malloc_error_break to debug
14:56:31 INFO - Exit code: -6
14:56:31 INFO - FAIL - ion/lookupswitch.js
14:56:31 WARNING - TEST-UNEXPECTED-FAIL | tests/jit-test/jit-test/tests/ion/lookupswitch.js | js(44932,0x101f0a000) malloc: *** error for object 0x5a5a5a5a5a5a5a5a: pointer being freed was not allocated (code -6, args "--no-baseline --no-ion")
14:56:31 INFO - INFO exit-status : -6
14:56:31 INFO - INFO timed-out : False
14:56:31 INFO - INFO stderr 2> js(44932,0x101f0a000) malloc: *** error for object 0x5a5a5a5a5a5a5a5a: pointer being freed was not allocated
14:56:31 INFO - INFO stderr 2> *** set a breakpoint in malloc_error_break to debug
14:56:31 INFO - TEST-PASS | tests/jit-test/jit-test/tests/ion/lsra-bug1112164.js | Success (code 0, args "--baseline-eager")
14:56:32 INFO - TEST-PASS | tests/jit-test/jit-test/tests/ion/lsra-bug1112164.js | Success (code 0, args "--baseline-eager --no-fpu")
14:56:32 INFO - TEST-PASS | tests/jit-test/jit-test/tests/ion/math-imul-folding.js | Success (code 0, args "")
14:56:32 INFO - TEST-PASS | tests/jit-test/jit-test/tests/ion/math-imul-folding.js | Success (code 0, args "--ion-eager --ion-offthread-compile=off")
14:56:33 INFO - TEST-PASS | tests/jit-test/jit-test/tests/ion/math-imul-folding.js | Success (code 0, args "--ion-eager --ion-offthread-compile=off --ion-check-range-analysis --no-sse3 --no-threads")
14:56:33 INFO - TEST-PASS | tests/jit-test/jit-test/tests/ion/math-imul-folding.js | Success (code 0, args "--baseline-eager")
14:56:33 INFO - TEST-PASS | tests/jit-test/jit-test/tests/ion/math-imul-folding.js | Success (code 0, args "--baseline-eager --no-fpu")
14:56:33 INFO - TEST-PASS | tests/jit-test/jit-test/tests/ion/math-imul-folding.js | Success (code 0, args "--no-baseline --no-ion")
14:56:33 INFO - TEST-PASS | tests/jit-test/jit-test/tests/ion/mathFloor.js | Success (code 0, args "")
14:56:33 INFO - TEST-PASS | tests/jit-test/jit-test/tests/ion/mathFloor.js | Success (code 0, args "--ion-eager --ion-offthread-compile=off")
Comment 3•10 years ago
This looks a lot like bug 1139792. I thought that one was a JIT issue, because it failed with --ion-eager, but this one crashed with --no-baseline --no-ion:
14:56:31 WARNING - TEST-UNEXPECTED-FAIL | tests/jit-test/jit-test/tests/ion/lookupswitch.js | js(44932,0x101f0a000) malloc: *** error for object 0x5a5a5a5a5a5a5a5a: pointer being freed was not allocated (code -6, args "--no-baseline --no-ion")
Terrence, can you think of any recent GC/allocation-ish changes that could have caused this?
Component: JavaScript Engine: JIT → JavaScript Engine
Flags: needinfo?(terrence)
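An added example, not part of the bug report or of Mozilla's tooling: a small triage pass over harness lines in the format quoted above. For each unexpected failure it records whether both JIT tiers were disabled and whether the freed "pointer" is a single repeated byte. The third sample line (example.js and its pointer) and the repeated-byte heuristic are assumptions made for illustration.

```python
import re

# Constructed sample: the first two lines follow the log quoted in this bug;
# the third (example.js and its pointer value) is made up for contrast.
SAMPLE_LOG = """\
14:56:30 INFO - TEST-PASS | tests/jit-test/jit-test/tests/ion/lsra-bug1112164.js | Success (code 0, args "--ion-eager --ion-offthread-compile=off")
14:56:31 WARNING - TEST-UNEXPECTED-FAIL | tests/jit-test/jit-test/tests/ion/lookupswitch.js | js(44932,0x101f0a000) malloc: *** error for object 0x5a5a5a5a5a5a5a5a: pointer being freed was not allocated (code -6, args "--no-baseline --no-ion")
14:56:33 WARNING - TEST-UNEXPECTED-FAIL | tests/jit-test/jit-test/tests/ion/example.js | js(44940,0x101f0a000) malloc: *** error for object 0x7f8a1c403a10: pointer being freed was not allocated (code -6, args "--ion-eager --ion-offthread-compile=off")
"""

# Failure line: ... TEST-UNEXPECTED-FAIL | <test> | <message> (code N, args "...")
FAIL_RE = re.compile(
    r'TEST-UNEXPECTED-FAIL \| (?P<test>\S+) \| (?P<msg>.*) '
    r'\(code (?P<code>-?\d+), args "(?P<args>[^"]*)"\)')
PTR_RE = re.compile(r"error for object 0x([0-9a-fA-F]+)")


def is_fill_pattern(hex_digits):
    """True when the value is one byte repeated (at least 4 bytes long)."""
    if len(hex_digits) % 2:
        hex_digits = "0" + hex_digits
    raw = bytes.fromhex(hex_digits)
    return len(raw) >= 4 and len(set(raw)) == 1


def triage(log):
    """Return one record per unexpected failure found in the log text."""
    findings = []
    for line in log.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue
        ptr = PTR_RE.search(m["msg"])
        flags = m["args"].split()
        findings.append({
            "test": m["test"],
            "exit_code": int(m["code"]),
            "pointer": "0x" + ptr.group(1) if ptr else None,
            # Assumption: a repeated-byte "address" is fill data, not a heap pointer.
            "fill_pattern": bool(ptr) and is_fill_pattern(ptr.group(1)),
            # Both JIT tiers were disabled for this run.
            "jit_disabled": "--no-baseline" in flags and "--no-ion" in flags,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```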
Comment 4•10 years ago
Btw this bug and bug 1139792 were both on OS X 10.6.
I had no luck reproducing bug 1139792 on 10.10 after running that test 5000 times, but maybe we can try on a 10.6 slave...
Comment 5•10 years ago
Nothing jumps out at me. It doesn't immediately look like a compacting issue because it is a malloc pointer. A double-free or memory corruption in the COW array logic would be likely to bite us more frequently and not just on 10.6. Moreover, the tests don't appear to share much other than array_push, and that code appears to be doing the right thing. If we could get a C++ stack, maybe it would be clearer. Perhaps it's time to invest in that infrastructure?
Flags: needinfo?(terrence)
Updated•10 years ago
Keywords: csectype-uaf, sec-high
Comment 9•10 years ago
cc'd Mason, who backed himself out over this failure.
Comment 15•10 years ago
This is likely a duplicate of bug 1140773, which was fixed yesterday.
The symptoms are very similar; a GC race condition could explain why this crashed intermittently and only on 10.6, and it started happening a few days after bug 1122640 landed.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Updated•10 years ago
Group: core-security → core-security-release
Updated•9 years ago
Group: core-security-release