Closed Bug 299593 Opened 19 years ago Closed 19 years ago

Invalid read of size 4 in anyname_finalize

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.8beta3

People

(Reporter: ajschult784, Assigned: brendan)

References

Details

(Keywords: js1.5, regression)

Attachments

(2 files, 2 obsolete files)

debug patch
1.01 KB, patch
Details | Diff | Splinter Review
the right fix
6.83 KB, patch
bzbarsky
: review+
shaver
: superreview+
brendan
: approval1.8b3+
Details | Diff | Splinter Review 
At startup valgrind sees the folowing in suite trunk:

Invalid read of size 4
 anyname_finalize (jsxml.c:406)
 js_FinalizeObject (jsobj.c:2044)
 js_GC (jsgc.c:1831)
 js_ForceGC (jsgc.c:1502)
 js_DestroyContext (jscntxt.c:284)
 JS_DestroyContext (jsapi.c:945)
 XPCJSContextStack::SetSafeJSContext(JSContext*) (xpcthreadcontext.cpp:188)
 nsXPCThreadJSContextStackImpl::SetSafeJSContext(JSContext*)
(xpcthreadcontext.cpp:344)
 nsAppShellService::SetXPConnectSafeContext() (nsAppShellService.cpp:121)
 nsAppShellService::CreateHiddenWindow(nsIAppShell*) (nsAppShellService.cpp:195)
 nsAppStartup::CreateHiddenWindow() (nsAppStartup.cpp:152)
 main1(int, char**, nsISupports*) (nsAppRunner.cpp:1175)
Address 0x34705C70 is 8 bytes inside a block of size 24 free'd
 free (vg_replace_malloc.c:152)
 js_free_atom (jsatom.c:252)
 JS_HashTableRawRemove (jshash.c:280)
 JS_HashTableEnumerateEntries (jshash.c:382)
 js_SweepAtomState (jsatom.c:493)
 js_GC (jsgc.c:1804)
 js_ForceGC (jsgc.c:1502)
 js_DestroyContext (jscntxt.c:284)
 JS_DestroyContext (jsapi.c:945)
 XPCJSContextStack::SetSafeJSContext(JSContext*) (xpcthreadcontext.cpp:188)
 nsXPCThreadJSContextStackImpl::SetSafeJSContext(JSContext*)
(xpcthreadcontext.cpp:344)
 nsAppShellService::SetXPConnectSafeContext() (nsAppShellService.cpp:121)

the error is occuring in code from the last attachment of bug 294893.  valgrind
does not complain with builds from 6/30 or before.  The actual piece of memory
it's not happy about is 

ATOM_KEY(rt->atomState.lazy.anynameAtom)
Attached patch attempt at fix (obsolete) — Splinter Review 
Is the suite using some kind of turbo, or shutdown-all-JSContexts mode?  Or
maybe this is just finalization order differing between Firefox and the suite? 
Anyway, if this patch works, please comment and I'll check it in.

/be
Attached patch debug patchSplinter Review 
> Is the suite using some kind of turbo, or shutdown-all-JSContexts mode?  Or
> maybe this is just finalization order differing between Firefox and the
suite?

I tested firefox and it has the same problem.  Also, this is at startup rather
than shutdown.

> Anyway, if this patch works, please comment and I'll check it in.

That won't help because anynameAtom isn't NULL.  The problem is that
|anynameAtom->entry| was already freed.  Apply the attached patch.  At startup
it will say "oops".
Attached patch fix (obsolete) — Splinter Review 
Double-review so bz can join the club, and to share the love.

rt->atomState.lazy.* must be strong refs to lazily *pinned* atoms (there's no
such thing as an engine-supported weak ref to an atom, really).  But for
anyname and functionNamespace, we don't need or want atoms as middlemen -- we
just want weak, lazily-set refs from the runtime to these two objects.

/be
Attachment #188165 - Attachment is obsolete: true
Attachment #188386 - Flags: superreview?(shaver)
Attachment #188386 - Flags: review?(bzbarsky)
Attachment #188386 - Flags: approval1.8b3+
Status: NEW → ASSIGNED
Flags: blocking1.8b3+
Keywords: js1.5
OS: Linux → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.8beta3
Comment on attachment 188386 [details] [diff] [review]
fix

> JSBool
> js_GetFunctionNamespace(JSContext *cx, jsval *vp)
> {
>     JSRuntime *rt;
>+    JSObject *obj;
>     JSAtom *atom;
>     JSString *prefix, *uri;
>-    JSObject *obj;
> 
>     /* An invalid URI, for internal use only, guaranteed not to collide. */
>     static const char anti_uri[] = "@mozilla.org/js/function";
> 
>     rt = cx->runtime;
>-    atom = rt->atomState.lazy.functionNamespaceAtom;
>-    if (!atom) {
>+    obj = rt->functionNamespaceObject;
>+    if (!obj) {
>         atom = js_Atomize(cx, js_function_str, 8, 0);
>         JS_ASSERT(atom);
>         prefix = ATOM_TO_STRING(atom);
> 
>         atom = js_Atomize(cx, anti_uri, sizeof anti_uri - 1, ATOM_PINNED);
>         if (!atom)
>             return JS_FALSE;
>         rt->atomState.lazy.functionNamespaceURIAtom = atom;
> 
>         uri = ATOM_TO_STRING(atom);
>         obj = js_NewXMLNamespaceObject(cx, prefix, uri, JS_FALSE);
>         if (!obj)
>             return JS_FALSE;
> 
>-        atom = js_AtomizeObject(cx, obj, 0);
>-        if (!atom)
>-            return JS_FALSE;
>-        rt->atomState.lazy.functionNamespaceAtom = atom;
>+        rt->functionNamespaceObject = obj;
>     }
>     *vp = ATOM_KEY(atom);
>     return JS_TRUE;
> }

On the second run through, when |obj| is non-null, it looks like we'll use an
uninitialized |atom| to fill |*vp|.
Attachment #188386 - Flags: superreview?(shaver)
Attachment #188386 - Flags: superreview-
Attachment #188386 - Flags: review?(bzbarsky)
Comment on attachment 188386 [details] [diff] [review]
fix

Wrong patch, forgot to rediff after fixing.

/be
Attachment #188386 - Attachment is obsolete: true
Attachment #188386 - Flags: approval1.8b3+
Attached patch the right fixSplinter Review 
Pre-approving, ever the optimist ;-).  Actually, I'd already tested this with
the e4x suite and by hand (e4x suite doesn't use
<xml/>.function::toXMLString(), e.g.) and all was well.  Just didn't update the
uploaded diff.

/be
Attachment #188390 - Flags: superreview?(shaver)
Attachment #188390 - Flags: review?(bzbarsky)
Attachment #188390 - Flags: approval1.8b3+
Comment on attachment 188390 [details] [diff] [review]
the right fix

r=shaver.
Attachment #188390 - Flags: superreview?(shaver) → superreview+
Comment on attachment 188390 [details] [diff] [review]
the right fix

Ah, this is much happier!
Attachment #188390 - Flags: review?(bzbarsky) → review+
Fixed.

/be
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Flags: testcase-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: