Closed Bug 631948 Opened 13 years ago Closed 13 years ago

Valgrind reports an invalid delete at startup in Firefox with the Firebug add-on enabled

Categories

Product / Component: Core :: JavaScript Engine
Type: defect
Version: 1.9.2 Branch
Platform: x86_64 Linux
Priority: Not set
Severity: normal

Tracking


RESOLVED DUPLICATE of bug 530812

People

(Reporter: martybarbella, Unassigned)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101206 Ubuntu/10.04 (lucid) Firefox/3.6.13
Build Identifier: Mozilla Firefox 3.6.13

The following error is reported at startup when running Firefox with the Firebug add-on enabled in valgrind. No other add-ons were enabled, and it does not occur with Firebug disabled.

==24553== Invalid free() / delete / delete[]
==24553==    at 0x4C26DCF: operator delete(void*) (vg_replace_malloc.c:387)
==24553==    by 0x5C52EBA: jsdService::RemoveFilter(jsdIFilter*) (jsd_xpc.cpp:2878)
==24553==    by 0x5E48424: NS_InvokeByIndex_P (xptcinvoke_x86_64_unix.cpp:208)
==24553==    by 0x555A7BD: XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) (xpcwrappednative.cpp:2722)
==24553==    by 0x5562DFC: XPC_WN_CallMethod(JSContext*, JSObject*, unsigned int, long*, long*) (xpcwrappednativejsops.cpp:1740)
==24553==    by 0x67EB8E3: js_Invoke (jsinterp.cpp:1360)
==24553==    by 0x67DD5E3: js_Interpret (jsops.cpp:2240)
==24553==    by 0x67EBDD4: js_Invoke (jsinterp.cpp:1368)
==24553==    by 0x67D3119: js_fun_apply (jsfun.cpp:2046)
==24553==    by 0x67E341A: js_Interpret (jsops.cpp:2208)
==24553==    by 0x67EBDD4: js_Invoke (jsinterp.cpp:1368)
==24553==    by 0x67D3119: js_fun_apply (jsfun.cpp:2046)
==24553==  Address 0x2208c480 is not stack'd, malloc'd or (recently) free'd

Reproducible: Always

Steps to Reproduce:
1. Enable the Firebug add-on in Firefox
2. Run Firefox with valgrind (e.g. firefox -d valgrind -g) and note the error
Actual Results:
Firefox attempts to delete an invalid pointer.

Expected Results:
Firefox probably shouldn't try to delete an invalid pointer.

I didn't bother reporting this as a security bug since the user appears to have no control over the address in question. I have tested this on Ubuntu 10.04 64-bit with Firefox 3.6.13 and Firebug 1.6.1, as well as Ubuntu 10.10 32-bit with Firefox 3.6.13 and Firebug 1.6.1.

Offhand, I can't see where we're doing thread locking for this list, which is rather scary.

We're also doing straight pointer comparisons on XPCOM pointers, which is probably a bad idea -- we might need to do a COM Compare.

But the problem actually appears to be a mismatch between PR_NEWZAP(FilterRecord) and delete (FilterRecord*) filter. This was fixed for Firefox 4.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Version: unspecified → 1.9.2 Branch
Component: JavaScript Debugging/Profiling APIs → JavaScript Engine
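The allocate/release pairing bug named in the comment above (a record obtained through PR_NEWZAP, which is a zero-filled C-heap allocation, later handed to C++ `delete`), modelled in added example code that is not from jsd_xpc.cpp or the Mozilla tree. `FilterRecord`'s fields, `FilterList`, `allocRecordZap` and the other names are assumptions made for the illustration; the example keeps the wrong pairing visible for contrast but never calls it, and shows the mitigation of encoding the deallocator in the pointer type, plus a remove path that refuses addresses the list never owned.

```cpp
// Added illustration of the allocator-pairing bug behind this report.
// Not code from jsd_xpc.cpp; FilterRecord's fields are made up.
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <memory>
#include <vector>

// Hypothetical stand-in for the jsd filter record.
struct FilterRecord {
    uint32_t flags;
    uint32_t startLine;
    uint32_t endLine;
};

// Models NSPR's PR_NEWZAP(FilterRecord): a zero-filled block from the C heap.
static FilterRecord* allocRecordZap() {
    return static_cast<FilterRecord*>(std::calloc(1, sizeof(FilterRecord)));
}

// The mismatch the comment describes: a calloc'd block released with C++ delete.
// Undefined behaviour; valgrind's memcheck flags it. Shown for contrast, never called.
void releaseRecordWrong(FilterRecord* r) {
    delete r;
}

// Matching release for allocRecordZap (PR_Free in NSPR terms).
static void releaseRecordRight(FilterRecord* r) {
    std::free(r);
}

// Encode the deallocator in the type so the pairing is fixed at the point of
// allocation: a unique_ptr whose deleter always goes back through free().
struct CHeapDeleter {
    void operator()(FilterRecord* r) const noexcept { releaseRecordRight(r); }
};
using RecordPtr = std::unique_ptr<FilterRecord, CHeapDeleter>;

// Minimal filter list with the same add/remove shape as the stack trace.
class FilterList {
public:
    // Returns the raw record pointer the caller later passes to removeFilter,
    // or nullptr when allocation fails.
    FilterRecord* addFilter(uint32_t flags, uint32_t start, uint32_t end) {
        RecordPtr rec(allocRecordZap());
        if (!rec) return nullptr;
        rec->flags = flags;
        rec->startLine = start;
        rec->endLine = end;
        FilterRecord* raw = rec.get();
        records_.push_back(std::move(rec));
        return raw;
    }

    // Releases only records this list owns; returns false for any other
    // address rather than freeing memory it never allocated.
    bool removeFilter(FilterRecord* target) {
        for (auto it = records_.begin(); it != records_.end(); ++it) {
            if (it->get() == target) {
                records_.erase(it);   // CHeapDeleter runs free(): matched pairing
                return true;
            }
        }
        return false;
    }

    std::size_t size() const { return records_.size(); }

private:
    std::vector<RecordPtr> records_;
};

// Small driver so the block runs on its own: a stale pointer and a stack
// object are both rejected instead of being freed.
static bool demo() {
    FilterList list;
    FilterRecord* a = list.addFilter(1, 10, 20);
    FilterRecord* b = list.addFilter(2, 30, 40);
    bool removedA = list.removeFilter(a);
    bool removedStale = list.removeFilter(a);   // already gone: no double free
    FilterRecord bogus{};                       // never owned by the list
    bool removedBogus = list.removeFilter(&bogus);
    return removedA && !removedStale && !removedBogus && list.size() == 1 && b != nullptr;
}

int main() {
    return demo() ? 0 : 1;
}
```

The design point is that the release routine is chosen by the type that owns the pointer, not by whoever happens to write the remove call; a `delete` on a `RecordPtr`'s payload no longer exists as a code path, and the pairing is checked once, in `CHeapDeleter`.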