Bug 631948 (Closed)
Opened 13 years ago
Closed 13 years ago
Valgrind reports an invalid delete at startup in Firefox with the Firebug add-on enabled
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED DUPLICATE of bug 530812
Reporter: martybarbella, Unassigned
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101206 Ubuntu/10.04 (lucid) Firefox/3.6.13
Build Identifier: Mozilla Firefox 3.6.13

The following error is reported at startup when running Firefox with the Firebug add-on enabled in valgrind. No other add-ons were enabled, and it does not occur with Firebug disabled.

==24553== Invalid free() / delete / delete[]
==24553==    at 0x4C26DCF: operator delete(void*) (vg_replace_malloc.c:387)
==24553==    by 0x5C52EBA: jsdService::RemoveFilter(jsdIFilter*) (jsd_xpc.cpp:2878)
==24553==    by 0x5E48424: NS_InvokeByIndex_P (xptcinvoke_x86_64_unix.cpp:208)
==24553==    by 0x555A7BD: XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) (xpcwrappednative.cpp:2722)
==24553==    by 0x5562DFC: XPC_WN_CallMethod(JSContext*, JSObject*, unsigned int, long*, long*) (xpcwrappednativejsops.cpp:1740)
==24553==    by 0x67EB8E3: js_Invoke (jsinterp.cpp:1360)
==24553==    by 0x67DD5E3: js_Interpret (jsops.cpp:2240)
==24553==    by 0x67EBDD4: js_Invoke (jsinterp.cpp:1368)
==24553==    by 0x67D3119: js_fun_apply (jsfun.cpp:2046)
==24553==    by 0x67E341A: js_Interpret (jsops.cpp:2208)
==24553==    by 0x67EBDD4: js_Invoke (jsinterp.cpp:1368)
==24553==    by 0x67D3119: js_fun_apply (jsfun.cpp:2046)
==24553==  Address 0x2208c480 is not stack'd, malloc'd or (recently) free'd

Reproducible: Always

Steps to Reproduce:
1. Enable the Firebug add-on in Firefox
2. Run Firefox with valgrind (e.g. firefox -d valgrind -g) and note the error

Actual Results: Firefox attempts to delete an invalid pointer.

Expected Results: Firefox probably shouldn't try to delete an invalid pointer.

I didn't bother reporting this as a security bug since the user appears to have no control over the address in question.

I have tested this on Ubuntu 10.04 64-bit with Firefox 3.6.13 and Firebug 1.6.1, as well as Ubuntu 10.10 32-bit with Firefox 3.6.13 and Firebug 1.6.1.
Offhand, I can't see where we're doing thread locking for this list, which is rather scary. We're also doing straight pointer comparisons on XPCOM pointers, which is probably a bad idea -- we might need to do a COM compare. But the problem actually appears to be a mismatch between PR_NEWZAP(FilterRecord) and delete (FilterRecord*) filter. This was fixed for FF4.
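The allocator/deallocator mismatch diagnosed in the comment above, as an added C++ model that is not code from jsd_xpc.cpp or any Mozilla tree: a list of FilterRecord nodes allocated with calloc (standing in for NSPR's PR_NEWZAP, which expands to a zeroed PR_Calloc), one removal routine that wrongly releases a node with delete, and one that pairs the allocation with free. The Filter, FilterRecord and FilterList types and every function name here are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdlib>

// Stand-in for a jsdIFilter; only its identity matters to the list.
struct Filter {
    int id;
};

// Stand-in for FilterRecord. PR_NEWZAP(type) yields zeroed PR_Calloc memory,
// i.e. malloc-family memory, so this model allocates the same way.
struct FilterRecord {
    Filter* filter;
    FilterRecord* next;
};

struct FilterList {
    FilterRecord* head = nullptr;
};

// Allocation side: calloc, mirroring PR_NEWZAP.
FilterRecord* new_record(Filter* f) {
    FilterRecord* rec = static_cast<FilterRecord*>(calloc(1, sizeof(FilterRecord)));
    if (rec) rec->filter = f;
    return rec;
}

bool add_filter(FilterList& list, Filter* f) {
    FilterRecord* rec = new_record(f);
    if (!rec) return false;
    rec->next = list.head;
    list.head = rec;
    return true;
}

// Unlink and return the record holding |f|, or nullptr if it is not listed.
// Raw pointer equality is fine for this plain struct; the comment above notes
// that XPCOM interface pointers would need a COM identity comparison instead.
FilterRecord* unlink_record(FilterList& list, Filter* f) {
    for (FilterRecord** link = &list.head; *link; link = &(*link)->next) {
        if ((*link)->filter == f) {
            FilterRecord* rec = *link;
            *link = rec->next;
            return rec;
        }
    }
    return nullptr;
}

// MISMATCHED: calloc memory released with delete, the pattern the bug
// describes. Run only under ASan (reported as alloc-dealloc-mismatch) or
// Valgrind memcheck (reported as a mismatched free/delete); never call it
// in production code.
bool remove_filter_mismatched(FilterList& list, Filter* f) {
    FilterRecord* rec = unlink_record(list, f);
    if (!rec) return false;
    delete rec;  // wrong deallocator for calloc / PR_Calloc memory
    return true;
}

// MATCHED: free pairs with calloc, just as PR_Free pairs with PR_NEWZAP.
bool remove_filter(FilterList& list, Filter* f) {
    FilterRecord* rec = unlink_record(list, f);
    if (!rec) return false;
    free(rec);
    return true;
}

size_t filter_count(const FilterList& list) {
    size_t n = 0;
    for (const FilterRecord* rec = list.head; rec; rec = rec->next) ++n;
    return n;
}

void clear_filters(FilterList& list) {
    while (list.head) remove_filter(list, list.head->filter);
}

int main() {
    Filter a{1}, b{2};
    FilterList list;
    add_filter(list, &a);
    add_filter(list, &b);
    remove_filter(list, &a);              // matched pair: clean under ASan/Valgrind
    // remove_filter_mismatched(list, &b); // uncomment under a sanitizer to see the report
    clear_filters(list);
    return filter_count(list) == 0 ? 0 : 1;
}
```

Build with `g++ -fsanitize=address` or run the binary under `valgrind` and enable the commented-out call to see the mismatched variant reported; glibc alone may accept the bad delete silently, which is why this class of bug tends to surface only in instrumented runs like the reporter's.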
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Version: unspecified → 1.9.2 Branch
Updated 13 years ago
Component: JavaScript Debugging/Profiling APIs → JavaScript Engine