739694 - Crash [@ malloc_consolidate] through [@ js_realloc]

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following test crashes on mozilla-central revision c3cb87871829 (options -m -n):


function newFunc(x) { new Function(x)(); }; try { newFunc("\
var g = newGlobal('new-compartment');\
g.h = function () {\
    names = foo.blaaaaaaaaaaaaah().environment.names();\
};\
g.eval('var obj = {a: 1};' + \"with ({a: 1, '0xcafe': 2, ' ': 3, '': 4, '0': 5}) h();\");\
");
} catch(exc1) {}
function newFunc(x) { new Function(x)(); }; newFunc("\
gczeal(2);\
  a=b=c=d=0; this.__defineGetter__('g', gc); for each (y in this);\
");


Valgrind shows:

==13325== Invalid write of size 1
==13325==    at 0x81D39C4: js::MarkScriptFilename(char const*) (jsscript.cpp:885)
==13325==    by 0x80DCDA0: exn_trace(JSTracer*, JSObject*) (jsexn.cpp:466)
==13325==    by 0x810C5A9: js::GCMarker::processMarkStackTop(js::SliceBudget&) (jsgcmark.cpp:1076)
==13325==    by 0x810C727: js::GCMarker::drainMarkStack(js::SliceBudget&) (jsgcmark.cpp:1119)
==13325==    by 0x80F5EBC: MarkAndSweep(JSContext*, js::JSGCInvocationKind) (jsgc.cpp:3299)
==13325==    by 0x80F6E04: GCCycle(JSContext*, JSCompartment*, long long, js::JSGCInvocationKind) (jsgc.cpp:3656)
==13325==    by 0x80F7166: Collect(JSContext*, JSCompartment*, long long, js::JSGCInvocationKind, js::gcreason::Reason) (jsgc.cpp:3749)
==13325==    by 0x80F72F8: js::GC(JSContext*, JSCompartment*, js::JSGCInvocationKind, js::gcreason::Reason) (jsgc.cpp:3770)
==13325==    by 0x80F1FD8: js::gc::RunLastDitchGC(JSContext*, js::gcreason::Reason) (jsgc.cpp:1700)
==13325==    by 0x80F7E30: js::gc::RunDebugGC(JSContext*) (jsgc.cpp:3993)
==13325==    by 0x80A3168: JSObject* js::gc::NewGCThing<JSObject>(JSContext*, js::gc::AllocKind, unsigned int) (jsgcinlines.h:415)
==13325==    by 0x8094551: js_NewGCObject(JSContext*, js::gc::AllocKind) (jsgcinlines.h:461)
==13325==  Address 0x6bd5a90 is 0 bytes inside a block of size 8 free'd
==13325==    at 0x48D8C02: free (vg_replace_malloc.c:366)
==13325==    by 0x804A950: js_free (Utility.h:190)
==13325==    by 0x804A967: js::Foreground::free_(void*) (Utility.h:604)
==13325==    by 0x81D3ACE: js::FreeScriptFilenames(JSCompartment*) (jsscript.cpp:908)
==13325==    by 0x80C07AB: JSCompartment::~JSCompartment() (jscompartment.cpp:105)
==13325==    by 0x80FB872: void JSContext::delete_<JSCompartment>(JSCompartment*) (in /srv/repos/mozilla-central/js/src/debug32/shell/js)
==13325==    by 0x80F49C6: SweepCompartments(JSContext*, js::JSGCInvocationKind) (jsgc.cpp:2932)
==13325==    by 0x80F5B75: SweepPhase(JSContext*, js::JSGCInvocationKind) (jsgc.cpp:3262)
==13325==    by 0x80F5EE4: MarkAndSweep(JSContext*, js::JSGCInvocationKind) (jsgc.cpp:3302)
==13325==    by 0x80F6E04: GCCycle(JSContext*, JSCompartment*, long long, js::JSGCInvocationKind) (jsgc.cpp:3656)
==13325==    by 0x80F7166: Collect(JSContext*, JSCompartment*, long long, js::JSGCInvocationKind, js::gcreason::Reason) (jsgc.cpp:3749)
==13325==    by 0x80F72F8: js::GC(JSContext*, JSCompartment*, js::JSGCInvocationKind, js::gcreason::Reason) (jsgc.cpp:3770)


while in GDB it just crashes:

(gdb) bt 8
#0  malloc_consolidate (av=0xf7e803c0) at malloc.c:5155
#1  0xf7d934a5 in _int_malloc (av=0xf7e803c0, bytes=513) at malloc.c:4373
#2  0xf7d94ae1 in _int_realloc (av=<value optimized out>, oldp=0x85b2440, oldsize=264, nb=520) at malloc.c:5290
#3  0xf7d960e3 in __libc_realloc (oldmem=0x85b2448, bytes=512) at malloc.c:3821
#4  0x08091e7d in js_realloc (p=0x85b2448, bytes=512) at ./dist/include/js/Utility.h:185
#5  0x08093850 in JSRuntime::realloc_ (this=0x857fb28, p=0x85b2448, oldBytes=256, newBytes=512, cx=0x85a3d38) at /srv/repos/mozilla-central/js/src/jscntxt.h:625
#6  0x080938bb in JSContext::realloc_ (this=0x85a3d38, p=0x85b2448, oldBytes=256, newBytes=512) at /srv/repos/mozilla-central/js/src/jscntxt.h:1102
#7  0x081717a6 in JSObject::growSlots (this=0xf751cc40, cx=0x85a3d38, oldCount=32, newCount=64) at /srv/repos/mozilla-central/js/src/jsobj.cpp:3931
(More stack frames follow...)


I suspect this could be a duplicate of the recently filed bug 739615 but I'm not entirely sure, s-s and sg:critical until confirmed to be a duplicate.

Comment 2

[Bill McCloskey [inactive unless it's an emergency] (:billm)]

Attachment: patch

This is a regression from bug 735544. We were using a filename from one compartment in an exception from another compartment. The patch just copies the filename into the exception's compartment.

Comment 3

[Luke Wagner [:luke]]

Comment on attachment 609806 [details] [diff] [review]
patch

Review of attachment 609806 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks

::: js/src/jsexn.cpp
@@ +373,5 @@
>                  frame.funName = NULL;
>                  frame.argc = 0;
>              }
>              if (fp->isScriptFrame()) {
> +                frame.filename = SaveScriptFilename(cx, fp->script()->filename);

null-return check

Comment 4

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Another smaller testcase, fixed by the patch in comment 3:

try {
    ({
        f: evalcx("evalcx(\"e\",newGlobal('new-compartment'))",
                  newGlobal('new-compartment'))
    })
} catch (e) {}
gc()
gc()

crashes js 64-bit debug shell in Linux.

Comment 5

[Bill McCloskey [inactive unless it's an emergency] (:billm)]

https://hg.mozilla.org/integration/mozilla-inbound/rev/967263f4d020

Comment 6

[Ed Morley [:emorley]]

https://hg.mozilla.org/mozilla-central/rev/967263f4d020

Comment 7

[Christian Holler (:decoder)]

JSBugMon: This bug has been automatically verified fixed.