Closed Bug 777776 Opened 10 years ago Closed 10 years ago

Invalid read of size 1 or invalid write of size 1 [@ JSScript::markChildren]

Categories

(Core :: JavaScript Engine, defect)

All
macOS
defect
Not set
critical

Tracking

()

VERIFIED FIXED
Tracking Status
firefox16 --- unaffected
firefox17 --- fixed
firefox-esr10 --- unaffected

People

(Reporter: gkw, Assigned: Benjamin)

References

Details

(5 keywords, Whiteboard: [js:p1:fx17][fuzzblocker][qa-])

Attachments

(2 files)

Attached file Valgrind stack
gczeal(9, 2)
for (a = 0; a < 4; ++a) {
    b =
    evaluate("/x/g");
}

causes an invalid read of size 1 and invalid write of size 1 error on js opt shell on m-c changeset 7065b767f30d with -n using Valgrind, turning s-s because of this.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   99950:e080642175e6
user:        Benjamin Peterson
date:        Fri Jul 20 20:17:38 2012 +0200
summary:     Bug 761723 - Save script sources to implement Function.prototype.toString. r=jorendorff,njn,jimb,jst,Ms2ger

During reduction, this testcase has also been known to crash with malloc errors.
Blocks: savesource
Keywords: crash, regression
I can't reproduce on Linux 64-bit.

Also, what does "crash with malloc errors" mean?
(In reply to Benjamin Peterson from comment #2)
> I can't reproduce on Linux 64-bit.
> 
> Also, what does "crash with malloc errors" mean?

My opt shell is compiled with --enable-gczeal, --enable-profiling, --enable-debug-symbols, --enable-more-deterministic and --enable-valgrind among others - could you pls retry?

Mac OS X has a special abort mode for binaries in which it says that there was a malloc error, unfortunately I've lost the exact error message.

A similar error message can be found here: bug 736609 comment 0
--enable-more-determinism seems to do the trick.
Whiteboard: [js:p1:fx17]
Assignee: general → bpeterson
Attachment #646634 - Flags: review?(terrence)
This bug throws up a lot of weird duplicate errors.
Whiteboard: [js:p1:fx17] → [js:p1:fx17][fuzzblocker]
Attachment #646634 - Flags: review?(terrence) → review+
http://hg.mozilla.org/mozilla-central/rev/b6ac2095d264
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Group: core-security
Keywords: verifyme
Keywords: verifyme
Whiteboard: [js:p1:fx17][fuzzblocker] → [js:p1:fx17][fuzzblocker][qa-]
A type of test for this bug has already been landed because it is already marked in-testsuite+ -> VERIFIED.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.