Invalid read of size 1 or invalid write of size 1 [@ JSScript::markChildren]

VERIFIED FIXED

Status

()

Product:
Core
Component:
JavaScript Engine
Importance:
--
critical
Status:
VERIFIED FIXED
Reported:
7 years ago
Modified:
4 years ago

People

(Reporter: gkw, Assigned: Benjamin)

Tracking

(Blocks: 1 bug, 5 keywords)

Version:
Trunk
Platform:
All
macOS
Keywords:
crash, regression, sec-critical, testcase, valgrind
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox16 unaffected, firefox17 fixed, firefox-esr10 unaffected)

Details

(Whiteboard: [js:p1:fx17][fuzzblocker][qa-])

Attachments

(2 attachments)

Valgrind stack
7.10 KB, text/plain
Details
add barrier to JSScript::scriptSource_
11.87 KB, patch
terrence
: review+
Details | Diff | Splinter Review
(Reporter)

Description

7 years ago 
Created attachment 646190 [details]
Valgrind stack

gczeal(9, 2)
for (a = 0; a < 4; ++a) {
    b =
    evaluate("/x/g");
}

causes an invalid read of size 1 and invalid write of size 1 error on js opt shell on m-c changeset 7065b767f30d with -n using Valgrind, turning s-s because of this.
(Reporter)

Comment 1

7 years ago 
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   99950:e080642175e6
user:        Benjamin Peterson
date:        Fri Jul 20 20:17:38 2012 +0200
summary:     Bug 761723 - Save script sources to implement Function.prototype.toString. r=jorendorff,njn,jimb,jst,Ms2ger

During reduction, this testcase has also been known to crash with malloc errors.
Blocks: 761723
Keywords: crash, regression
(Assignee)

Comment 2

7 years ago 
I can't reproduce on Linux 64-bit.

Also, what does "crash with malloc errors" mean?
(Reporter)

Comment 3

7 years ago 
(In reply to Benjamin Peterson from comment #2)
> I can't reproduce on Linux 64-bit.
> 
> Also, what does "crash with malloc errors" mean?

My opt shell is compiled with --enable-gczeal, --enable-profiling, --enable-debug-symbols, --enable-more-deterministic and --enable-valgrind among others - could you pls retry?

Mac OS X has a special abort mode for binaries in which it says that there was a malloc error, unfortunately I've lost the exact error message.

A similar error message can be found here: bug 736609 comment 0
(Assignee)

Comment 4

7 years ago 
--enable-more-determinism seems to do the trick.
Whiteboard: [js:p1:fx17]
 (Assignee)

Comment 5

7 years ago 
Created attachment 646634 [details] [diff] [review]
add barrier to JSScript::scriptSource_
Assignee: general → bpeterson
Attachment #646634 - Flags: review?(terrence)
 (Reporter)

Comment 6

7 years ago 
This bug throws up a lot of weird duplicate errors.
Whiteboard: [js:p1:fx17] → [js:p1:fx17][fuzzblocker]
Attachment #646634 - Flags: review?(terrence) → review+
 (Assignee)

Comment 13

7 years ago 
http://hg.mozilla.org/mozilla-central/rev/b6ac2095d264
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
status-firefox-esr10: --- → unaffected
status-firefox16: --- → unaffected
status-firefox17: --- → fixed
Group: core-security
Keywords: sec-critical
Keywords: verifyme
Keywords: verifyme
Whiteboard: [js:p1:fx17][fuzzblocker] → [js:p1:fx17][fuzzblocker][qa-]
 (Reporter)

Comment 14

6 years ago 
A type of test for this bug has already been landed because it is already marked in-testsuite+ -> VERIFIED.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.