
Invalid read of size 1 or invalid write of size 1 [@ JSScript::markChildren]

Status: VERIFIED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 5 years ago
Modified: 2 years ago

People

(Reporter: gkw, Assigned: Benjamin)

Tracking

(Blocks: 1 bug, 5 keywords)

Version: Trunk
Platform: All
OS: Mac OS X
Keywords: crash, regression, sec-critical, testcase, valgrind
Points: ---
Bug Flags: in-testsuite+

Firefox Tracking Flags

(firefox16 unaffected, firefox17 fixed, firefox-esr10 unaffected)

Details

(Whiteboard: [js:p1:fx17][fuzzblocker][qa-])

Attachments

(2 attachments)

Description (Reporter, 5 years ago)
Created attachment 646190 [details]
Valgrind stack

// Reduced fuzzer testcase for the js shell; gczeal() and evaluate() are
// shell-only helpers (gczeal forces GC activity, evaluate compiles and runs
// the given source in the current scope).
gczeal(9, 2);
for (a = 0; a < 4; ++a) {
    b = evaluate("/x/g");
}

causes "invalid read of size 1" and "invalid write of size 1" errors in the js opt shell on m-c changeset 7065b767f30d with -n under Valgrind; turning s-s because of this.

Comment 1 (Reporter, 5 years ago)
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   99950:e080642175e6
user:        Benjamin Peterson
date:        Fri Jul 20 20:17:38 2012 +0200
summary:     Bug 761723 - Save script sources to implement Function.prototype.toString. r=jorendorff,njn,jimb,jst,Ms2ger

During reduction, this testcase has also been known to crash with malloc errors.
Blocks: 761723
Keywords: crash, regression

Comment 2 (Assignee, 5 years ago)
I can't reproduce on Linux 64-bit.

Also, what does "crash with malloc errors" mean?

Comment 3 (Reporter, 5 years ago)
(In reply to Benjamin Peterson from comment #2)
> I can't reproduce on Linux 64-bit.
> 
> Also, what does "crash with malloc errors" mean?

My opt shell is compiled with --enable-gczeal, --enable-profiling, --enable-debug-symbols, --enable-more-deterministic and --enable-valgrind, among others. Could you please retry?

Mac OS X has a special abort mode for binaries in which it says that there was a malloc error; unfortunately I've lost the exact error message.

A similar error message can be found here: bug 736609 comment 0

Comment 4 (Assignee, 5 years ago)
--enable-more-determinism seems to do the trick.
Whiteboard: [js:p1:fx17]

Comment 5 (Assignee, 5 years ago)
Created attachment 646634 [details] [diff] [review]
add barrier to JSScript::scriptSource_
Assignee: general → bpeterson
Attachment #646634 - Flags: review?(terrence)

Comment 6 (Reporter, 5 years ago)
This bug throws up a lot of weird duplicate errors.
Whiteboard: [js:p1:fx17] → [js:p1:fx17][fuzzblocker]
Attachment #646634 - Flags: review?(terrence) → review+

Comment 7 (Assignee, 5 years ago)
https://hg.mozilla.org/integration/mozilla-inbound/rev/b69f5004fde8

Comment 8 (Assignee, 5 years ago)
And backedout for bustage: https://hg.mozilla.org/integration/mozilla-inbound/rev/c394a354eef7

Comment 9 (Assignee, 5 years ago)
https://hg.mozilla.org/integration/mozilla-inbound/rev/4cdd23569371

Comment 10 (Assignee, 5 years ago)
Backed out again: https://hg.mozilla.org/integration/mozilla-inbound/rev/a04448be734a

Comment 11 (Reporter, 5 years ago)
Try using the Try Server first:

https://wiki.mozilla.org/ReleaseEngineering/TryServer

Comment 12 (Assignee, 5 years ago)
https://hg.mozilla.org/integration/mozilla-inbound/rev/b6ac2095d264

Comment 13 (Assignee, 5 years ago)
http://hg.mozilla.org/mozilla-central/rev/b6ac2095d264
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
status-firefox-esr10: --- → unaffected
status-firefox16: --- → unaffected
status-firefox17: --- → fixed
Group: core-security
Keywords: sec-critical
Keywords: verifyme
Keywords: verifyme
Whiteboard: [js:p1:fx17][fuzzblocker] → [js:p1:fx17][fuzzblocker][qa-]

Comment 14 (Reporter, 4 years ago)
A type of test for this bug has already been landed because it is already marked in-testsuite+ -> VERIFIED.
Status: RESOLVED → VERIFIED