Bug 777776 - Invalid read of size 1 or invalid write of size 1 [@ JSScript::markChildren]
Status: VERIFIED FIXED
Whiteboard: [js:p1:fx17][fuzzblocker][qa-]
Keywords: crash, regression, sec-critical, testcase, valgrind
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: All Mac OS X
Priority/Severity: -- critical
Target Milestone: ---
Assigned To: :Benjamin Peterson
QA Contact: general
: Jason Orendorff [:jorendorff]
Mentors:
Depends on:
Blocks: jsfunfuzz savesource
Reported: 2012-07-26 10:05 PDT by Gary Kwong [:gkw] [:nth10sd]
Modified: 2014-12-10 01:45 PST (History)
benjamin: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
unaffected
fixed
unaffected


Attachments
Valgrind stack (7.10 KB, text/plain)
2012-07-26 10:05 PDT, Gary Kwong [:gkw] [:nth10sd]
no flags
add barrier to JSScript::scriptSource_ (11.87 KB, patch)
2012-07-27 10:59 PDT, :Benjamin Peterson
terrence.d.cole: review+

Description Gary Kwong [:gkw] [:nth10sd] 2012-07-26 10:05:57 PDT
Created attachment 646190 [details]
Valgrind stack

gczeal(9, 2);
for (a = 0; a < 4; ++a) {
    b = evaluate("/x/g");
}

causes an invalid read of size 1 and invalid write of size 1 error on the js opt shell on m-c changeset 7065b767f30d with -n under Valgrind; turning s-s because of this.
Comment 1 Gary Kwong [:gkw] [:nth10sd] 2012-07-26 11:07:09 PDT
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   99950:e080642175e6
user:        Benjamin Peterson
date:        Fri Jul 20 20:17:38 2012 +0200
summary:     Bug 761723 - Save script sources to implement Function.prototype.toString. r=jorendorff,njn,jimb,jst,Ms2ger

During reduction, this testcase has also been known to crash with malloc errors.
Comment 2 :Benjamin Peterson 2012-07-26 23:05:30 PDT
I can't reproduce on Linux 64-bit.

Also, what does "crash with malloc errors" mean?
Comment 3 Gary Kwong [:gkw] [:nth10sd] 2012-07-26 23:24:16 PDT
(In reply to Benjamin Peterson from comment #2)
> I can't reproduce on Linux 64-bit.
> 
> Also, what does "crash with malloc errors" mean?

My opt shell is compiled with --enable-gczeal, --enable-profiling, --enable-debug-symbols, --enable-more-deterministic and --enable-valgrind among others - could you please retry?

Mac OS X has a special abort mode for binaries in which it says that there was a malloc error; unfortunately I've lost the exact error message.

A similar error message can be found here: bug 736609 comment 0
Comment 4 :Benjamin Peterson 2012-07-27 00:06:06 PDT
--enable-more-determinism seems to do the trick.
Comment 5 :Benjamin Peterson 2012-07-27 10:59:25 PDT
Created attachment 646634 [details] [diff] [review]
add barrier to JSScript::scriptSource_
Comment 6 Gary Kwong [:gkw] [:nth10sd] 2012-07-27 11:19:58 PDT
This bug throws up a lot of weird duplicate errors.
Comment 8 :Benjamin Peterson 2012-07-27 15:44:54 PDT
And backed out for bustage: https://hg.mozilla.org/integration/mozilla-inbound/rev/c394a354eef7
Comment 10 :Benjamin Peterson 2012-07-27 19:43:49 PDT
Backed out again: https://hg.mozilla.org/integration/mozilla-inbound/rev/a04448be734a
Comment 11 Gary Kwong [:gkw] [:nth10sd] 2012-07-27 21:51:20 PDT
Try using the Try Server first:

https://wiki.mozilla.org/ReleaseEngineering/TryServer
Comment 13 :Benjamin Peterson 2012-07-29 15:44:06 PDT
http://hg.mozilla.org/mozilla-central/rev/b6ac2095d264
Comment 14 Gary Kwong [:gkw] [:nth10sd] 2012-12-13 17:06:35 PST
A type of test for this bug has already been landed because it is already marked in-testsuite+ -> VERIFIED.