Closed
Bug 777776
Opened 10 years ago
Closed 10 years ago
Invalid read of size 1 or invalid write of size 1 [@ JSScript::markChildren]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
| Tracking | Status | |
|---|---|---|
| firefox16 | --- | unaffected |
| firefox17 | --- | fixed |
| firefox-esr10 | --- | unaffected |
People
(Reporter: gkw, Assigned: Benjamin)
References
Details
(5 keywords, Whiteboard: [js:p1:fx17][fuzzblocker][qa-])
Attachments
(2 files)
|
7.10 KB,
text/plain
|
Details | |
|
11.87 KB,
patch
|
terrence
:
review+
|
Details | Diff | Splinter Review |
gczeal(9, 2)
for (a = 0; a < 4; ++a) {
b =
evaluate("/x/g");
}
causes an invalid read of size 1 and invalid write of size 1 error on js opt shell on m-c changeset 7065b767f30d with -n using Valgrind, turning s-s because of this.
|
Reporter | |
Comment 1•10 years ago
|
||
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 99950:e080642175e6 user: Benjamin Peterson date: Fri Jul 20 20:17:38 2012 +0200 summary: Bug 761723 - Save script sources to implement Function.prototype.toString. r=jorendorff,njn,jimb,jst,Ms2ger During reduction, this testcase has also been known to crash with malloc errors.
Blocks: savesource
Keywords: crash,
regression
|
Assignee | |
Comment 2•10 years ago
|
||
I can't reproduce on Linux 64-bit. Also, what does "crash with malloc errors" mean?
|
|
Reporter | |
Comment 3•10 years ago
|
||
(In reply to Benjamin Peterson from comment #2) > I can't reproduce on Linux 64-bit. > > Also, what does "crash with malloc errors" mean? My opt shell is compiled with --enable-gczeal, --enable-profiling, --enable-debug-symbols, --enable-more-deterministic and --enable-valgrind among others - could you pls retry? Mac OS X has a special abort mode for binaries in which it says that there was a malloc error, unfortunately I've lost the exact error message. A similar error message can be found here: bug 736609 comment 0
|
|
Assignee | |
Comment 4•10 years ago
|
||
--enable-more-determinism seems to do the trick.
|
||
Updated•10 years ago
|
Whiteboard: [js:p1:fx17]
|
|
Assignee | |
Comment 5•10 years ago
|
||
Assignee: general → bpeterson
Attachment #646634 -
Flags: review?(terrence)
|
|
Reporter | |
Comment 6•10 years ago
|
||
This bug throws up a lot of weird duplicate errors.
Whiteboard: [js:p1:fx17] → [js:p1:fx17][fuzzblocker]
|
||
Updated•10 years ago
|
Attachment #646634 -
Flags: review?(terrence) → review+
|
|
Assignee | |
Comment 7•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/b69f5004fde8
|
|
Assignee | |
Comment 8•10 years ago
|
||
And backedout for bustage: https://hg.mozilla.org/integration/mozilla-inbound/rev/c394a354eef7
|
|
Assignee | |
Comment 9•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/4cdd23569371
|
|
Assignee | |
Comment 10•10 years ago
|
||
Backed out again: https://hg.mozilla.org/integration/mozilla-inbound/rev/a04448be734a
|
|
Reporter | |
Comment 11•10 years ago
|
||
Try using the Try Server first: https://wiki.mozilla.org/ReleaseEngineering/TryServer
|
|
Assignee | |
Comment 12•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/b6ac2095d264
|
|
Assignee | |
Comment 13•10 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/b6ac2095d264
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
|
||
Updated•10 years ago
|
status-firefox-esr10:
--- → unaffected
status-firefox16:
--- → unaffected
status-firefox17:
--- → fixed
|
|
||
Updated•10 years ago
|
Group: core-security
|
|
||
Updated•10 years ago
|
Keywords: sec-critical
Keywords: verifyme
Whiteboard: [js:p1:fx17][fuzzblocker] → [js:p1:fx17][fuzzblocker][qa-]
|
|
Reporter | |
Comment 14•10 years ago
|
||
A type of test for this bug has already been landed because it is already marked in-testsuite+ -> VERIFIED.
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•