Invalid write of size 8 [@ js::SetIteratorObject::finalize]

VERIFIED DUPLICATE of bug 779025

Status


Core
JavaScript Engine
--
critical
5 years ago
4 years ago

People

(Reporter: gkw, Assigned: jorendorff)

Tracking

(Blocks: 1 bug, 4 keywords)

Trunk
x86_64
All
regression, sec-critical, testcase, valgrind
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite -

Firefox Tracking Flags

(firefox15 unaffected, firefox16 unaffected, firefox17 fixed, firefox18 fixed, firefox-esr10 unaffected)

Details

(Whiteboard: [sg:dupe 779025])

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
Created attachment 658316
Valgrind stack

x = new Set
x.add()
for (v of x) {
  y
}

shows the following error on 64-bit js opt shell on m-c changeset 7c75cd38626a:

==15342== Invalid write of size 8
==15342==    at 0x60C8FB: js::SetIteratorObject::finalize(js::FreeOp*, JSObject*) (MapObject.cpp:295)
==15342==    by 0x47C5B9: bool js::gc::Arena::finalize<JSObject>(js::FreeOp*, js::gc::AllocKind, unsigned long) (jsobjinlines.h:235)
==15342==    by 0x4803E5: js::gc::FinalizeArenas(js::FreeOp*, js::gc::ArenaHeader**, js::gc::ArenaList&, js::gc::AllocKind, js::SliceBudget&) [clone .constprop.342] (jsgc.cpp:412)
==15342==    by 0x482E16: IncrementalCollectSlice(JSRuntime*, long, js::gcreason::Reason, js::JSGCInvocationKind) (jsgc.cpp:1626)
==15342==    by 0x483BCC: GCCycle(JSRuntime*, bool, long, js::JSGCInvocationKind, js::gcreason::Reason) (jsgc.cpp:4392)
==15342==    by 0x484007: Collect(JSRuntime*, bool, long, js::JSGCInvocationKind, js::gcreason::Reason) [clone .part.316] (jsgc.cpp:4500)
==15342==    by 0x4449C3: js::DestroyContext(JSContext*, js::DestroyContextMode) (jscntxt.cpp:436)
==15342==    by 0x4097E4: DestroyContext(JSContext*, bool) (js.cpp:4594)
==15342==    by 0x4042BD: main (js.cpp:4957)

using the following command on Ubuntu Linux 12.04 with Valgrind SVN build r12957:

valgrind ./js testcase.js

s-s because this is an invalid write.
Could be related to bug 779025 but I guess jorendorff is the best person to ask here :)
Iterable sets initially landed in bug 725909. I'm just going to mark this sg-crit, as it seems sketchy.  Feel free to downgrade as appropriate.
Keywords: sec-critical
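When triaging a Valgrind report like the one above, the first questions are the error class (an invalid write is memory corruption and is rated far above an uninitialised read), the access size, and the top frame where it happened. The following Python helper is an added example, not part of this bug or of the SpiderMonkey tree: it parses memcheck output into structured errors and ranks them. The embedded log is constructed from the frames quoted in the report plus two invented errors for contrast, and the severity tiers are this example's own convention.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the first error reuses three frames from the report above;
# the "Invalid read" and "uninitialised value" errors are invented for contrast.
SAMPLE_LOG = """\
==15342== Invalid write of size 8
==15342==    at 0x60C8FB: js::SetIteratorObject::finalize(js::FreeOp*, JSObject*) (MapObject.cpp:295)
==15342==    by 0x47C5B9: bool js::gc::Arena::finalize<JSObject>(js::FreeOp*, js::gc::AllocKind, unsigned long) (jsobjinlines.h:235)
==15342==    by 0x4042BD: main (js.cpp:4957)
==15342==
==15342== Invalid read of size 4
==15342==    at 0x401000: foo() (foo.cpp:10)
==15342==    by 0x401200: main (foo.cpp:20)
==15342==
==15342== Conditional jump or move depends on uninitialised value(s)
==15342==    at 0x402000: bar() (bar.cpp:30)
"""

# A stack frame: "at"/"by", hex address, symbol (may itself contain parentheses),
# and a final parenthesised source location without nested parentheses.
FRAME_RE = re.compile(
    r"^==(?P<pid>\d+)==\s+(?:at|by)\s+0x(?P<addr>[0-9A-Fa-f]+):\s+"
    r"(?P<func>.*)\s\((?P<loc>[^()]*)\)$"
)
EMPTY_RE = re.compile(r"^==\d+==\s*$")                 # separator between errors
HEADER_RE = re.compile(r"^==(?P<pid>\d+)==\s+(?P<text>\S.*)$")
ACCESS_RE = re.compile(r"^Invalid (?P<op>read|write) of size (?P<size>\d+)$")


@dataclass
class Frame:
    addr: str
    func: str
    location: str


@dataclass
class ValgrindError:
    kind: str                      # the header text, e.g. "Invalid write of size 8"
    op: Optional[str]              # "read" / "write" for invalid accesses, else None
    size: Optional[int]            # access size in bytes, when stated
    frames: List[Frame] = field(default_factory=list)

    def top_frame(self) -> Optional[Frame]:
        return self.frames[0] if self.frames else None


def parse_valgrind(text: str) -> List[ValgrindError]:
    """Turn memcheck text into a list of errors, each with its stack frames."""
    errors: List[ValgrindError] = []
    current: Optional[ValgrindError] = None
    for line in text.splitlines():
        if EMPTY_RE.match(line):           # blank "==pid==" line closes the current error
            current = None
            continue
        m = FRAME_RE.match(line)
        if m:                              # frame lines attach to the open error, if any
            if current is not None:
                current.frames.append(Frame(m["addr"], m["func"], m["loc"]))
            continue
        h = HEADER_RE.match(line)
        if not h:
            continue
        header = h["text"].strip()
        if header.startswith("Address "):  # "Address 0x.. is N bytes after ..." detail line
            continue
        a = ACCESS_RE.match(header)
        current = ValgrindError(kind=header,
                                op=a["op"] if a else None,
                                size=int(a["size"]) if a else None)
        errors.append(current)
    return errors


def severity(err: ValgrindError) -> str:
    """Example ranking: writes corrupt memory, reads leak or crash, the rest is noise until proven otherwise."""
    if err.op == "write":
        return "critical"
    if err.op == "read":
        return "high"
    if "uninitialised" in err.kind or "uninitialized" in err.kind:
        return "medium"
    return "low"


def triage(text: str) -> List[Tuple[str, str, Optional[str]]]:
    """(severity, error kind, top-frame location) for each error in the log."""
    out = []
    for err in parse_valgrind(text):
        top = err.top_frame()
        out.append((severity(err), err.kind, top.location if top else None))
    return out


if __name__ == "__main__":
    for sev, kind, loc in triage(SAMPLE_LOG):
        print(f"{sev:8} {kind} @ {loc}")
```

Run against a real log, the tool reads the Valgrind output piped in or saved from `valgrind ./js testcase.js`; the regexes deliberately take the last parenthesised group of a frame as the location so that C++ signatures containing parentheses parse correctly.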
(Reporter)

Comment 3

5 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   100489:76fba3ad58dd
user:        Jason Orendorff
date:        Wed Jul 04 10:24:25 2012 -0500
summary:     Bug 725909 - Make Maps and Sets iterable. r=luke.
status-firefox-esr10: --- → unaffected
status-firefox15: --- → unaffected
status-firefox16: --- → affected
status-firefox17: --- → affected
status-firefox18: --- → affected
(Reporter)

Updated

5 years ago
Blocks: 725909
Keywords: regression
OS: Linux → All
status-firefox16: affected → unaffected
(Assignee)

Updated

5 years ago
Assignee: general → jorendorff
(Assignee)

Comment 4

5 years ago
Gary, can you confirm that rev 278080ef7545 fixed this?
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 779025
(Reporter)

Comment 5

5 years ago
I verify that the error shows up in the parent of rev 278080ef7545, which is 3091da11f7ab, but not in 278080ef7545 itself.

-> VERIFIED
Status: RESOLVED → VERIFIED
status-firefox18: affected → fixed
Flags: in-testsuite?
Group: core-security
status-firefox17: affected → fixed
Whiteboard: [sg:dupe 779025]
This is already covered by a jit-test, in-testsuite-.
Flags: in-testsuite? → in-testsuite-