Closed Bug 788364 Opened 9 years ago Closed 9 years ago

Invalid write of size 8 [@ js::SetIteratorObject::finalize]

Categories

(Core :: JavaScript Engine, defect)

x86_64
All
defect
Not set
critical

Tracking


VERIFIED DUPLICATE of bug 779025
Tracking Status
firefox15 --- unaffected
firefox16 --- unaffected
firefox17 --- fixed
firefox18 --- fixed
firefox-esr10 --- unaffected

People

(Reporter: gkw, Assigned: jorendorff)

References

Details

(4 keywords, Whiteboard: [sg:dupe 779025])

Attachments

(1 file)

Attached file Valgrind stack
x = new Set
x.add()
for (v of x) {
  y
}

shows the following error on 64-bit js opt shell on m-c changeset 7c75cd38626a:

==15342== Invalid write of size 8
==15342==    at 0x60C8FB: js::SetIteratorObject::finalize(js::FreeOp*, JSObject*) (MapObject.cpp:295)
==15342==    by 0x47C5B9: bool js::gc::Arena::finalize<JSObject>(js::FreeOp*, js::gc::AllocKind, unsigned long) (jsobjinlines.h:235)
==15342==    by 0x4803E5: js::gc::FinalizeArenas(js::FreeOp*, js::gc::ArenaHeader**, js::gc::ArenaList&, js::gc::AllocKind, js::SliceBudget&) [clone .constprop.342] (jsgc.cpp:412)
==15342==    by 0x482E16: IncrementalCollectSlice(JSRuntime*, long, js::gcreason::Reason, js::JSGCInvocationKind) (jsgc.cpp:1626)
==15342==    by 0x483BCC: GCCycle(JSRuntime*, bool, long, js::JSGCInvocationKind, js::gcreason::Reason) (jsgc.cpp:4392)
==15342==    by 0x484007: Collect(JSRuntime*, bool, long, js::JSGCInvocationKind, js::gcreason::Reason) [clone .part.316] (jsgc.cpp:4500)
==15342==    by 0x4449C3: js::DestroyContext(JSContext*, js::DestroyContextMode) (jscntxt.cpp:436)
==15342==    by 0x4097E4: DestroyContext(JSContext*, bool) (js.cpp:4594)
==15342==    by 0x4042BD: main (js.cpp:4957)

using the following command on Ubuntu Linux 12.04 with Valgrind SVN build r12957:

valgrind ./js testcase.js

s-s because this is an invalid write.
Could be related to bug 779025 but I guess jorendorff is the best person to ask here :)
Iterable sets initially landed in bug 725909. I'm just going to mark this sg-crit, as it seems sketchy. Feel free to downgrade as appropriate.
Keywords: sec-critical
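The fuzzer testcase above leaves a Set iterator half-consumed (the loop body throws on the first element), so the iterator object is still alive when the GC later finalizes it. The following is an added, regression-style JavaScript probe that is not part of the bug report or of the SpiderMonkey test suite; it generalizes that pattern to Map iterators, to `break`, and to iterators that are never stepped, and only calls `gc()` if the host exposes one (the SpiderMonkey shell does; Node needs `--expose-gc`). On a fixed engine every case completes and the backing collections remain intact.

```javascript
// Added example, not from the bug report. Each helper abandons an iterator
// before exhaustion so that the iterator object is left for the GC to
// finalize; the returned values let a caller check that the loops ran.

function abandonedSetIterator() {
  // Mirrors the original testcase: a Set holding a single `undefined`,
  // with a for-of body that throws on the first element.
  const x = new Set();
  x.add();                       // adds `undefined`
  let iterations = 0;
  try {
    for (const v of x) {
      iterations++;
      y;                         // ReferenceError: y is not defined
    }
  } catch (e) {
    if (!(e instanceof ReferenceError)) throw e;
  }
  return { iterations, size: x.size };
}

function abandonedMapIterators() {
  // Generalization: every Map iterator kind, each abandoned with `break`
  // after one step, plus one iterator that is created and never stepped.
  const m = new Map([[1, 'a'], [2, 'b'], [3, 'c']]);
  let seen = 0;
  for (const it of [m.keys(), m.values(), m.entries()]) {
    for (const _ of it) {
      seen++;
      break;
    }
  }
  m[Symbol.iterator]();          // dropped without ever calling next()
  return { seen, size: m.size };
}

function churnThenCollect(rounds) {
  // Create many partially consumed iterators whose Sets die with them,
  // then request a collection if the host exposes gc().
  let abandoned = 0;
  for (let i = 0; i < rounds; i++) {
    const s = new Set([i, i + 1]);
    const it = s.values();
    it.next();                   // one step, then both s and it go out of scope
    abandoned++;
  }
  if (typeof globalThis.gc === 'function') globalThis.gc();
  return abandoned;
}

console.log(abandonedSetIterator(), abandonedMapIterators(), churnThenCollect(1000));
```

Run it under the shell's own GC (`js --expose-gc`-style flags are not needed in the SpiderMonkey shell, where `gc()` is always present) or under Valgrind as in the original report; a clean run with no "Invalid write" is the expected result on a fixed build.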
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   100489:76fba3ad58dd
user:        Jason Orendorff
date:        Wed Jul 04 10:24:25 2012 -0500
summary:     Bug 725909 - Make Maps and Sets iterable. r=luke.
Blocks: 725909
Keywords: regression
OS: Linux → All
Assignee: general → jorendorff
Gary, can you confirm that rev 278080ef7545 fixed this?
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 779025
I verify that the error shows up in the parent of rev 278080ef7545, which is 3091da11f7ab, but not in 278080ef7545 itself.

-> VERIFIED
Status: RESOLVED → VERIFIED
Flags: in-testsuite?
Group: core-security
Whiteboard: [sg:dupe 779025]
This is already covered by a jit-test, in-testsuite-.
Flags: in-testsuite? → in-testsuite-