Closed Bug 788364 Opened 12 years ago Closed 12 years ago

Invalid write of size 8 [@ js::SetIteratorObject::finalize]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED DUPLICATE of bug 779025
Tracking Flags:
Tracking Status
firefox15 --- unaffected
firefox16 --- unaffected
firefox17 --- fixed
firefox18 --- fixed
firefox-esr10 --- unaffected

People

(Reporter: gkw, Assigned: jorendorff)

References

Details

(4 keywords, Whiteboard: [sg:dupe 779025])

Attachments

(1 file)

Valgrind stack
2.86 KB, text/plain
Details
Attached file Valgrind stack
x = new Set x.add() for (v of x) { y } shows the following error on 64-bit js opt shell on m-c changeset 7c75cd38626a : ==15342== Invalid write of size 8 ==15342== at 0x60C8FB: js::SetIteratorObject::finalize(js::FreeOp*, JSObject*) (MapObject.cpp:295) ==15342== by 0x47C5B9: bool js::gc::Arena::finalize<JSObject>(js::FreeOp*, js::gc::AllocKind, unsigned long) (jsobjinlines.h:235) ==15342== by 0x4803E5: js::gc::FinalizeArenas(js::FreeOp*, js::gc::ArenaHeader**, js::gc::ArenaList&, js::gc::AllocKind, js::SliceBudget&) [clone .constprop.342] (jsgc.cpp:412) ==15342== by 0x482E16: IncrementalCollectSlice(JSRuntime*, long, js::gcreason::Reason, js::JSGCInvocationKind) (jsgc.cpp:1626) ==15342== by 0x483BCC: GCCycle(JSRuntime*, bool, long, js::JSGCInvocationKind, js::gcreason::Reason) (jsgc.cpp:4392) ==15342== by 0x484007: Collect(JSRuntime*, bool, long, js::JSGCInvocationKind, js::gcreason::Reason) [clone .part.316] (jsgc.cpp:4500) ==15342== by 0x4449C3: js::DestroyContext(JSContext*, js::DestroyContextMode) (jscntxt.cpp:436) ==15342== by 0x4097E4: DestroyContext(JSContext*, bool) (js.cpp:4594) ==15342== by 0x4042BD: main (js.cpp:4957) using the following command on Ubuntu Linux 12.04 with Valgrind SVN build r12957: valgrind ./js testcase.js s-s because this is an invalid write.
Could be related to bug 779025 but I guess jorendorff is the best person to ask here :)
Iterable sets initially landed in bug 725909. I'm just going to mark this sg-crit, as it seems sketchy. Feel free to downgrade as appropriate.
Keywords: sec-critical
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 100489:76fba3ad58dd user: Jason Orendorff date: Wed Jul 04 10:24:25 2012 -0500 summary: Bug 725909 - Make Maps and Sets iterable. r=luke.
status-firefox-esr10: --- → unaffected
status-firefox15: --- → unaffected
status-firefox16: --- → affected
status-firefox17: --- → affected
status-firefox18: --- → affected
Blocks: 725909
Keywords: regression
OS: Linux → All
Assignee: general → jorendorff
Gary, can you confirm that rev 278080ef7545 fixed this?
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
I verify that the error shows up in the parent of rev 278080ef7545 , which is 3091da11f7ab, but not in 278080ef7545 itself. -> VERIFIED
Status: RESOLVED → VERIFIED
status-firefox18: affectedfixed
Flags: in-testsuite?
Group: core-security
status-firefox17: affectedfixed
Whiteboard: [sg:dupe 779025]
This is already covered by a jit-test, in-testsuite-.
Flags: in-testsuite? → in-testsuite-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: