incorrect munmap in mozglue/linker/Mappable.cpp?

Status: RESOLVED INVALID
Product: Core
Component: mozglue
Version: Trunk
Hardware: x86 Mac OS X
Reporter: spam_hole
Assignee: Unassigned
Points: ---
Firefox Tracking Flags: (Not tracked)

Description (Reporter, 5 years ago)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:14.0) Gecko/20100101 Firefox/14.0.1
Build ID: 20120713134347

Steps to reproduce:

See http://hg.mozilla.org/mozilla-central/file/eb201b1e55fd/mozglue/linker/Mappable.cpp#l251. To me this looks like a bug: the munmap call will unmap a region of memory based off 'this' (which could in fact be very, very far away from 'this' because the pointer arithmetic is based on _MappableBuffer-sized chunks), instead of from 'buf' (which was the original allocation).


Actual results:

The result is likely to be nothing in the majority of cases, or a random difficult-to-pin-down crash when some other component finds a small page-sized hole in its memory. The latter is what triggered an investigation using ptrace, which found the random munmap call to be the culprit.


Expected results:

'this' should be changed to 'buf'.

Updated

5 years ago
Component: General → mozglue
Product: Firefox for Android → Core
Version: Firefox 14 → Trunk
_MappableBuffer inherits from MappedPtr, which has an operator + doing the right thing. Kind of ugly, but this code will eventually go away with bug 725231.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → INVALID
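An added illustration of the point in the comment above (constructed here, not code from the page or from mozglue): a simplified stand-in for the two classes, in which the inherited `operator +` is assumed to advance by bytes from the mapping base. It contrasts the object form `*this + offset`, which selects that operator, with raw pointer arithmetic on `this`, which would be scaled by `sizeof` and measured from the object yet still compiles because the pointer converts to `void*`; `MappedPtr`, `MappableBuffer`, `viaObject`, `viaThisPointer` and `probe` are names invented for this example.

```cpp
#include <cstddef>
#include <cstdint>
// Stand-in for mozglue's MappedPtr (simplified, not the real class): holds the
// base of a mapping and overloads operator+ to advance by BYTES from that base.
struct MappedPtr {
    void* mapped;
    explicit MappedPtr(void* p) : mapped(p) {}
    void* operator+(std::ptrdiff_t offset) const {
        return static_cast<char*>(mapped) + offset;
    }
};

// Stand-in for _MappableBuffer: inherits the operator and adds state, so
// sizeof(MappableBuffer) is larger than a single pointer.
struct MappableBuffer : MappedPtr {
    std::size_t length;
    int fd;
    MappableBuffer(void* p, std::size_t len) : MappedPtr(p), length(len), fd(-1) {}
    // Object form: overload resolution selects MappedPtr::operator+, so the
    // result is "mapping base + offset bytes", the address munmap should get.
    void* viaObject(std::ptrdiff_t offset) { return *this + offset; }
    // Pointer form: `this` is a MappableBuffer*, so built-in arithmetic scales
    // offset by sizeof(MappableBuffer) and starts at the OBJECT, not the
    // mapping. It still compiles because MappableBuffer* converts to void*.
    void* viaThisPointer(std::ptrdiff_t offset) { return this + offset; }
};

// Distance in bytes from base to addr, computed via uintptr_t so it is
// well-defined even when the two pointers do not point into the same object.
std::ptrdiff_t bytesFrom(const void* addr, const void* base) {
    return static_cast<std::ptrdiff_t>(reinterpret_cast<std::uintptr_t>(addr) - reinterpret_cast<std::uintptr_t>(base));
}

struct Probe {
    std::ptrdiff_t objectFormFromMapping;  // expected: offset
    std::ptrdiff_t thisFormFromObject;     // expected: offset * sizeof(MappableBuffer)
};

// Constructed input: a page-aligned static array stands in for an mmap'd region.
Probe probe(std::ptrdiff_t offset) {
    static alignas(4096) char region[4 * 4096];
    MappableBuffer buf(region, sizeof(region));
    Probe p;
    p.objectFormFromMapping = bytesFrom(buf.viaObject(offset), region);
    p.thisFormFromObject = bytesFrom(buf.viaThisPointer(offset), &buf);
    return p;
}
```

With a page-sized offset, only the object form lands one page into the mapping; the pointer form ends up `sizeof(MappableBuffer)` pages away from the object itself, which is the kind of wild address the reporter describes.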
Comment 2 (Reporter, 5 years ago)
Odd. I was definitely seeing an invalid ("wild") non-aligned `munmap` call in ptrace coming from Mozilla. Maybe it was something else. Maybe it'll go away when that code is removed; otherwise I'll do some more digging and submit a new bug.