Closed Bug 1193543 Opened 9 years ago Closed 9 years ago

Malloc error with testcase involving --unboxed-arrays

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
macOS
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 1194627
Tracking Status
firefox43 --- affected

People

(Reporter: gkw, Unassigned)

References

Details

(4 keywords, Whiteboard: [jsbugmon:])

Attachments

(1 file)

gczeal(10);
function g(f, z) {
    var a = [];
    for (var j = 0; j < z.length; ++j)
        for (var k = 0; k < z.length; ++k)
            a.push(f(z[j], z[k]));
}
try {
    g();
} catch (e) {}
function m(x, y) {
    return (x > function() {}, y | Math.min(x, y) - y);
}
g(m, [, , Function(), String(), , , , /x/, , , , function() {}, , , , , , , , , , , , , , , ]);
function n() {
    return 0;
}
g(n, [, , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ]);

causes a malloc error with js debug and opt ASan shell on m-c changeset 38c1ea9ccae3 with --fuzzing-safe --no-threads --baseline-eager --unboxed-arrays.

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 38c1ea9ccae3

Opt ASan configure options:

CC="/Users/skywalker/llvm/build/bin/clang -Qunused-arguments -fsanitize=address -Dxmalloc=myxmalloc" CXX="/Users/skywalker/llvm/build/bin/clang++ -Qunused-arguments -fsanitize=address -Dxmalloc=myxmalloc" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-address-sanitizer --disable-jemalloc --disable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--disable-debug --enable-more-deterministic --enable-nspr-build --build-with-asan" -r 38c1ea9ccae3

$ $tmd --fuzzing-safe --no-threads --baseline-eager --unboxed-arrays 639.js
js-dbg-64-dm-nsprBuild-darwin-38c1ea9ccae3(38396,0x7fff78071300) malloc: *** error for object 0x10396dac0: pointer being freed was not allocated
*** set a breakpoint in malloc_error_break to debug
Abort trap: 6

Setting needinfo? from Brian as this seems to involve --unboxed-arrays. It seems to have been happening since m-c rev 020c6a559e3a when --unboxed-arrays was introduced.

Setting s-s because this was detected by ASan.
Flags: needinfo?(jdemooij)
Flags: needinfo?(bhackett1024)
Attached file stack (deleted) —
==38420==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x000106e6dac0 in thread T0
    #0 0x102932048 in wrap_free (/Users/skywalker/llvm/build/lib/clang/3.6.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x2d048)
    #1 0x1012273e4 in unsigned long js::gc::Arena::finalize<JSObject>(js::FreeOp*, js::gc::AllocKind, unsigned long) (/Users/skywalker/shell-cache/js-64-dm-asan-nsprBuild-darwin-38c1ea9ccae3/js-64-dm-asan-nsprBuild-darwin-38c1ea9ccae3+0x1012273e4)
    #2 0x1010bc85e in FinalizeArenas(js::FreeOp*, js::gc::ArenaHeader**, js::gc::SortedArenaList&, js::gc::AllocKind, js::SliceBudget&, js::gc::ArenaLists::KeepArenasEnum) (/Users/skywalker/shell-cache/js-64-dm-asan-nsprBuild-darwin-38c1ea9ccae3/js-64-dm-asan-nsprBuild-darwin-38c1ea9ccae3+0x1010bc85e)
    #3 0x1010bbf23 in js::gc::ArenaLists::backgroundFinalize(js::FreeOp*, js::gc::ArenaHeader*, js::gc::ArenaHeader**) (/Users/skywalker/shell-cache/js-64-dm-asan-nsprBuild-darwin-38c1ea9ccae3/js-64-dm-asan-nsprBuild-darwin-38c1ea9ccae3+0x1010bbf23)
    #4 0x1010c67e1 in js::gc::GCRuntime::sweepBackgroundThings(js::gc::ZoneList&, js::LifoAlloc&, js::ThreadType) (/Users/skywalker/shell-cache/js-64-dm-asan-nsprBuild-darwin-38c1ea9ccae3/js-64-dm-asan-nsprBuild-darwin-38c1ea9ccae3+0x1010c67e1)
Cancelling excess needinfo.
Flags: needinfo?(jdemooij)
Whiteboard: [jsbugmon:update] → [jsbugmon:]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Keywords: sec-high
This was fixed by bug 1194627 --- if a normal array was removed from a PreliminaryObjectArray during GC sweeping then before finalization its group could be changed to an unboxed one without its representation changing. With unboxed plain objects this can lead to leaks, and with unboxed arrays this can lead to crashes, since unboxed arrays have a finalizer.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(bhackett1024)
Resolution: --- → DUPLICATE
This only affected unboxed arrays, not s-s.
Group: core-security