Closed Bug 1799250 Opened 2 years ago Closed 2 years ago

AddressSanitizer: alloc-dealloc-mismatch (malloc vs operator delete []) with Intl

Categories

(Core :: JavaScript Engine, defect)

ARM64
Linux
defect

Tracking


RESOLVED FIXED
108 Branch
Tracking Status
firefox-esr102 --- wontfix
firefox106 --- wontfix
firefox107 --- wontfix
firefox108 --- fixed

People

(Reporter: gkw, Assigned: dminor)

References

(Regression)

Details

(Keywords: regression, testcase)

Attachments

(1 file)

new Intl.Locale("en-u-zz-zz");
Thread 1 "js-64-asan-linu" received signal SIGSEGV, Segmentation fault.
d_demangle_callback (mangled=mangled@entry=0xffff6cf95225 <error: Cannot access memory at address 0xffff6cf95225>, options=options@entry=3, callback=callback@entry=0xfffff75c1ca8 <__sanitizer::(anonymous namespace)::CplusV3DemangleCallback(char const*, size_t, void*)>, opaque=opaque@entry=0xfffffffef3b0) at ../../../../src/libsanitizer/libbacktrace/../../libiberty/cp-demangle.c:6254
6254    ../../../../src/libsanitizer/libbacktrace/../../libiberty/cp-demangle.c: No such file or directory.
(gdb) bt
#0  d_demangle_callback (mangled=mangled@entry=0xffff6cf95225 <error: Cannot access memory at address 0xffff6cf95225>, options=options@entry=3, 
    callback=callback@entry=0xfffff75c1ca8 <__sanitizer::(anonymous namespace)::CplusV3DemangleCallback(char const*, size_t, void*)>, opaque=opaque@entry=0xfffffffef3b0)
    at ../../../../src/libsanitizer/libbacktrace/../../libiberty/cp-demangle.c:6254
#1  0x0000fffff75d84cc in __asan_cplus_demangle_v3_callback (mangled=mangled@entry=0xffff6cf95225 <error: Cannot access memory at address 0xffff6cf95225>, options=options@entry=3, 
    callback=callback@entry=0xfffff75c1ca8 <__sanitizer::(anonymous namespace)::CplusV3DemangleCallback(char const*, size_t, void*)>, opaque=opaque@entry=0xfffffffef3b0)
    at ../../../../src/libsanitizer/libbacktrace/../../libiberty/cp-demangle.c:6517
#2  0x0000fffff75c1dac in __sanitizer::(anonymous namespace)::CplusV3Demangle (name=0xffff6cf95225 <error: Cannot access memory at address 0xffff6cf95225>)
    at ../../../../src/libsanitizer/sanitizer_common/sanitizer_symbolizer_libbacktrace.cc:72
#3  __sanitizer::DemangleAlloc (name=0xffff6cf95225 <error: Cannot access memory at address 0xffff6cf95225>, always_alloc=true)
    at ../../../../src/libsanitizer/sanitizer_common/sanitizer_symbolizer_libbacktrace.cc:196
#4  0x0000fffff75c2024 in __sanitizer::(anonymous namespace)::SymbolizeCodeCallback (symname=0xffff6cf95225 <error: Cannot access memory at address 0xffff6cf95225>, 
    addr=187650002311316, vdata=0xfffffffef470) at ../../../../src/libsanitizer/sanitizer_common/sanitizer_symbolizer_libbacktrace.cc:128
#5  __sanitizer::(anonymous namespace)::SymbolizeCodeCallback (vdata=0xfffffffef470, addr=187650002311316, 
    symname=0xffff6cf95225 <error: Cannot access memory at address 0xffff6cf95225>) at ../../../../src/libsanitizer/sanitizer_common/sanitizer_symbolizer_libbacktrace.cc:123
#6  0x0000fffff75cd858 in __asan_backtrace_syminfo (state=0xfffff74ae000, pc=pc@entry=187650002311316, 
    callback=callback@entry=0xfffff75c1fd0 <__sanitizer::(anonymous namespace)::SymbolizeCodeCallback(void*, uintptr_t, char const*, uintptr_t, uintptr_t)>, 
    error_callback=error_callback@entry=0xfffff75c1bb8 <__sanitizer::(anonymous namespace)::ErrorCallback(void*, char const*, int)>, data=data@entry=0xfffffffef470)
    at ../../../../src/libsanitizer/libbacktrace/../../libbacktrace/fileline.c:199
#7  0x0000fffff75c1c40 in __sanitizer::LibbacktraceSymbolizer::SymbolizePC (this=0xfffff74ad000, addr=187650002311316, stack=<optimized out>)
    at ../../../../src/libsanitizer/sanitizer_common/sanitizer_symbolizer_libbacktrace.cc:166
#8  0x0000fffff75c29ec in __sanitizer::Symbolizer::SymbolizePC (this=0xfffff74ad018, addr=addr@entry=187650002311316)
    at ../../../../src/libsanitizer/sanitizer_common/sanitizer_symbolizer_libcdep.cc:86
#9  0x0000fffff75bd69c in __sanitizer::StackTrace::Print (this=this@entry=0xfffffffef600) at ../../../../src/libsanitizer/sanitizer_common/sanitizer_stacktrace_libcdep.cc:33
#10 0x0000fffff74e280c in __asan::ErrorAllocTypeMismatch::Print (this=this@entry=0xfffff76d77c8 <__asan::ScopedInErrorReport::current_error_+8>)
    at ../../../../src/libsanitizer/asan/asan_errors.cc:132
#11 0x0000fffff75a5d0c in __asan::ErrorDescription::Print (this=0xfffff76d77c0 <__asan::ScopedInErrorReport::current_error_>) at ../../../../src/libsanitizer/asan/asan_errors.h:420
#12 __asan::ScopedInErrorReport::~ScopedInErrorReport (this=0xfffffffefec8, __in_chrg=<optimized out>) at ../../../../src/libsanitizer/asan/asan_report.cc:140
#13 0x0000fffff75a4170 in __asan::ReportAllocTypeMismatch (addr=addr@entry=281474752345104, free_stack=free_stack@entry=0xffffffff0b50, alloc_type=__asan::FROM_MALLOC, 
    dealloc_type=dealloc_type@entry=__asan::FROM_NEW_BR) at ../../../../src/libsanitizer/asan/asan_report.cc:239
#14 0x0000fffff74dad70 in __asan::Allocator::Deallocate (alloc_type=__asan::FROM_NEW_BR, stack=0xffffffff0b50, delete_alignment=0, delete_size=0, ptr=0xfffff2a07410, 
    this=0xfffff7635f40 <__asan::instance>) at ../../../../src/libsanitizer/asan/asan_allocator.cc:633
#15 __asan::asan_delete (ptr=0xfffff2a07410, size=0, alignment=0, stack=0xffffffff0b50, alloc_type=__asan::FROM_NEW_BR) at ../../../../src/libsanitizer/asan/asan_allocator.cc:870
#16 0x0000fffff759f0dc in operator delete[] (ptr=0xfffff2a07410) at ../../../../src/libsanitizer/asan/asan_new_delete.cc:168
#17 0x0000aaaaabbad898 in mozilla::DefaultDelete<char []>::operator() (aPtr=<optimized out>, this=0xffffffff2260)
    at /home/ubuntu/shell-cache/js-64-asan-linux-aarch64-510fd2811bcd/objdir-js/dist/include/mozilla/UniquePtr.h:469
#18 mozilla::UniquePtr<char [], mozilla::DefaultDelete<char []> >::reset(decltype(nullptr)) (this=0xffffffff2258)
    at /home/ubuntu/shell-cache/js-64-asan-linux-aarch64-510fd2811bcd/objdir-js/dist/include/mozilla/UniquePtr.h:420
#19 mozilla::UniquePtr<char [], mozilla::DefaultDelete<char []> >::~UniquePtr (this=0xffffffff2258, __in_chrg=<optimized out>)
    at /home/ubuntu/shell-cache/js-64-asan-linux-aarch64-510fd2811bcd/objdir-js/dist/include/mozilla/UniquePtr.h:381
#20 mozilla::detail::VectorImpl<mozilla::UniquePtr<char [], mozilla::DefaultDelete<char []> >, 2ul, mozilla::MallocAllocPolicy, false>::destroy (aEnd=0xffffffff2260, 
    aBegin=<optimized out>) at /home/ubuntu/shell-cache/js-64-asan-linux-aarch64-510fd2811bcd/objdir-js/dist/include/mozilla/Vector.h:161
#21 mozilla::Vector<mozilla::UniquePtr<char [], mozilla::DefaultDelete<char []> >, 2ul, mozilla::MallocAllocPolicy>::~Vector (this=0xffffffff2240, __in_chrg=<optimized out>)
    at /home/ubuntu/shell-cache/js-64-asan-linux-aarch64-510fd2811bcd/objdir-js/dist/include/mozilla/Vector.h:997
#22 mozilla::intl::Locale::~Locale (this=0xffffffff2200, __in_chrg=<optimized out>)
    at /home/ubuntu/shell-cache/js-64-asan-linux-aarch64-510fd2811bcd/objdir-js/dist/include/mozilla/intl/Locale.h:191
#23 Locale (cx=cx@entry=0xffff70003080, argc=<optimized out>, vp=<optimized out>) at /home/ubuntu/trees/mozilla-central/js/src/builtin/intl/Locale.cpp:745
#24 0x0000aaaaab14973c in CallJSNative (args=..., reason=js::CallReason::Call, native=0xaaaaabbacc30 <Locale(JSContext*, unsigned int, JS::Value*)>, cx=0xffff70003080) at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:459
#25 CallJSNativeConstructor (args=..., native=0xaaaaabbacc30 <Locale(JSContext*, unsigned int, JS::Value*)>, cx=0xffff70003080) at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:475
#26 InternalConstruct (cx=cx@entry=0xffff70003080, args=..., reason=<optimized out>) at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:675
#27 0x0000aaaaab14af68 in js::ConstructFromStack (cx=cx@entry=0xffff70003080, args=..., reason=<optimized out>) at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:722
#28 0x0000aaaaab0ffe30 in Interpret (cx=0xffff70003080, state=...) at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:3360
#29 0x0000aaaaab1427d8 in js::RunScript (cx=<optimized out>, cx@entry=0xffff70003080, state=...) at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:431
#30 0x0000aaaaab14f4a4 in js::ExecuteKernel (result=..., evalInFrame=..., envChainArg=..., script=..., cx=0xffff70003080) at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:825
#31 js::Execute (cx=cx@entry=0xffff70003080, script=..., envChain=..., rval=...) at /home/ubuntu/trees/mozilla-central/js/src/vm/Interpreter.cpp:857
#32 0x0000aaaaab363e50 in ExecuteScript (cx=cx@entry=0xffff70003080, envChain=..., script=..., rval=rval@entry=...) at /home/ubuntu/trees/mozilla-central/js/src/vm/CompilationAndEvaluation.cpp:467
#33 0x0000aaaaab368d90 in JS_ExecuteScript (cx=cx@entry=0xffff70003080, scriptArg=..., scriptArg@entry=...) at /home/ubuntu/trees/mozilla-central/js/src/vm/CompilationAndEvaluation.cpp:491
#34 0x0000aaaaaaf0e9f8 in RunFile (cx=cx@entry=0xffff70003080, filename=filename@entry=0xfffffffff089 "testcase.js", file=file@entry=0xfffff2624c00, compileMethod=compileMethod@entry=CompileUtf8::DontInflate, compileOnly=<optimized out>, fullParse=fullParse@entry=false) at /home/ubuntu/trees/mozilla-central/js/src/shell/js.cpp:1055
#35 0x0000aaaaaafaf4cc in Process (cx=cx@entry=0xffff70003080, filename=0xfffffffff089 "testcase.js", forceTTY=forceTTY@entry=false, kind=kind@entry=FileScript) at /home/ubuntu/trees/mozilla-central/js/src/shell/js.cpp:1653
#36 0x0000aaaaaafb0df8 in ProcessArgs (cx=0xffff70003080, op=op@entry=0xffffffffe7c0) at /home/ubuntu/trees/mozilla-central/js/src/shell/js.cpp:10541
#37 0x0000aaaaaaee7320 in Shell (op=0xffffffffe7c0, cx=<optimized out>) at /home/ubuntu/trees/mozilla-central/js/src/shell/js.cpp:11220
#38 main (argc=<optimized out>, argv=<optimized out>) at /home/ubuntu/trees/mozilla-central/js/src/shell/js.cpp:12320

Run with --fuzzing-safe --no-threads --no-baseline --no-ion, compile with AR=ar sh ../configure --enable-address-sanitizer --enable-fuzzing --disable-jemalloc --disable-stdcxx-compat --with-ccache --enable-debug-symbols --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev 510fd2811bcd. Run this on an aarch64 native hardware processor with Ubuntu Linux ARM64 to reproduce.

This seems to occur as far back as 8cdc7b80f4cd. Last year's builds seem to not compile properly using GCC 11 / 12, but I'm still digging in.

Setting s-s just-in-case. Not sure who to cc, so setting needinfo? from Jan as a start.

Flags: sec-bounty?
Flags: needinfo?
The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/b98f10477f44
user:        Dan Minor
date:        Wed Oct 13 12:07:03 2021 +0000
summary:     Bug 1719746 - Use intl::Locale in SpiderMonkey; r=anba

Dan, is bug 1719746 a likely regressor?

Flags: needinfo? → needinfo?(dminor)
=================================================================
==22237==ERROR: AddressSanitizer: alloc-dealloc-mismatch (malloc vs operator delete []) on 0xff12789065b0
    #0 0xff127d47c734 in operator delete[](void*) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:163
    #1 0xab5b11c137dc in mozilla::DefaultDelete<char []>::operator()(char*) const /home/skydevkit2023/shell-cache/js-64-asan-linux-aarch64-ef44d7041454/objdir-js/dist/include/mozilla/UniquePtr.h:471
    #2 0xab5b11c137dc in mozilla::UniquePtr<char [], mozilla::DefaultDelete<char []> >::reset(decltype(nullptr)) /home/skydevkit2023/shell-cache/js-64-asan-linux-aarch64-ef44d7041454/objdir-js/dist/include/mozilla/UniquePtr.h:420
    #3 0xab5b11c137dc in mozilla::UniquePtr<char [], mozilla::DefaultDelete<char []> >::~UniquePtr() /home/skydevkit2023/shell-cache/js-64-asan-linux-aarch64-ef44d7041454/objdir-js/dist/include/mozilla/UniquePtr.h:381
    #4 0xab5b11c137dc in mozilla::detail::VectorImpl<mozilla::UniquePtr<char [], mozilla::DefaultDelete<char []> >, 2ul, mozilla::MallocAllocPolicy, false>::destroy(mozilla::UniquePtr<char [], mozilla::DefaultDelete<char []> >*, mozilla::UniquePtr<char [], mozilla::DefaultDelete<char []> >*) /home/skydevkit2023/shell-cache/js-64-asan-linux-aarch64-ef44d7041454/objdir-js/dist/include/mozilla/Vector.h:161
    #5 0xab5b11c137dc in mozilla::Vector<mozilla::UniquePtr<char [], mozilla::DefaultDelete<char []> >, 2ul, mozilla::MallocAllocPolicy>::~Vector() /home/skydevkit2023/shell-cache/js-64-asan-linux-aarch64-ef44d7041454/objdir-js/dist/include/mozilla/Vector.h:997
    #6 0xab5b11c137dc in mozilla::intl::Locale::~Locale() /home/skydevkit2023/shell-cache/js-64-asan-linux-aarch64-ef44d7041454/objdir-js/dist/include/mozilla/intl/Locale.h:191
    #7 0xab5b11c137dc in Locale /home/skydevkit2023/trees/mozilla-central/js/src/builtin/intl/Locale.cpp:745
    #8 0xab5b1117bf24 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /home/skydevkit2023/trees/mozilla-central/js/src/vm/Interpreter.cpp:458
    #9 0xab5b1117bf24 in CallJSNativeConstructor(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /home/skydevkit2023/trees/mozilla-central/js/src/vm/Interpreter.cpp:474
    #10 0xab5b1117bf24 in InternalConstruct /home/skydevkit2023/trees/mozilla-central/js/src/vm/Interpreter.cpp:674
    #11 0xab5b1117da90 in js::ConstructFromStack(JSContext*, JS::CallArgs const&, js::CallReason) /home/skydevkit2023/trees/mozilla-central/js/src/vm/Interpreter.cpp:721
    #12 0xab5b11131754 in Interpret /home/skydevkit2023/trees/mozilla-central/js/src/vm/Interpreter.cpp:3359
    #13 0xab5b11174ce0 in js::RunScript(JSContext*, js::RunState&) /home/skydevkit2023/trees/mozilla-central/js/src/vm/Interpreter.cpp:430
    #14 0xab5b11181370 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /home/skydevkit2023/trees/mozilla-central/js/src/vm/Interpreter.cpp:824
    #15 0xab5b11181370 in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) /home/skydevkit2023/trees/mozilla-central/js/src/vm/Interpreter.cpp:856
    #16 0xab5b11426f0c in ExecuteScript /home/skydevkit2023/trees/mozilla-central/js/src/vm/CompilationAndEvaluation.cpp:462
    #17 0xab5b11429510 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) /home/skydevkit2023/trees/mozilla-central/js/src/vm/CompilationAndEvaluation.cpp:486
    #18 0xab5b10f51b54 in RunFile /home/skydevkit2023/trees/mozilla-central/js/src/shell/js.cpp:1050
    #19 0xab5b10ff2d6c in Process /home/skydevkit2023/trees/mozilla-central/js/src/shell/js.cpp:1638
    #20 0xab5b10eff16c in ProcessArgs /home/skydevkit2023/trees/mozilla-central/js/src/shell/js.cpp:10496
    #21 0xab5b10eff16c in Shell /home/skydevkit2023/trees/mozilla-central/js/src/shell/js.cpp:11175
    #22 0xab5b10eff16c in main /home/skydevkit2023/trees/mozilla-central/js/src/shell/js.cpp:12275
    #23 0xff127cf173f8  (/lib/aarch64-linux-gnu/libc.so.6+0x273f8)
    #24 0xff127cf174c8 in __libc_start_main (/lib/aarch64-linux-gnu/libc.so.6+0x274c8)
    #25 0xab5b10f48fac in _start (/home/skydevkit2023/shell-cache/js-64-asan-linux-aarch64-ef44d7041454/js-64-asan-linux-aarch64-ef44d7041454+0x448fac)

0xff12789065b0 is located 0 bytes inside of 5-byte region [0xff12789065b0,0xff12789065b5)
allocated by thread T0 here:
    #0 0xff127d47a2f4 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0xab5b11d6ff9c in char* mozilla::MallocAllocPolicy::maybe_pod_malloc<char>(unsigned long) /home/skydevkit2023/shell-cache/js-64-asan-linux-aarch64-ef44d7041454/objdir-js/dist/include/mozilla/AllocPolicy.h:83
    #2 0xab5b11d6ff9c in char* mozilla::MallocAllocPolicy::pod_malloc<char>(unsigned long) /home/skydevkit2023/shell-cache/js-64-asan-linux-aarch64-ef44d7041454/objdir-js/dist/include/mozilla/AllocPolicy.h:101
    #3 0xab5b11d6ff9c in mozilla::Vector<char, 32ul, mozilla::MallocAllocPolicy>::extractOrCopyRawBuffer() /home/skydevkit2023/shell-cache/js-64-asan-linux-aarch64-ef44d7041454/objdir-js/dist/include/mozilla/Vector.h:1558
    #4 0xab5b11d6ff9c in mozilla::intl::Locale::CanonicalizeUnicodeExtension(mozilla::UniquePtr<char [], mozilla::DefaultDelete<char []> >&) /home/skydevkit2023/trees/mozilla-central/intl/components/src/Locale.cpp:554
    #5 0xab5b11d78c70 in mozilla::intl::Locale::CanonicalizeExtensions() /home/skydevkit2023/trees/mozilla-central/intl/components/src/Locale.cpp:363
    #6 0xab5b11c15940 in Locale /home/skydevkit2023/trees/mozilla-central/js/src/builtin/intl/Locale.cpp:725
    #7 0xab5b1117bf24 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /home/skydevkit2023/trees/mozilla-central/js/src/vm/Interpreter.cpp:458
    #8 0xab5b1117bf24 in CallJSNativeConstructor(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /home/skydevkit2023/trees/mozilla-central/js/src/vm/Interpreter.cpp:474
    #9 0xab5b1117bf24 in InternalConstruct /home/skydevkit2023/trees/mozilla-central/js/src/vm/Interpreter.cpp:674
    #10 0xab5b1117da90 in js::ConstructFromStack(JSContext*, JS::CallArgs const&, js::CallReason) /home/skydevkit2023/trees/mozilla-central/js/src/vm/Interpreter.cpp:721
    #11 0xab5b11131754 in Interpret /home/skydevkit2023/trees/mozilla-central/js/src/vm/Interpreter.cpp:3359
    #12 0xab5b11174ce0 in js::RunScript(JSContext*, js::RunState&) /home/skydevkit2023/trees/mozilla-central/js/src/vm/Interpreter.cpp:430
    #13 0xab5b11181370 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /home/skydevkit2023/trees/mozilla-central/js/src/vm/Interpreter.cpp:824
    #14 0xab5b11181370 in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) /home/skydevkit2023/trees/mozilla-central/js/src/vm/Interpreter.cpp:856
    #15 0xab5b11426f0c in ExecuteScript /home/skydevkit2023/trees/mozilla-central/js/src/vm/CompilationAndEvaluation.cpp:462
    #16 0xab5b11429510 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) /home/skydevkit2023/trees/mozilla-central/js/src/vm/CompilationAndEvaluation.cpp:486
    #17 0xab5b10f51b54 in RunFile /home/skydevkit2023/trees/mozilla-central/js/src/shell/js.cpp:1050
    #18 0xab5b10ff2d6c in Process /home/skydevkit2023/trees/mozilla-central/js/src/shell/js.cpp:1638
    #19 0xab5b10eff16c in ProcessArgs /home/skydevkit2023/trees/mozilla-central/js/src/shell/js.cpp:10496
    #20 0xab5b10eff16c in Shell /home/skydevkit2023/trees/mozilla-central/js/src/shell/js.cpp:11175
    #21 0xab5b10eff16c in main /home/skydevkit2023/trees/mozilla-central/js/src/shell/js.cpp:12275
    #22 0xff127cf173f8  (/lib/aarch64-linux-gnu/libc.so.6+0x273f8)
    #23 0xff127cf174c8 in __libc_start_main (/lib/aarch64-linux-gnu/libc.so.6+0x274c8)
    #24 0xab5b10f48fac in _start (/home/skydevkit2023/shell-cache/js-64-asan-linux-aarch64-ef44d7041454/js-64-asan-linux-aarch64-ef44d7041454+0x448fac)

SUMMARY: AddressSanitizer: alloc-dealloc-mismatch ../../../../src/libsanitizer/asan/asan_new_delete.cpp:163 in operator delete[](void*)
==22237==HINT: if you don't care about these errors you may set ASAN_OPTIONS=alloc_dealloc_mismatch=0
==22237==ABORTING

In case the stack in comment 0 does not make sense, here's another stack from rev ef44d7041454. The stack trace showing weird lines seems to be another issue...

Set release status flags based on info from the regressing bug 1719746

This bug is caused by this line: sb.extractOrCopyRawBuffer() returns malloc'ed memory, but mozilla::intl::UniqueChars is using the default deleter which calls delete[], but we actually need to call free for malloc'ed memory. Same issue later in this file for transform extensions ("-t-").

mozilla::intl::UniqueChars either needs to be changed to use mozilla::FreePolicy or the buffer needs to be properly copied instead of extracted from the mozilla::Vector.

@arai:
It looks like there's a similar issue in WriteCachedStencil: buffer.extractOrCopyRawBuffer() returns malloc'ed memory which needs to be released through the free function, but instead is passed to mozilla::UniquePtr<char[]>, which will attempt to release the memory through delete[].

Flags: needinfo?(arai.unmht)
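A minimal model of the mismatch anba describes above (a malloc'ed buffer from extractOrCopyRawBuffer released through delete[]) next to the two fixes he proposes, as an added example that is not Mozilla's code; extractOrCopyRawBuffer, FreePolicy and the canonicalize* functions here are stand-ins for the real ones, and the sample extension is constructed from the testcase.

```cpp
// Added example, not Mozilla code. extractOrCopyRawBuffer, FreePolicy and the
// canonicalize* functions are stand-ins for the real API (assumptions).
#include <cstdlib>
#include <cstring>
#include <memory>
#include <string>
#include <vector>

// Stand-in for mozilla::Vector<char>::extractOrCopyRawBuffer(): the buffer
// it hands back comes from malloc(), so it must be released with free().
char* extractOrCopyRawBuffer(std::vector<char>& sb) {
  char* raw = static_cast<char*>(std::malloc(sb.size() + 1));
  if (!raw) return nullptr;
  std::memcpy(raw, sb.data(), sb.size());
  raw[sb.size()] = '\0';
  sb.clear();  // ownership has moved to the caller
  return raw;
}

// Deleter in the spirit of mozilla::FreePolicy: releases with free(),
// which is the only correct counterpart to malloc().
struct FreePolicy {
  void operator()(void* p) const { std::free(p); }
};
using UniqueFreeChars = std::unique_ptr<char, FreePolicy>;

// BUGGY shape, kept only to show the defect and never called below:
// unique_ptr<char[]> uses delete[] by default, so releasing a malloc()ed
// buffer through it is the alloc-dealloc-mismatch ASan reported (UB).
std::unique_ptr<char[]> canonicalizeBuggy(std::vector<char>& sb) {
  return std::unique_ptr<char[]>(extractOrCopyRawBuffer(sb));
}

// Fix 1: keep extracting, but pair the buffer with a free()-based deleter.
UniqueFreeChars canonicalizeWithFreePolicy(std::vector<char>& sb) {
  return UniqueFreeChars(extractOrCopyRawBuffer(sb));
}

// Fix 2: don't extract at all; copy into a new[]-allocated array so the
// default delete[] of unique_ptr<char[]> is the matching release.
std::unique_ptr<char[]> canonicalizeByCopy(const std::vector<char>& sb) {
  auto out = std::make_unique<char[]>(sb.size() + 1);
  std::memcpy(out.get(), sb.data(), sb.size());
  out[sb.size()] = '\0';
  return out;
}

// Constructed sample: the "-u-zz-zz" extension from the bug's testcase.
std::vector<char> sampleExtension() {
  const char* s = "u-zz-zz";
  return std::vector<char>(s, s + std::strlen(s));
}

std::string viaFreePolicy() {
  std::vector<char> sb = sampleExtension();
  UniqueFreeChars p = canonicalizeWithFreePolicy(sb);
  return p ? std::string(p.get()) : std::string();
}

std::string viaCopy() {
  std::vector<char> sb = sampleExtension();
  std::unique_ptr<char[]> p = canonicalizeByCopy(sb);
  return std::string(p.get());
}
```

Built with -fsanitize=address and alloc_dealloc_mismatch enabled, only the canonicalizeBuggy path would be flagged; both fixed paths pair each allocation with its matching release.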
Assignee: nobody → dminor
Status: NEW → ASSIGNED
Flags: needinfo?(dminor)
Group: core-security → javascript-core-security

Do you know what security implications there might be for this? I'm trying to decide how to rate this. Thanks.

Flags: needinfo?(andrebargull)

I don't actually know. According to this, it's probably UB. Bug 880193, comment #6 mentions it only matters when different allocators are used, so in normal browser builds it shouldn't matter, because everything goes through jemalloc.

Flags: needinfo?(andrebargull)

(In reply to André Bargull [:anba] from comment #7)

I don't actually know. According to this, it's probably UB. Bug 880193, comment #6 mentions it only matters when different allocators are used, so in normal browser builds it shouldn't matter, because everything goes through jemalloc.

Yes, and this is one of the reasons why we don't support running with this option.

See also https://searchfox.org/mozilla-central/source/mozglue/build/AsanOptions.cpp#19-22,70

Group: javascript-core-security
Flags: sec-bounty?
Pushed by dminor@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a39b8d04a49c
Don't use extractOrCopyRawBuffer in Locale.cpp; r=anba
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 108 Branch
Flags: needinfo?(arai.unmht)