Bug 344921: probably "use after free" in js 1_7 bclary's test
Status: RESOLVED DUPLICATE of bug 343455 (Closed)
Opened 18 years ago; closed 18 years ago
Product / Component: Core :: JavaScript Engine, defect
Reporter: guninski; Assignee: Unassigned
Attachments: 1 file (text/html)

Description (reporter):
Using a tool that clears free()ed and delete'd memory shows a potential use after free, probably in iterators.

LD_PRELOAD http://www.guninski.com/free-pub.tar.gz
or (almost sure it will do, though not tested) on FreeBSD set MALLOC_OPTIONS=J, then go to
http://test.bclary.com/tests/mozilla.org/js/menu.html -> js1_7,
select all of js1_7,
run tests.

Crashes on pythonic generators and sometimes on "iteration":
#6 0xb7f238bb in ah_crap_handler (signum=11) at nsSigHandlers.cpp:133
#7 0xb7f3b888 in nsProfileLock::FatalSignalHandler (signo=11)
at nsProfileLock.cpp:210
#8 <signal handler called>
#9 0xb7e1c089 in js_Interpret (cx=0x98a4208,
pc=0x93de639 'Ð' <repeats 71 times>, "X", result=0xbffa0060)
at /opt/joro/firefox/mozilla/js/src/jsinterp.c:6264
#10 0xb7e1ebf6 in generator_send (cx=0x98a4208, obj=0x8cf4aa8, argc=0,
argv=0x9810028, rval=0xbffa01b0)
at /opt/joro/firefox/mozilla/js/src/jsiter.c:788
#11 0xb7e1ed51 in generator_close (cx=0x98a4208, obj=0x8cf4aa8, argc=0,
argv=0x9810028, rval=0xbffa01b0)
at /opt/joro/firefox/mozilla/js/src/jsiter.c:838
#12 0xb7dfa1ab in js_Invoke (cx=0x98a4208, argc=0, flags=2)
at /opt/joro/firefox/mozilla/js/src/jsinterp.c:1349
#13 0xb7dfa5d8 in js_InternalInvoke (cx=0x98a4208, obj=0x8cf4aa8,
fval=147809160, flags=0, argc=0, argv=0x0, rval=0xbffa0324)
(gdb) x/i $eip
0xb7e1c089 <js_Interpret+131341>: mov (%eax),%edx
(gdb) p/x $eax
$1 = 0xd0d0d0d0
0xd0d0d0d0 is the value with which free memory is filled.
The trouble may be caused by some of bclary's previous tests.
Firefox 2.0b also crashes under these circumstances; 1.5 seems safe.
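The description above relies on an LD_PRELOAD tool that fills freed memory with 0xd0 bytes, so a use-after-free stops being intermittent and instead crashes on a recognisable 0xd0d0d0d0 value (the "p/x $eax" check in the backtrace). The C block below is an added example of that technique written for this page; it is not the reporter's free-pub tool (whose source is not shown here) and not SpiderMonkey code. The names poison_malloc, poison_free and looks_poisoned, the size-header layout, the quarantine size and the struct generator stand-in are all assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Freed memory is filled with this byte, so any 32-bit word read from a freed
 * block shows up as 0xd0d0d0d0, the value the report saw in $eax. */
#define POISON_BYTE 0xD0u
#define POISON_WORD 0xD0D0D0D0u

/* Freed blocks are parked here instead of going straight back to malloc, so a
 * dangling pointer keeps seeing the poison rather than the next allocation's
 * data or the allocator's own free-list links. (Assumed size; tune to taste.) */
#define QUARANTINE_SLOTS 64
static void *quarantine[QUARANTINE_SLOTS];
static size_t qhead;

/* Hypothetical allocator front end: a size header precedes the user block so
 * poison_free() knows how much to overwrite. A real LD_PRELOAD shim would ask
 * the allocator instead (e.g. malloc_usable_size() on glibc). */
void *poison_malloc(size_t n) {
    size_t *hdr = malloc(sizeof(size_t) + n);
    if (hdr == NULL) return NULL;
    *hdr = n;
    return hdr + 1;
}

/* Overwrite the whole user block with the poison byte, then quarantine it.
 * The oldest quarantined block is released for real to bound memory use. */
void poison_free(void *p) {
    if (p == NULL) return;
    size_t *hdr = (size_t *)p - 1;
    memset(p, POISON_BYTE, *hdr);
    if (quarantine[qhead] != NULL) free(quarantine[qhead]);
    quarantine[qhead] = hdr;
    qhead = (qhead + 1) % QUARANTINE_SLOTS;
}

/* Does a word look like it was loaded from poisoned (freed) memory? This is
 * the "p/x $eax" check from the report, done in code. */
int looks_poisoned(uint32_t word) {
    return word == POISON_WORD;
}

/* Stand-in for the generator object in the backtrace: hypothetical layout,
 * not SpiderMonkey's real generator structure. */
struct generator {
    uint32_t frame_pc;   /* something generator_send() would read */
    uint32_t *frame;
};

/* The shape of the bug: close() frees the object while a caller still holds a
 * reference, then send() reads through that stale reference. With the poisoner
 * in place the read yields 0xd0d0d0d0 every time instead of "sometimes
 * garbage, sometimes fine". The block is only quarantined, never handed back
 * to malloc, so the read itself stays well defined here. */
uint32_t dangling_read(void) {
    struct generator *gen = poison_malloc(sizeof *gen);
    if (gen == NULL) return 0;
    gen->frame_pc = 42;
    gen->frame = NULL;
    struct generator *alias = gen;   /* the caller's copy of obj */
    poison_free(gen);                /* generator_close(): object goes away */
    return alias->frame_pc;          /* generator_send(): stale read */
}

/* Control: the same object read while still live returns what was stored. */
uint32_t live_read(void) {
    struct generator *gen = poison_malloc(sizeof *gen);
    if (gen == NULL) return 0;
    gen->frame_pc = 42;
    gen->frame = NULL;
    uint32_t v = gen->frame_pc;
    poison_free(gen);
    return v;
}

int main(void) {
    uint32_t v = dangling_read();
    printf("stale read: 0x%08x (%s)\n", (unsigned)v,
           looks_poisoned(v) ? "poisoned: use after free" : "not poisoned");
    printf("live read:  %u\n", (unsigned)live_read());
    return 0;
}
```

To turn this into a preload shim like the one the report uses, the same memset goes into an exported free() that resolves the real one with dlsym(RTLD_NEXT, "free") and takes the block size from the allocator, then the shared object is loaded into the browser via LD_PRELOAD before running the test suite. The quarantine matters more than it looks: most allocators store free-list links inside freed chunks, so without it the first few bytes of a freed block are often overwritten at once and the poison pattern is only partly visible. The cost is that freed memory is held back until its slot is recycled.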
Updated (reporter): Product: Firefox → Core
Updated (reporter): Component: General → JavaScript Engine

Comment 1 (reporter):
bclary, is there a set of testcases that covers a lot of functionality, to test them for use after free?
Comment 2:
Georgi, I added you to the cc list for bug 343455 and bug 342793. This may be a dupe of one of them.
(In reply to comment #1)
> bclary, is there are a set of testcases that cover a lot of functionality to
> test them for use after free?
>
Any type of test? You can try
<http://test.bclary.com/tests/w3.org/2001/DOM-Test-Suite/interactive.html>
<http://archive.bclary.com/bc-dom-tests/>
Updated: Assignee: nobody → general; QA Contact: general → general
Comment 3 (reporter):
(In reply to comment #2)
> Any type of test? You can try
> <http://test.bclary.com/tests/w3.org/2001/DOM-Test-Suite/interactive.html>
> <http://archive.bclary.com/bc-dom-tests/>
>
Thanks.
Are there collected tests for things other than DOM/JS, like networking, XML, graphics? I would like to run the tests while clearing freed/deleted memory.
Comment 4 (reporter):
(In reply to comment #2)
> Georgi, I added you to the cc list for bug 343455 and bug 342793. This may be a
> dupe of one of them.
>
Yes, almost certainly it is a dupe.
With vanilla Firefox I don't crash on the above, but when clearing memory on free via LD_PRELOAD I crash *reliably*.

This crashes fairly reliably for me with the same stack as in the initial comment.
Comment 6 (reporter):
Bug 344921 Comment #7 may be related to this.
Not sure if it is fixed.
Comment 7 (reporter):
Oops, I mean Bug 343455 Comment #7.
Comment 8 (reporter):
*** This bug has been marked as a duplicate of 343455 ***
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
Updated: Group: security