Bug 777776 - Invalid read of size 1 or invalid write of size 1 [@ JSScript::markChildren]
Opened 12 years ago
Closed 12 years ago
Categories: Core :: JavaScript Engine, defect
Status: VERIFIED FIXED
Tracking:
| Tracking | Status
---|---|---
firefox16 | --- | unaffected
firefox17 | --- | fixed
firefox-esr10 | --- | unaffected
People: Reporter: gkw, Assigned: Benjamin
Details: 5 keywords, Whiteboard: [js:p1:fx17][fuzzblocker][qa-]
Attachments (2 files):
- (deleted), text/plain
- (deleted), patch; terrence: review+
Description • Reporter • 12 years ago
gczeal(9, 2)
for (a = 0; a < 4; ++a) {
  b = evaluate("/x/g");
}
causes an invalid read of size 1 and invalid write of size 1 error on the js opt shell on m-c changeset 7065b767f30d with -n using Valgrind; turning s-s because of this.
Comment 1 • Reporter • 12 years ago
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 99950:e080642175e6
user: Benjamin Peterson
date: Fri Jul 20 20:17:38 2012 +0200
summary: Bug 761723 - Save script sources to implement Function.prototype.toString. r=jorendorff,njn,jimb,jst,Ms2ger
During reduction, this testcase has also been known to crash with malloc errors.
Blocks: savesource
Keywords: crash, regression
Comment 2 • Assignee • 12 years ago
I can't reproduce on Linux 64-bit.
Also, what does "crash with malloc errors" mean?
Comment 3 • Reporter • 12 years ago
(In reply to Benjamin Peterson from comment #2)
> I can't reproduce on Linux 64-bit.
>
> Also, what does "crash with malloc errors" mean?
My opt shell is compiled with --enable-gczeal, --enable-profiling, --enable-debug-symbols, --enable-more-deterministic and --enable-valgrind among others - could you please retry?
Mac OS X has a special abort mode for binaries in which it says that there was a malloc error; unfortunately I've lost the exact error message.
A similar error message can be found here: bug 736609 comment 0
Comment 4 • Assignee • 12 years ago
--enable-more-determinism seems to do the trick.
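The reproduction steps scattered across the description and comments 3 and 4 (a gczeal-enabled, deterministic js shell, the testcase, and a Valgrind run with -n) collected into one script. This is an added example, not a script from the bug or from the SpiderMonkey tree; it assumes JS_SHELL points at a js shell configured with --enable-gczeal --enable-more-deterministic --enable-valgrind --enable-debug-symbols (without --enable-gczeal the gczeal() call in the testcase does not exist) and that valgrind is on PATH. The Valgrind flags are the generic memcheck options for JIT-heavy binaries, not ones the reporter lists.

```shell
#!/bin/sh
# Added example: reproduce a js-shell fuzz testcase under Valgrind memcheck.
# Assumption: JS_SHELL is a js shell built with --enable-gczeal
# --enable-more-deterministic --enable-valgrind --enable-debug-symbols.
set -u

# Write the testcase from the bug description to the given path.
write_testcase() {
    cat > "$1" <<'EOF'
gczeal(9, 2)
for (a = 0; a < 4; ++a) {
  b = evaluate("/x/g");
}
EOF
}

# Memcheck options. --error-exitcode makes invalid reads/writes visible as a
# distinct exit status (by default valgrind just propagates the target's own
# status); --smc-check=all-non-file is required for self-modifying JIT code;
# --track-origins reports where an uninitialised value came from.
valgrind_flags() {
    printf '%s' "--error-exitcode=99 --smc-check=all-non-file --track-origins=yes"
}

# Run the shell on the testcase under memcheck.
# Returns 0 for a clean run, 99 if memcheck reported errors, 2 if the shell
# binary is missing, and otherwise the shell's own exit status (e.g. a crash).
reproduce() {
    shell=$1
    tc=$2
    if [ ! -x "$shell" ]; then
        echo "js shell not found at $shell" >&2
        return 2
    fi
    write_testcase "$tc"
    # Flags contain no whitespace, so unquoted expansion is intentional here.
    valgrind $(valgrind_flags) "$shell" -n "$tc"
}

# Map an exit status from reproduce() to a short verdict for triage logs.
classify() {
    case "$1" in
        0)  echo "clean" ;;
        99) echo "memcheck-errors" ;;
        2)  echo "no-shell" ;;
        *)  echo "crashed-or-failed($1)" ;;
    esac
}

# Usage: JS_SHELL=/path/to/js sh repro.sh --run
if [ "${1:-}" = "--run" ]; then
    rc=0
    reproduce "${JS_SHELL:-./js}" "${TESTCASE:-/tmp/bug777776.js}" || rc=$?
    classify "$rc"
fi
```

A status of 99 is what the report's "invalid read of size 1" would produce; a memcheck-clean run that still exits non-zero is the Mac OS X malloc abort the reporter mentions, which this script reports as crashed-or-failed rather than as a memcheck finding.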
Updated • 12 years ago
Whiteboard: [js:p1:fx17]
Comment 5 • Assignee • 12 years ago
Assignee: general → bpeterson
Attachment #646634 - Flags: review?(terrence)
Comment 6 • Reporter • 12 years ago
This bug throws up a lot of weird duplicate errors.
Whiteboard: [js:p1:fx17] → [js:p1:fx17][fuzzblocker]
Updated • 12 years ago
Attachment #646634 - Flags: review?(terrence) → review+
Comment 7 • Assignee • 12 years ago
Comment 8 • Assignee • 12 years ago
And backedout for bustage: https://hg.mozilla.org/integration/mozilla-inbound/rev/c394a354eef7
Comment 9 • Assignee • 12 years ago
Comment 10 • Assignee • 12 years ago
Backed out again: https://hg.mozilla.org/integration/mozilla-inbound/rev/a04448be734a
Comment 11 • Reporter • 12 years ago
Try using the Try Server first:
https://wiki.mozilla.org/ReleaseEngineering/TryServer
Comment 12 • Assignee • 12 years ago
Comment 13 • Assignee • 12 years ago
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Updated • 12 years ago
status-firefox-esr10: --- → unaffected
status-firefox16: --- → unaffected
status-firefox17: --- → fixed
Updated • 12 years ago
Group: core-security
Updated • 12 years ago
Keywords: sec-critical, verifyme
Whiteboard: [js:p1:fx17][fuzzblocker] → [js:p1:fx17][fuzzblocker][qa-]
Comment 14 • Reporter • 12 years ago
A type of test for this bug has already been landed because it is already marked in-testsuite+ -> VERIFIED.
Status: RESOLVED → VERIFIED