Closed Bug 901461 Opened 11 years ago Closed 3 years ago

ThreadProfile::BuildJSObject reads freed memory

Categories: Core :: Gecko Profiler, defect
Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: normal


RESOLVED FIXED

People: Reporter: jseward, Unassigned
References: Blocks 1 open bug

Details

MOZ_PROFILER_NEW=1 MOZ_PROFILER_VERBOSE=1 MOZ_PROFILER_MODE=combined \
MOZ_PROFILER_INTERVAL=50 vTRUNK --fair-sched=yes \
--smc-check=all-non-file \
./ff-opt-linux/dist/bin/firefox-bin -P dev -no-remote

Leave to start up, then click on Profile->Analyse on the plugin menu. Then the following invalid reads happen. Not sure if this is a race with some other thread, or what.

Thread 1:
Invalid read of size 1
   at 0x704B2E4: JSObjectBuilder::ArrayPush(JSCustomArray*, char const*) (JSObjectBuilder.cpp:105)
   by 0x70498FD: ThreadProfile::BuildJSObject(JSAObjectBuilder&, JSCustomObject*) (ProfileEntry.cpp:364)
   by 0x7043BA2: TableTicker::BuildJSObject(JSAObjectBuilder&, JSCustomObject*) (TableTicker.cpp:256)
   by 0x7043E8A: TableTicker::ToJSObject(JSContext*) (TableTicker.cpp:162)
   by 0x703F938: mozilla_sampler_get_profile_data(JSContext*) (platform.cpp:382)
   by 0x7041659: nsProfiler::GetProfileData(JSContext*, JS::Value*) (GeckoProfilerImpl.h:113)
   by 0x7793192: NS_InvokeByIndex (xptcinvoke_x86_64_unix.cpp:164)
   by 0x6BE41EB: CallMethodHelper::Call() (XPCWrappedNative.cpp:2805)
   by 0x6BE4B44: XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) (XPCWrappedNative.cpp:2109)
   by 0x6BEC37B: XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) (XPCWrappedNativeJSOps.cpp:1315)
   by 0x7FED4FA: js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (jscntxtinlines.h:225)
   by 0x7FFC1D9: js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (Interpreter.cpp:486)
 Address 0x18053ac0 is 80 bytes inside a block of size 260 free'd
   at 0x480780A: free (vg_replace_malloc.c:468)
   by 0x481B196: moz_free (mozalloc.cpp:48)
   by 0x76FE6CB: PL_DHashFreeTable (pldhash.cpp:89)
   by 0x76FEDA4: PL_DHashTableFinish (pldhash.cpp:370)
   by 0x588A6D0: nsTHashtable<nsCookieKey>::~nsTHashtable() (nsTHashtable.h:385)
   by 0x61C5760: RangeHashTableDtor(void*, nsIAtom*, void*, void*) (nsRange.cpp:308)
   by 0x61C32B1: nsPropertyTable::PropertyList::DeletePropertyFor(nsPropertyOwner) (nsPropertyTable.cpp:340)
   by 0x61C3346: nsPropertyTable::DeleteProperty(nsPropertyOwner, nsIAtom*) (nsPropertyTable.cpp:263)
   by 0x6184F72: nsINode::DeleteProperty(unsigned short, nsIAtom*) (nsINode.cpp:177)
   by 0x61C4BFC: nsRange::UnregisterCommonAncestor(nsINode*) (nsINode.h:681)
   by 0x5E81CB0: mozilla::Selection::Clear(nsPresContext*) (nsRange.h:150)
   by 0x5E84343: mozilla::Selection::Collapse(nsINode*, int) (nsSelection.cpp:4393)

Invalid read of size 1
   at 0x82776A8: JSFlatString* js_NewStringCopyN<(js::AllowGC)1>(js::ThreadSafeContext*, char const*, unsigned long) (String-inl.h:36)
   by 0x810B334: JS_NewStringCopyN(JSContext*, char const*, unsigned long) (jsapi.cpp:5489)
   by 0x704B2F5: JSObjectBuilder::ArrayPush(JSCustomArray*, char const*) (JSObjectBuilder.cpp:105)
   by 0x70498FD: ThreadProfile::BuildJSObject(JSAObjectBuilder&, JSCustomObject*) (ProfileEntry.cpp:364)
   by 0x7043BA2: TableTicker::BuildJSObject(JSAObjectBuilder&, JSCustomObject*) (TableTicker.cpp:256)
   by 0x7043E8A: TableTicker::ToJSObject(JSContext*) (TableTicker.cpp:162)
   by 0x703F938: mozilla_sampler_get_profile_data(JSContext*) (platform.cpp:382)
   by 0x7041659: nsProfiler::GetProfileData(JSContext*, JS::Value*) (GeckoProfilerImpl.h:113)
   by 0x7793192: NS_InvokeByIndex (xptcinvoke_x86_64_unix.cpp:164)
   by 0x6BE41EB: CallMethodHelper::Call() (XPCWrappedNative.cpp:2805)
   by 0x6BE4B44: XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) (XPCWrappedNative.cpp:2109)
   by 0x6BEC37B: XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) (XPCWrappedNativeJSOps.cpp:1315)
 Address 0x8f1ba650 is not stack'd, malloc'd or (recently) free'd

Invalid read of size 1
   at 0x827259A: js::InflateString(js::ThreadSafeContext*, char const*, unsigned long*) (jsstr.cpp:3979)
   by 0x82775B1: JSFlatString* js_NewStringCopyN<(js::AllowGC)1>(js::ThreadSafeContext*, char const*, unsigned long) (jsstr.cpp:3689)
   by 0x810B334: JS_NewStringCopyN(JSContext*, char const*, unsigned long) (jsapi.cpp:5489)
   by 0x704B2F5: JSObjectBuilder::ArrayPush(JSCustomArray*, char const*) (JSObjectBuilder.cpp:105)
   by 0x70498FD: ThreadProfile::BuildJSObject(JSAObjectBuilder&, JSCustomObject*) (ProfileEntry.cpp:364)
   by 0x7043BA2: TableTicker::BuildJSObject(JSAObjectBuilder&, JSCustomObject*) (TableTicker.cpp:256)
   by 0x7043E8A: TableTicker::ToJSObject(JSContext*) (TableTicker.cpp:162)
   by 0x703F938: mozilla_sampler_get_profile_data(JSContext*) (platform.cpp:382)
   by 0x7041659: nsProfiler::GetProfileData(JSContext*, JS::Value*) (GeckoProfilerImpl.h:113)
   by 0x7793192: NS_InvokeByIndex (xptcinvoke_x86_64_unix.cpp:164)
   by 0x6BE41EB: CallMethodHelper::Call() (XPCWrappedNative.cpp:2805)
   by 0x6BE4B44: XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) (XPCWrappedNative.cpp:2109)
 Address 0x3a1af3c0 is 496 bytes inside a block of size 504 free'd
   at 0x480780A: free (vg_replace_malloc.c:468)
   by 0x481B196: moz_free (mozalloc.cpp:48)
   by 0x58BB9B5: std::_Deque_base<dwarf2reader::CallFrameInfo::RuleMap, std::allocator<dwarf2reader::CallFrameInfo::RuleMap> >::_M_destroy_nodes(dwarf2reader::CallFrameInfo::RuleMap**, dwarf2reader::CallFrameInfo::RuleMap**) (mozalloc.h:225)
   by 0x58BB9E6: std::_Deque_base<dwarf2reader::CallFrameInfo::RuleMap, std::allocator<dwarf2reader::CallFrameInfo::RuleMap> >::~_Deque_base() (stl_deque.h:566)
   by 0x58BE183: dwarf2reader::CallFrameInfo::Start() (stl_deque.h:907)
   by 0x58CA6EE: bool (anonymous namespace)::LoadDwarfCFI<google_breakpad::ElfClass64>(std::string const&, google_breakpad::ElfClass64::Ehdr const*, char const*, google_breakpad::ElfClass64::Shdr const*, bool, google_breakpad::ElfClass64::Shdr const*, google_breakpad::ElfClass64::Shdr const*, bool, google_breakpad::Module*) (dump_symbols.cc:350)
   by 0x58CC7C3: bool (anonymous namespace)::LoadSymbols<google_breakpad::ElfClass64>(std::string const&, bool, google_breakpad::ElfClass64::Ehdr const*, bool, (anonymous namespace)::LoadSymbolsInfo<google_breakpad::ElfClass64>*, SymbolData, google_breakpad::Module*) (dump_symbols.cc:682)
   by 0x58CF681: google_breakpad::ReadSymbolDataInternal(unsigned char const*, std::string const&, std::vector<std::string, std::allocator<std::string> > const&, SymbolData, google_breakpad::Module**) (dump_symbols.cc:878)
   by 0x58D00B7: google_breakpad::ReadSymbolData(std::string const&, std::vector<std::string, std::allocator<std::string> > const&, SymbolData, google_breakpad::Module**) (dump_symbols.cc:982)
   by 0x704ABB1: google_breakpad::LocalDebugInfoSymbolizer::FillSourceLineInfo(google_breakpad::CodeModules const*, google_breakpad::SystemInfo const*, google_breakpad::StackFrame*) (local_debug_info_symbolizer.cc:173)
   by 0x58D8C2B: google_breakpad::Stackwalker::Walk(google_breakpad::CallStack*, std::vector<google_breakpad::CodeModule const*, std::allocator<google_breakpad::CodeModule const*> >*, google_breakpad::Stackwalker::FrameAuditor*) (stackwalker.cc:100)
   by 0x7047CCC: do_breakpad_unwind_Buffer(PCandSP**, unsigned int*, _UnwinderThreadBuffer*, int) (UnwinderThread2.cpp:1969)

Invalid read of size 1
   at 0x82725AA: js::InflateString(js::ThreadSafeContext*, char const*, unsigned long*) (jsstr.cpp:3978)
   by 0x82775B1: JSFlatString* js_NewStringCopyN<(js::AllowGC)1>(js::ThreadSafeContext*, char const*, unsigned long) (jsstr.cpp:3689)
   by 0x810B334: JS_NewStringCopyN(JSContext*, char const*, unsigned long) (jsapi.cpp:5489)
   by 0x704B2F5: JSObjectBuilder::ArrayPush(JSCustomArray*, char const*) (JSObjectBuilder.cpp:105)
   by 0x70498FD: ThreadProfile::BuildJSObject(JSAObjectBuilder&, JSCustomObject*) (ProfileEntry.cpp:364)
   by 0x7043BA2: TableTicker::BuildJSObject(JSAObjectBuilder&, JSCustomObject*) (TableTicker.cpp:256)
   by 0x7043E8A: TableTicker::ToJSObject(JSContext*) (TableTicker.cpp:162)
   by 0x703F938: mozilla_sampler_get_profile_data(JSContext*) (platform.cpp:382)
   by 0x7041659: nsProfiler::GetProfileData(JSContext*, JS::Value*) (GeckoProfilerImpl.h:113)
   by 0x7793192: NS_InvokeByIndex (xptcinvoke_x86_64_unix.cpp:164)
   by 0x6BE41EB: CallMethodHelper::Call() (XPCWrappedNative.cpp:2805)
   by 0x6BE4B44: XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) (XPCWrappedNative.cpp:2109)
 Address 0x3a1af3c2 is 498 bytes inside a block of size 504 free'd
   at 0x480780A: free (vg_replace_malloc.c:468)
   by 0x481B196: moz_free (mozalloc.cpp:48)
   by 0x58BB9B5: std::_Deque_base<dwarf2reader::CallFrameInfo::RuleMap, std::allocator<dwarf2reader::CallFrameInfo::RuleMap> >::_M_destroy_nodes(dwarf2reader::CallFrameInfo::RuleMap**, dwarf2reader::CallFrameInfo::RuleMap**) (mozalloc.h:225)
   by 0x58BB9E6: std::_Deque_base<dwarf2reader::CallFrameInfo::RuleMap, std::allocator<dwarf2reader::CallFrameInfo::RuleMap> >::~_Deque_base() (stl_deque.h:566)
   by 0x58BE183: dwarf2reader::CallFrameInfo::Start() (stl_deque.h:907)
   by 0x58CA6EE: bool (anonymous namespace)::LoadDwarfCFI<google_breakpad::ElfClass64>(std::string const&, google_breakpad::ElfClass64::Ehdr const*, char const*, google_breakpad::ElfClass64::Shdr const*, bool, google_breakpad::ElfClass64::Shdr const*, google_breakpad::ElfClass64::Shdr const*, bool, google_breakpad::Module*) (dump_symbols.cc:350)
   by 0x58CC7C3: bool (anonymous namespace)::LoadSymbols<google_breakpad::ElfClass64>(std::string const&, bool, google_breakpad::ElfClass64::Ehdr const*, bool, (anonymous namespace)::LoadSymbolsInfo<google_breakpad::ElfClass64>*, SymbolData, google_breakpad::Module*) (dump_symbols.cc:682)
   by 0x58CF681: google_breakpad::ReadSymbolDataInternal(unsigned char const*, std::string const&, std::vector<std::string, std::allocator<std::string> > const&, SymbolData, google_breakpad::Module**) (dump_symbols.cc:878)
   by 0x58D00B7: google_breakpad::ReadSymbolData(std::string const&, std::vector<std::string, std::allocator<std::string> > const&, SymbolData, google_breakpad::Module**) (dump_symbols.cc:982)
   by 0x704ABB1: google_breakpad::LocalDebugInfoSymbolizer::FillSourceLineInfo(google_breakpad::CodeModules const*, google_breakpad::SystemInfo const*, google_breakpad::StackFrame*) (local_debug_info_symbolizer.cc:173)
   by 0x58D8C2B: google_breakpad::Stackwalker::Walk(google_breakpad::CallStack*, std::vector<google_breakpad::CodeModule const*, std::allocator<google_breakpad::CodeModule const*> >*, google_breakpad::Stackwalker::FrameAuditor*) (stackwalker.cc:100)
   by 0x7047CCC: do_breakpad_unwind_Buffer(PCandSP**, unsigned int*, _UnwinderThreadBuffer*, int) (UnwinderThread2.cpp:1969)
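A triage helper for memcheck output shaped like the reports above, added here as an example (it is not part of the bug or of Gecko): it separates the reads that land inside a free'd block from the one whose address is not stack'd, malloc'd or free'd, and flags when the block was released by code that shares no source file with the reader, which is what points at a dangling pointer into memory another subsystem has since reused rather than at the freeing code. The embedded sample is a constructed, trimmed copy of two of the four reports; Valgrind's usual "==PID==" line prefix is assumed absent, as on this page.

```python
import re
# Constructed sample (not the bug text as posted): two of its four reports with the frame
# lists trimmed; the "==PID==" prefix Valgrind normally prints is absent, as on the page.
SAMPLE = """\
Invalid read of size 1
   at 0x704B2E4: JSObjectBuilder::ArrayPush(JSCustomArray*, char const*) (JSObjectBuilder.cpp:105)
   by 0x70498FD: ThreadProfile::BuildJSObject(JSAObjectBuilder&, JSCustomObject*) (ProfileEntry.cpp:364)
 Address 0x18053ac0 is 80 bytes inside a block of size 260 free'd
   at 0x480780A: free (vg_replace_malloc.c:468)
   by 0x481B196: moz_free (mozalloc.cpp:48)
   by 0x76FE6CB: PL_DHashFreeTable (pldhash.cpp:89)
Invalid read of size 1
   at 0x82776A8: JSFlatString* js_NewStringCopyN<(js::AllowGC)1>(js::ThreadSafeContext*, char const*, unsigned long) (String-inl.h:36)
   by 0x704B2F5: JSObjectBuilder::ArrayPush(JSCustomArray*, char const*) (JSObjectBuilder.cpp:105)
 Address 0x8f1ba650 is not stack'd, malloc'd or (recently) free'd
"""

ERROR_RE = re.compile(r"^Invalid (read|write) of size (\d+)")
FRAME_RE = re.compile(r"^\s*(?:at|by)\s+0x[0-9A-Fa-f]+:\s+(.*)\s+\(([^()\s]+:\d+)\)$")
FREED_RE = re.compile(r"^\s*Address 0x[0-9A-Fa-f]+ is (\d+) bytes inside a block of size (\d+) free'd")
WILD_RE = re.compile(r"^\s*Address 0x[0-9A-Fa-f]+ is not stack'd, malloc'd or \(recently\) free'd")
ALLOCATOR = {"free", "moz_free"}  # wrapper frames that say nothing about who owned the block

def parse_valgrind(text):
    """Split memcheck output into reports, each with its access stack and, if any, freed-by stack."""
    reports, stack = [], None
    for line in text.splitlines():
        if m := ERROR_RE.match(line):
            reports.append({"kind": m.group(1), "size": int(m.group(2)), "access": [],
                            "freed_by": [], "block": None, "wild": False})
            stack = reports[-1]["access"]
        elif m := FREED_RE.match(line):
            reports[-1]["block"] = (int(m.group(1)), int(m.group(2)))  # (offset, block size)
            stack = reports[-1]["freed_by"]
        elif WILD_RE.match(line):
            reports[-1]["wild"] = True
        elif (m := FRAME_RE.match(line)) and stack is not None:
            stack.append((m.group(1), m.group(2)))  # (function, file:line)
    return reports

def triage(r):
    """Classify one report and name the first non-allocator frame that released the block."""
    if r["wild"] or r["block"] is None:
        return {"class": "wild-read" if r["wild"] else "unclassified", "owner": None, "cross_component": False}
    owner = next(((f, loc) for f, loc in r["freed_by"] if f not in ALLOCATOR), None)
    read_files = {loc.split(":")[0] for _, loc in r["access"]}
    free_files = {loc.split(":")[0] for _, loc in r["freed_by"]}
    # Releaser sharing no source file with the reader: a dangling pointer into reused memory.
    return {"class": "use-after-free", "owner": owner, "cross_component": not (read_files & free_files)}
```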
Blocks: 1329181

This code doesn't exist anymore, so I'll call this bug effectively fixed.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED