Bug 1396361 - Avoid crashing when some system library calls malloc_zone_free(zone, NULL). r=njn
author: Mike Hommey <mh+mozilla@glandium.org>
date: Mon, 04 Sep 2017 07:32:42 +0900
changeset: 428188 488a3f27fb3506698d58361c8fcf691d4913661a
parent: 428187 8dfc55a89fc95f57714a94d263cc7fd68946d0ce
child: 428189 ee17f3b7ad64054aa566d6803652acca7f396d3e
push id: 7761
push user: jlund@mozilla.com
push date: Fri, 15 Sep 2017 00:19:52 +0000
reviewers: njn
bugs: 1396361
milestone: 57.0a1
Bug 1396361 - Avoid crashing when some system library calls malloc_zone_free(zone, NULL). r=njn

Some system libraries call malloc_zone_free directly instead of free, and sometimes they do that with the wrong zone. When that happens, we circle back, trying to find the right zone, and call malloc_zone_free with the right one, but when we can't find one, we crash, which matches what the system free() would do. Except in one case where the pointer we're being passed is NULL, in which case we can't trace it back to any zone, but shouldn't crash (system free() explicitly doesn't crash in that case).
memory/build/zone.c
--- a/memory/build/zone.c
+++ b/memory/build/zone.c
@@ -148,16 +148,19 @@ zone_realloc(malloc_zone_t *zone, void *
 static void
 other_zone_free(malloc_zone_t* original_zone, void* ptr)
 {
   // Sometimes, system libraries call malloc_zone_* functions with the wrong
   // zone (e.g. CoreFoundation does). In that case, we need to find the real
   // one. We can't call libSystem's free directly because we're exporting
   // free from libmozglue and we'd pick that one, so we manually find the
   // right zone and free with it.
+  if (!ptr) {
+    return;
+  }
   malloc_zone_t* zone = malloc_zone_from_ptr(ptr);
   // The system allocator crashes voluntarily by default when a pointer can't
   // be traced back to a zone. Do the same.
   MOZ_RELEASE_ASSERT(zone);
   MOZ_RELEASE_ASSERT(zone != original_zone);
   return malloc_zone_free(zone, ptr);
 }
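Review bot: the new `if (!ptr) return;` block sits right after a comment that only explains the wrong-zone case, so the reason for the early return (free(NULL) must be a no-op, and a NULL pointer can never be traced back to a zone by malloc_zone_from_ptr, which would otherwise trip the MOZ_RELEASE_ASSERT(zone) below) lives only in the commit message. Suggest a one-line comment on the check, e.g. `// free(NULL) is a no-op, and NULL can't be traced back to any zone.` so the intent survives in the code. Unrelated pre-existing style point: `return malloc_zone_free(zone, ptr);` returns a void expression from a void function; `malloc_zone_free(zone, ptr);` alone would be the more conventional form.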