Bug 1396361 - Avoid crashing when some system library calls malloc_zone_free(zone, NULL). r?njn
Some system libraries call malloc_zone_free directly instead of free,
and sometimes they do that with the wrong zone. When that happens, we
circle back, trying to find the right zone, and call malloc_zone_free
with the right one, but when we can't find one, we crash, which matches
what the system free() would do. Except in one case where the pointer
we're being passed is NULL, in which case we can't trace it back to any
zone, but shouldn't crash (system free() explicitly doesn't crash in
that case).
--- a/memory/build/zone.c
+++ b/memory/build/zone.c
@@ -148,16 +148,19 @@ zone_realloc(malloc_zone_t *zone, void *
static void
other_zone_free(malloc_zone_t* original_zone, void* ptr)
{
// Sometimes, system libraries call malloc_zone_* functions with the wrong
// zone (e.g. CoreFoundation does). In that case, we need to find the real
// one. We can't call libSystem's free directly because we're exporting
// free from libmozglue and we'd pick that one, so we manually find the
// right zone and free with it.
+ if (!ptr) {
+ return;
+ }
malloc_zone_t* zone = malloc_zone_from_ptr(ptr);
// The system allocator crashes voluntarily by default when a pointer can't
// be traced back to a zone. Do the same.
MOZ_RELEASE_ASSERT(zone);
MOZ_RELEASE_ASSERT(zone != original_zone);
return malloc_zone_free(zone, ptr);
}
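Review bot: The `if (!ptr) { return; }` added at the top of other_zone_free needs a one-line comment next to it explaining why NULL is exempt. The comment block directly above still describes the function as always tracing the pointer to its real zone, and the comment before `MOZ_RELEASE_ASSERT(zone);` says we deliberately crash like the system allocator when a pointer can't be traced, so a reader of the code alone will see the early return as contradicting both. Suggest something like `// free(NULL) is a no-op in the system allocator, and NULL can't be traced to any zone, so bail out here instead of asserting.` placed before the `if (!ptr)` so the rationale in the commit message also lives in the source.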