Closed Bug 1109543 Opened 10 years ago Closed 10 years ago

Mismatched free() / delete / delete [] in webrtc::AudioConferenceMixerImpl::Init()

Categories

(Core :: WebRTC, defect)

Product:
Core
Component:
WebRTC
Version:
34 Branch
Platform:
x86_64
Windows 8
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: mitchwharper, Unassigned)

Details

(Keywords: valgrind) 

User Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Build ID: 20141126041045



Actual results:

==6262== Mismatched free() / delete / delete []
==6262==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==6262==    by 0x40334D8: moz_free (mozalloc.cpp:46)
==6262==    by 0x9269457: std::_Rb_tree<void*, std::pair<void* const, webrtc::Config::BaseOption*>, std::_Select1st<std::pair<void* const, webrtc::Config::BaseOption*> >, std::less<void*>, std::allocator<std::pair<void* const, webrtc::Config::BaseOption*> > >::_M_erase(std::_Rb_tree_node<std::pair<void* const, webrtc::Config::BaseOption*> >*) (new_allocator.h:110)
==6262==    by 0x9712ACC: webrtc::AudioConferenceMixerImpl::Init() (stl_tree.h:671)
==6262==    by 0x9712BCC: webrtc::AudioConferenceMixer::Create(int) (audio_conference_mixer_impl.cc:109)
==6262==    by 0x9753B33: webrtc::voe::OutputMixer::OutputMixer(unsigned int) (output_mixer.cc:120)
==6262==    by 0x9753CFB: webrtc::voe::OutputMixer::Create(webrtc::voe::OutputMixer*&, unsigned int) (output_mixer.cc:106)
==6262==    by 0x9755365: webrtc::voe::SharedData::SharedData(webrtc::Config const&) (shared_data.cc:37)
==6262==    by 0x9769A5E: webrtc::GetVoiceEngine(webrtc::Config const*, bool) (voice_engine_impl.h:142)
==6262==    by 0x9769E0A: webrtc::VoiceEngine::Create() (voice_engine_impl.cc:85)
==6262==    by 0x92689A1: mozilla::MediaEngineWebRTC::EnumerateAudioDevices(mozilla::MediaSourceType, nsTArray<nsRefPtr<mozilla::MediaEngineAudioSource> >*) (MediaEngineWebRTC.cpp:310)
==6262==    by 0x8E25EA0: nsTArray<nsCOMPtr<nsIMediaDevice> >* mozilla::GetSources<mozilla::MediaEngineAudioSource, mozilla::AudioTrackConstraintsN>(mozilla::MediaEngine*, mozilla::AudioTrackConstraintsN&, void (mozilla::MediaEngine::*)(mozilla::MediaSourceType, nsTArray<nsRefPtr<mozilla::MediaEngineAudioSource> >*), char const*) (MediaManager.cpp:923)
==6262==  Address 0x46443db0 is 0 bytes inside a block of size 48 alloc'd
==6262==    at 0x4C2B0E0: operator new(unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==6262==    by 0x97135E7: void webrtc::Config::Set<webrtc::ExperimentalAgc>(webrtc::ExperimentalAgc*) (new_allocator.h:104)
==6262==    by 0x97129F3: webrtc::AudioConferenceMixerImpl::Init() (audio_conference_mixer_impl.cc:149)
==6262==    by 0x9712BCC: webrtc::AudioConferenceMixer::Create(int) (audio_conference_mixer_impl.cc:109)
==6262==    by 0x9753B33: webrtc::voe::OutputMixer::OutputMixer(unsigned int) (output_mixer.cc:120)
==6262==    by 0x9753CFB: webrtc::voe::OutputMixer::Create(webrtc::voe::OutputMixer*&, unsigned int) (output_mixer.cc:106)
==6262==    by 0x9755365: webrtc::voe::SharedData::SharedData(webrtc::Config const&) (shared_data.cc:37)
==6262==    by 0x9769A5E: webrtc::GetVoiceEngine(webrtc::Config const*, bool) (voice_engine_impl.h:142)
==6262==    by 0x9769E0A: webrtc::VoiceEngine::Create() (voice_engine_impl.cc:85)
==6262==    by 0x92689A1: mozilla::MediaEngineWebRTC::EnumerateAudioDevices(mozilla::MediaSourceType, nsTArray<nsRefPtr<mozilla::MediaEngineAudioSource> >*) (MediaEngineWebRTC.cpp:310)
==6262==    by 0x8E25EA0: nsTArray<nsCOMPtr<nsIMediaDevice> >* mozilla::GetSources<mozilla::MediaEngineAudioSource, mozilla::AudioTrackConstraintsN>(mozilla::MediaEngine*, mozilla::AudioTrackConstraintsN&, void (mozilla::MediaEngine::*)(mozilla::MediaSourceType, nsTArray<nsRefPtr<mozilla::MediaEngineAudioSource> >*), char const*) (MediaManager.cpp:923)
==6262==    by 0x8E29EEB: mozilla::GetUserMediaDevicesTask::Run() (MediaManager.cpp:1379)
Component: Untriaged → WebRTC
Product: Firefox → Core
Flags: needinfo?(rjesup)
Keywords: valgrind
Valgrind command: `G_SLICE=always-malloc valgrind --tool=memcheck --vex-iropt-register-updates=allregs-at-mem-access --smc-check=all-non-file ./firefox` on Firefox 34.0.5 release

Steps taken:
1. Start the browser
2. Open a new tab
3. Visit https://www.webrtc-experiment.com/RTCMultiConnection/MultiRTC/ in two separate tabs
4. Input the same room ID for both instances
5. Enable video and audio on the second tab, and allow access
6. Share my microphone and camera
7. Switch to other tab
8. Enable video and audio on first tab
9. Share camera and microphone
10. Preview camera from second user (this is where the first jump on uninitialized memory occured)
11. Preview microphone from second user
12. Switch tabs
13. Preview camera and mic from first user
14. Exit browser
Flags: needinfo?(rjesup)
Reproducible in Firefox 37
Seems to be spurious, looking at the code delete is actually called at audio_conference_mixer_impl.cc:109

109        delete audioDevice;
Invalid, caused by differential inlining of new vs delete.
Please use --show-mismatched-frees=no for the time being.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
Group: core-security
You need to log in before you can comment on or make changes to this bug.