Closed Bug 1109547 Opened 10 years ago Closed 9 years ago

Mismatched free() / delete / delete [] in webrtc::(anonymous namespace)::RemoteBitrateEstimatorSingleStream::UpdateEstimate

Categories

(Core :: WebRTC, defect)

Product:
Core
Component:
WebRTC
Version:
34 Branch
Platform:
x86_64
Windows 8
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: mitchwharper, Unassigned)

Details

(Keywords: valgrind) 

User Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Build ID: 20141126041045



Actual results:

==6262== Mismatched free() / delete / delete []
==6262==    at 0x4C2C2BC: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==6262==    by 0x972AEC8: webrtc::(anonymous namespace)::RemoteBitrateEstimatorSingleStream::UpdateEstimate(long) (new_allocator.h:110)
==6262==    by 0x972AEF7: webrtc::(anonymous namespace)::RemoteBitrateEstimatorSingleStream::Process() (remote_bitrate_estimator_single_stream.cc:132)
==6262==    by 0x970F69C: webrtc::ProcessThreadImpl::Process() (process_thread_impl.cc:172)
==6262==    by 0x970F6E8: webrtc::ProcessThreadImpl::Run(void*) (process_thread_impl.cc:133)
==6262==    by 0x974217A: webrtc::ThreadPosix::Run() (thread_posix.cc:379)
==6262==    by 0x974227E: StartThread (thread_posix.cc:106)
==6262==    by 0x4E3F181: start_thread (pthread_create.c:312)
==6262==    by 0x595E00C: clone (clone.S:111)
==6262==  Address 0x24089440 is 0 bytes inside a block of size 4 alloc'd
==6262==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==6262==    by 0x40334E6: moz_xmalloc (mozalloc.cpp:52)
==6262==    by 0x855D64B: std::vector<unsigned int, std::allocator<unsigned int> >::_M_default_append(unsigned long) (mozalloc.h:201)
==6262==    by 0x972AC20: webrtc::(anonymous namespace)::RemoteBitrateEstimatorSingleStream::GetSsrcs(std::vector<unsigned int, std::allocator<unsigned int> >*) const (stl_vector.h:667)
==6262==    by 0x972AEA3: webrtc::(anonymous namespace)::RemoteBitrateEstimatorSingleStream::UpdateEstimate(long) (remote_bitrate_estimator_single_stream.cc:181)
==6262==    by 0x972AEF7: webrtc::(anonymous namespace)::RemoteBitrateEstimatorSingleStream::Process() (remote_bitrate_estimator_single_stream.cc:132)
==6262==    by 0x970F69C: webrtc::ProcessThreadImpl::Process() (process_thread_impl.cc:172)
==6262==    by 0x970F6E8: webrtc::ProcessThreadImpl::Run(void*) (process_thread_impl.cc:133)
==6262==    by 0x974217A: webrtc::ThreadPosix::Run() (thread_posix.cc:379)
==6262==    by 0x974227E: StartThread (thread_posix.cc:106)
==6262==    by 0x4E3F181: start_thread (pthread_create.c:312)
==6262==    by 0x595E00C: clone (clone.S:111)
Component: Untriaged → WebRTC
Product: Firefox → Core
Keywords: valgrind
Valgrind command: `G_SLICE=always-malloc valgrind --tool=memcheck --vex-iropt-register-updates=allregs-at-mem-access --smc-check=all-non-file ./firefox` on 34.0.5 release built for valgrind

Steps taken:
1. Start the browser
2. Open a new tab
3. Visit https://www.webrtc-experiment.com/RTCMultiConnection/MultiRTC/ in two separate tabs
4. Input the same room ID for both instances
5. Enable video and audio on the second tab, and allow access
6. Share my microphone and camera
7. Switch to other tab
8. Enable video and audio on first tab
9. Share camera and microphone
10. Preview camera from second user (this is where the first jump on uninitialized memory occured)
11. Preview microphone from second user
12. Switch tabs
13. Preview camera and mic from first user
14. Exit browser
Is this valid or should it be closed like this other mismatches?
Flags: needinfo?(jseward)
Run with `G_SLICE=always-malloc valgrind --tool=memcheck --vex-iropt-register-updates=allregs-at-mem-access --smc-check=all-non-file --read-inline-info=yes --fullpath-after=/home/mitchell/484/mozilla-release ./firefox` to include inline info.

Looks like mozalloc new actually is being called, then a matching delete later down the line.

==5395== Thread 84 ProcessThread:
==5395== Mismatched free() / delete / delete []
==5395==    at 0x4C2C0F1: operator delete(void*) (/home/mitchell/484/firefox/valgrind/coregrind/m_replacemalloc/vg_replace_malloc.c:510)
==5395==    by 0x976998B: deallocate (/usr/include/c++/4.8/ext/new_allocator.h:110)
==5395==    by 0x976998B: _M_deallocate (/usr/include/c++/4.8/bits/stl_vector.h:174)
==5395==    by 0x976998B: ~_Vector_base (/usr/include/c++/4.8/bits/stl_vector.h:160)
==5395==    by 0x976998B: ~vector (/usr/include/c++/4.8/bits/stl_vector.h:416)
==5395==    by 0x976998B: webrtc::(anonymous namespace)::RemoteBitrateEstimatorSingleStream::UpdateEstimate(long) (/media/webrtc/trunk/webrtc/modules/remote_bitrate_estimator/remote_bitrate_estimator_single_stream.cc:182)
==5395==    by 0x97699F0: webrtc::(anonymous namespace)::RemoteBitrateEstimatorSingleStream::Process() (/media/webrtc/trunk/webrtc/modules/remote_bitrate_estimator/remote_bitrate_estimator_single_stream.cc:132)
==5395==    by 0x974E907: webrtc::ProcessThreadImpl::Process() (/media/webrtc/trunk/webrtc/modules/utility/source/process_thread_impl.cc:172)
==5395==    by 0x974E93C: webrtc::ProcessThreadImpl::Run(void*) (/media/webrtc/trunk/webrtc/modules/utility/source/process_thread_impl.cc:133)
==5395==    by 0x978039E: webrtc::ThreadPosix::Run() (/media/webrtc/trunk/webrtc/system_wrappers/source/thread_posix.cc:379)
==5395==    by 0x978045D: StartThread (/media/webrtc/trunk/webrtc/system_wrappers/source/thread_posix.cc:106)
==5395==    by 0x4E3E181: start_thread (/build/buildd/eglibc-2.19/nptl/pthread_create.c:312)
==5395==    by 0x595D00C: clone (/build/buildd/eglibc-2.19/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:111)
==5395==  Address 0x37b1e0f0 is 0 bytes inside a block of size 4 alloc'd
==5395==    at 0x4C2ABBD: malloc (/home/mitchell/484/firefox/valgrind/coregrind/m_replacemalloc/vg_replace_malloc.c:299)
==5395==    by 0x40344E6: moz_xmalloc (/memory/mozalloc/mozalloc.cpp:52)
==5395==    by 0x8547913: operator new (/ff-opt-g/gfx/2d/../../dist/include/mozilla/mozalloc.h:201)
==5395==    by 0x8547913: allocate (/usr/include/c++/4.8/ext/new_allocator.h:104)
==5395==    by 0x8547913: _M_allocate (/usr/include/c++/4.8/bits/stl_vector.h:168)
==5395==    by 0x8547913: std::vector<unsigned int, std::allocator<unsigned int> >::_M_default_append(unsigned long) (/usr/include/c++/4.8/bits/vector.tcc:549)
==5395==    by 0x97696F8: resize (/usr/include/c++/4.8/bits/stl_vector.h:667)
==5395==    by 0x97696F8: webrtc::(anonymous namespace)::RemoteBitrateEstimatorSingleStream::GetSsrcs(std::vector<unsigned int, std::allocator<unsigned int> >*) const (/media/webrtc/trunk/webrtc/modules/remote_bitrate_estimator/remote_bitrate_estimator_single_stream.cc:225)
==5395==    by 0x976996A: webrtc::(anonymous namespace)::RemoteBitrateEstimatorSingleStream::UpdateEstimate(long) (/media/webrtc/trunk/webrtc/modules/remote_bitrate_estimator/remote_bitrate_estimator_single_stream.cc:181)
==5395==    by 0x97699F0: webrtc::(anonymous namespace)::RemoteBitrateEstimatorSingleStream::Process() (/media/webrtc/trunk/webrtc/modules/remote_bitrate_estimator/remote_bitrate_estimator_single_stream.cc:132)
==5395==    by 0x974E907: webrtc::ProcessThreadImpl::Process() (/media/webrtc/trunk/webrtc/modules/utility/source/process_thread_impl.cc:172)
==5395==    by 0x974E93C: webrtc::ProcessThreadImpl::Run(void*) (/media/webrtc/trunk/webrtc/modules/utility/source/process_thread_impl.cc:133)
==5395==    by 0x978039E: webrtc::ThreadPosix::Run() (/media/webrtc/trunk/webrtc/system_wrappers/source/thread_posix.cc:379)
==5395==    by 0x978045D: StartThread (/media/webrtc/trunk/webrtc/system_wrappers/source/thread_posix.cc:106)
==5395==    by 0x4E3E181: start_thread (/build/buildd/eglibc-2.19/nptl/pthread_create.c:312)
==5395==    by 0x595D00C: clone (/build/buildd/eglibc-2.19/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:111)
Yes.  What you can now see, as a result of using --read-inline-info=yes,
is that new got inlined into its caller

  by 0x8547913: operator new (/ff-opt-g/gfx/2d/../../dist/include/mozilla/mozalloc.h:201)
  by 0x8547913: allocate (/usr/include/c++/4.8/ext/new_allocator.h:104)

(we know that because the program counter values are the same)

This renders it un-interceptable, and Memcheck sees only the call to
malloc.  Whereas the delete call didn't get inlined

  at 0x4C2C0F1: operator delete(void*) (/home/mitchell/484/firefox/valgrind/coregrind/m_replacemalloc/vg_replace_malloc.c:510)
  by 0x976998B: deallocate (/usr/include/c++/4.8/ext/new_allocator.h:110)

(hence different PCs) and so Memcheck sees it directly.

So this bug can be closed-as-invalid.
Flags: needinfo?(jseward)
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.