Closed
Bug 1109554
Opened 9 years ago
Closed 9 years ago
Mismatched free() / delete / delete [] in ots::ots_post_free
Categories
(Core :: Graphics: Text, defect)
RESOLVED
INVALID
People
(Reporter: mitchwharper, Unassigned)
Details
(Keywords: valgrind)
User Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Build ID: 20141126041045

Actual results:

==3123== Mismatched free() / delete / delete []
==3123==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3123==    by 0x40334D8: moz_free (mozalloc.cpp:46)
==3123==    by 0x9E05A0E: ots::ots_post_free(ots::OpenTypeFile*) (mozalloc.h:225)
==3123==    by 0x9E04040: ots::OTSContext::Process(ots::OTSStream*, unsigned char const*, unsigned long) (ots.cc:829)
==3123==    by 0x869D8D9: gfxProxyFontEntry::SanitizeOpenTypeData(gfxMixedFontFamily*, unsigned char const*, unsigned int, unsigned int&, bool) (gfxUserFontSet.cpp:238)
==3123==    by 0x869E464: gfxProxyFontEntry::LoadFont(gfxMixedFontFamily*, unsigned char const*, unsigned int&) (gfxUserFontSet.cpp:500)
==3123==    by 0x869F414: gfxUserFontSet::OnLoadComplete(gfxMixedFontFamily*, gfxProxyFontEntry*, unsigned char const*, unsigned int, tag_nsresult) (gfxUserFontSet.cpp:767)
==3123==    by 0x93C4190: nsFontFaceLoader::OnStreamComplete(nsIStreamLoader*, nsISupports*, tag_nsresult, unsigned int, unsigned char const*) (nsFontFaceLoader.cpp:219)
==3123==    by 0x7E3DA4E: nsStreamLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) (nsStreamLoader.cpp:101)
==3123==    by 0x90C476A: nsCORSListenerProxy::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) (nsCrossSiteListenerProxy.cpp:619)
==3123==    by 0x7F0CAC5: mozilla::net::nsHttpChannel::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) (nsHttpChannel.cpp:5203)
==3123==    by 0x7E26F8A: nsInputStreamPump::OnStateStop() (nsInputStreamPump.cpp:721)
==3123==  Address 0x37167550 is 0 bytes inside a block of size 110 alloc'd
==3123==    at 0x4C2B0E0: operator new(unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3123==    by 0x96FA8FF: std::vector<unsigned short, std::allocator<unsigned short> >::_M_default_append(unsigned long) (new_allocator.h:104)
==3123==    by 0x9E05E85: ots::ots_post_parse(ots::OpenTypeFile*, unsigned char const*, unsigned long) (stl_vector.h:667)
==3123==    by 0x9E02FF0: (anonymous namespace)::ProcessGeneric(ots::OpenTypeFile*, unsigned int, ots::OTSStream*, unsigned char const*, unsigned long, std::vector<(anonymous namespace)::OpenTypeTable, std::allocator<(anonymous namespace)::OpenTypeTable> > const&, ots::Buffer&) (ots.cc:590)
==3123==    by 0x9E04C27: ots::OTSContext::Process(ots::OTSStream*, unsigned char const*, unsigned long) (ots.cc:396)
==3123==    by 0x869D8D9: gfxProxyFontEntry::SanitizeOpenTypeData(gfxMixedFontFamily*, unsigned char const*, unsigned int, unsigned int&, bool) (gfxUserFontSet.cpp:238)
==3123==    by 0x869E464: gfxProxyFontEntry::LoadFont(gfxMixedFontFamily*, unsigned char const*, unsigned int&) (gfxUserFontSet.cpp:500)
==3123==    by 0x869F414: gfxUserFontSet::OnLoadComplete(gfxMixedFontFamily*, gfxProxyFontEntry*, unsigned char const*, unsigned int, tag_nsresult) (gfxUserFontSet.cpp:767)
==3123==    by 0x93C4190: nsFontFaceLoader::OnStreamComplete(nsIStreamLoader*, nsISupports*, tag_nsresult, unsigned int, unsigned char const*) (nsFontFaceLoader.cpp:219)
==3123==    by 0x7E3DA4E: nsStreamLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) (nsStreamLoader.cpp:101)
==3123==    by 0x90C476A: nsCORSListenerProxy::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) (nsCrossSiteListenerProxy.cpp:619)
==3123==    by 0x7F0CAC5: mozilla::net::nsHttpChannel::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) (nsHttpChannel.cpp:5203)
Updated•9 years ago
Component: Untriaged → Graphics: Text
Flags: needinfo?(jdaggett)
Product: Firefox → Core
Reporter
Comment 1•9 years ago
Valgrind command: `G_SLICE=always-malloc valgrind --tool=memcheck --vex-iropt-register-updates=allregs-at-mem-access --smc-check=all-non-file ./firefox` on 34.0.5 release built for valgrind

Steps taken:
1. Start the browser
2. Open a new tab
3. Visit https://www.webrtc-experiment.com/RTCMultiConnection/MultiRTC/ in two separate tabs
4. Input the same room ID for both instances
5. Enable video and audio on the second tab, and allow access
6. Share my microphone and camera
7. Switch to other tab
8. Enable video and audio on first tab
9. Share camera and microphone
10. Preview camera from second user (this is where the first jump on uninitialized memory occurred)
11. Preview microphone from second user
12. Switch tabs
13. Preview camera and mic from first user
14. Exit browser
Reporter
Comment 2•9 years ago
This is a spurious complaint, delete is actually called at http://mxr.mozilla.org/mozilla-release/source/gfx/ots/src/post.cc#183

182 void ots_post_free(OpenTypeFile *file) {
183   delete file->post;
184 }
Comment 3•9 years ago
This is puzzling. Is ots_post_free getting called twice? Does the same error occur for other tables in the font? The exact same pattern is used across OTS code so I would expect if it occurred for one table it should occur for others. Jonathan, any ideas why 'post' table handling would be different?
Flags: needinfo?(jdaggett)
Comment 4•9 years ago
(In reply to John Daggett (:jtd) from comment #3)
> This is puzzling. Is ots_post_free getting called twice? Does the same error
> occur for other tables in the font? The exact same pattern is used across
> OTS code so I would expect if it occurred for one table it should occur for
> others.
>
> Jonathan, any ideas why 'post' table handling would be different?

Nope. AFAICS either there's something broken in the mozalloc implementation of new/delete (but I don't see why that would affect only the 'post' table), or else valgrind is confused.
Reporter
Comment 5•9 years ago
I believe jseward said often errors like this are spurious due to inlining of delete-calls-free.
Comment 6•9 years ago
Julian: given comment 2 and comment 5 is this bug invalid/worksforme? Or is there something to fix here?
Flags: needinfo?(jseward)
Comment 7•9 years ago
Yeah, this is a false positive.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Flags: needinfo?(jseward)
Resolution: --- → INVALID
Updated•9 years ago
Group: core-security
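The delete-calls-free situation from comment 2 and comment 5, as an added example that is not code from this bug, from OTS or from mozalloc: an assumed stand-in for mozalloc's allocator replaces the global operators so that operator new is malloc() and operator delete is free(), and a constructed OpenTypePOST holding a std::vector<uint16_t> (55 entries, the 110-byte block in the report) is released with a plain delete exactly as ots_post_free does. The counters show every operator new is balanced by an operator delete, so the pairing is correct; once the compiler inlines that operator delete, the free() inside it is all that remains visible at the call site while the allocation was recorded through operator new, which is how a tool like valgrind ends up reporting a mismatch. All names below are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <vector>

// Assumed stand-in for mozalloc: replace the global allocation operators so
// operator new is malloc() and operator delete is free(); count each call.
static std::size_t g_new_calls = 0;
static std::size_t g_delete_calls = 0;

void* operator new(std::size_t size) {
    ++g_new_calls;
    void* p = std::malloc(size ? size : 1);
    if (!p) std::abort();
    return p;
}
void operator delete(void* p) noexcept {
    ++g_delete_calls;
    std::free(p);  // once inlined, this free() is all a tool sees at the call site
}
void operator delete(void* p, std::size_t) noexcept { operator delete(p); }

// Constructed stand-in for the OTS 'post' table: glyph-name indices live in a
// std::vector<uint16_t>, whose buffer std::allocator obtains via operator new
// (the "alloc'd" side of the valgrind report).
struct OpenTypePOST { std::vector<uint16_t> indices; };
struct OpenTypeFile { OpenTypePOST* post = nullptr; };
// Mirrors ots_post_parse: allocate the table object and grow its vector.
static void post_parse(OpenTypeFile* file, std::size_t num_glyphs) {
    file->post = new OpenTypePOST;
    file->post->indices.resize(num_glyphs);
}

// Mirrors ots_post_free (post.cc:183): a plain delete, which is correct here.
static void post_free(OpenTypeFile* file) {
    delete file->post;  // ~vector releases the buffer, then the object is freed
    file->post = nullptr;
}

struct Balance { std::size_t news; std::size_t deletes; };
// Run one parse/free cycle and report how many operator new and operator delete
// calls it made; equal counts mean nothing was released through the wrong path.
Balance run_post_cycle(std::size_t num_glyphs) {
    g_new_calls = g_delete_calls = 0;
    OpenTypeFile file;
    post_parse(&file, num_glyphs);
    post_free(&file);
    return Balance{g_new_calls, g_delete_calls};
}
```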