Closed Bug 1109554 Opened 9 years ago Closed 9 years ago

Mismatched free() / delete / delete [] in ots::ots_post_free

Categories

(Core :: Graphics: Text, defect)

34 Branch
x86_64
Windows 8
defect
Not set
normal


RESOLVED INVALID

People

(Reporter: mitchwharper, Unassigned)

Details

(Keywords: valgrind)

User Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Build ID: 20141126041045



Actual results:

==3123== Mismatched free() / delete / delete []
==3123==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3123==    by 0x40334D8: moz_free (mozalloc.cpp:46)
==3123==    by 0x9E05A0E: ots::ots_post_free(ots::OpenTypeFile*) (mozalloc.h:225)
==3123==    by 0x9E04040: ots::OTSContext::Process(ots::OTSStream*, unsigned char const*, unsigned long) (ots.cc:829)
==3123==    by 0x869D8D9: gfxProxyFontEntry::SanitizeOpenTypeData(gfxMixedFontFamily*, unsigned char const*, unsigned int, unsigned int&, bool) (gfxUserFontSet.cpp:238)
==3123==    by 0x869E464: gfxProxyFontEntry::LoadFont(gfxMixedFontFamily*, unsigned char const*, unsigned int&) (gfxUserFontSet.cpp:500)
==3123==    by 0x869F414: gfxUserFontSet::OnLoadComplete(gfxMixedFontFamily*, gfxProxyFontEntry*, unsigned char const*, unsigned int, tag_nsresult) (gfxUserFontSet.cpp:767)
==3123==    by 0x93C4190: nsFontFaceLoader::OnStreamComplete(nsIStreamLoader*, nsISupports*, tag_nsresult, unsigned int, unsigned char const*) (nsFontFaceLoader.cpp:219)
==3123==    by 0x7E3DA4E: nsStreamLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) (nsStreamLoader.cpp:101)
==3123==    by 0x90C476A: nsCORSListenerProxy::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) (nsCrossSiteListenerProxy.cpp:619)
==3123==    by 0x7F0CAC5: mozilla::net::nsHttpChannel::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) (nsHttpChannel.cpp:5203)
==3123==    by 0x7E26F8A: nsInputStreamPump::OnStateStop() (nsInputStreamPump.cpp:721)
==3123==  Address 0x37167550 is 0 bytes inside a block of size 110 alloc'd
==3123==    at 0x4C2B0E0: operator new(unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3123==    by 0x96FA8FF: std::vector<unsigned short, std::allocator<unsigned short> >::_M_default_append(unsigned long) (new_allocator.h:104)
==3123==    by 0x9E05E85: ots::ots_post_parse(ots::OpenTypeFile*, unsigned char const*, unsigned long) (stl_vector.h:667)
==3123==    by 0x9E02FF0: (anonymous namespace)::ProcessGeneric(ots::OpenTypeFile*, unsigned int, ots::OTSStream*, unsigned char const*, unsigned long, std::vector<(anonymous namespace)::OpenTypeTable, std::allocator<(anonymous namespace)::OpenTypeTable> > const&, ots::Buffer&) (ots.cc:590)
==3123==    by 0x9E04C27: ots::OTSContext::Process(ots::OTSStream*, unsigned char const*, unsigned long) (ots.cc:396)
==3123==    by 0x869D8D9: gfxProxyFontEntry::SanitizeOpenTypeData(gfxMixedFontFamily*, unsigned char const*, unsigned int, unsigned int&, bool) (gfxUserFontSet.cpp:238)
==3123==    by 0x869E464: gfxProxyFontEntry::LoadFont(gfxMixedFontFamily*, unsigned char const*, unsigned int&) (gfxUserFontSet.cpp:500)
==3123==    by 0x869F414: gfxUserFontSet::OnLoadComplete(gfxMixedFontFamily*, gfxProxyFontEntry*, unsigned char const*, unsigned int, tag_nsresult) (gfxUserFontSet.cpp:767)
==3123==    by 0x93C4190: nsFontFaceLoader::OnStreamComplete(nsIStreamLoader*, nsISupports*, tag_nsresult, unsigned int, unsigned char const*) (nsFontFaceLoader.cpp:219)
==3123==    by 0x7E3DA4E: nsStreamLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) (nsStreamLoader.cpp:101)
==3123==    by 0x90C476A: nsCORSListenerProxy::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) (nsCrossSiteListenerProxy.cpp:619)
==3123==    by 0x7F0CAC5: mozilla::net::nsHttpChannel::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) (nsHttpChannel.cpp:5203)
Component: Untriaged → Graphics: Text
Flags: needinfo?(jdaggett)
Product: Firefox → Core
Keywords: valgrind
Valgrind command: `G_SLICE=always-malloc valgrind --tool=memcheck --vex-iropt-register-updates=allregs-at-mem-access --smc-check=all-non-file ./firefox` on 34.0.5 release built for valgrind

Steps taken:
1. Start the browser
2. Open a new tab
3. Visit https://www.webrtc-experiment.com/RTCMultiConnection/MultiRTC/ in two separate tabs
4. Input the same room ID for both instances
5. Enable video and audio on the second tab, and allow access
6. Share my microphone and camera
7. Switch to other tab
8. Enable video and audio on first tab
9. Share camera and microphone
10. Preview camera from second user (this is where the first jump on uninitialized memory occurred)
11. Preview microphone from second user
12. Switch tabs
13. Preview camera and mic from first user
14. Exit browser
This is a spurious complaint; delete is actually called at http://mxr.mozilla.org/mozilla-release/source/gfx/ots/src/post.cc#183

182 void ots_post_free(OpenTypeFile *file) {
183   delete file->post;
184 }
This is puzzling. Is ots_post_free getting called twice? Does the same error occur for other tables in the font? The exact same pattern is used across OTS code so I would expect if it occurred for one table it should occur for others.

Jonathan, any ideas why 'post' table handling would be different?
Flags: needinfo?(jdaggett)
(In reply to John Daggett (:jtd) from comment #3)
> This is puzzling. Is ots_post_free getting called twice? Does the same error
> occur for other tables in the font? The exact same pattern is used across
> OTS code so I would expect if it occurred for one table it should occur for
> others.
> 
> Jonathan, any ideas why 'post' table handling would be different?

Nope. AFAICS either there's something broken in the mozalloc implementation of new/delete (but I don't see why that would affect only the 'post' table), or else valgrind is confused.
I believe jseward said errors like this are often spurious due to inlining of delete-calls-free.
Julian: given comment 2 and comment 5 is this bug invalid/worksforme? Or is there something to fix here?
Flags: needinfo?(jseward)
Yeah, this is a false positive.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Flags: needinfo?(jseward)
Resolution: --- → INVALID
Group: core-security
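As an added example (not code from this bug, from Mozilla or from OTS), here is a small Python triage script for memcheck "Mismatched free() / delete / delete []" reports like the one above. It pairs the free-side stack with the "alloc'd" stack, names the allocator family memcheck intercepted on each side, and flags the pattern the thread concludes is a false positive: the deallocation reaches free() through a malloc wrapper (moz_free) from a frame whose debug location is the wrapper's own header (mozalloc.h:225, i.e. an inlined operator delete), while the allocation was intercepted as operator new. The wrapper function names and the header name are assumptions taken from this report, not a Valgrind feature; the first embedded report is a trimmed copy of the one above, the second is constructed here to show a genuine new[]/delete mismatch for contrast.

```python
# Triage helper for memcheck "Mismatched free()" reports (added example).
# WRAPPER_FUNCS / WRAPPER_HEADERS are assumptions drawn from this bug report.
import re
from dataclasses import dataclass, field

WRAPPER_FUNCS = ("moz_free", "moz_malloc", "moz_xmalloc")  # assumed malloc/free wrappers
WRAPPER_HEADERS = ("mozalloc.h",)                          # header that inlines new/delete
PRELOAD = "vgpreload_memcheck"                             # valgrind's interceptor library
HEADER = "Mismatched free() / delete / delete []"
PID_RE = re.compile(r"^==\d+==\s?")
FRAME_RE = re.compile(r"^\s*(?:at|by)\s+0x[0-9A-Fa-f]+:\s+(.*)$")

# First report: trimmed from this bug. Second report: constructed for contrast.
SAMPLE_LOG = """\
==3123== Mismatched free() / delete / delete []
==3123==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3123==    by 0x40334D8: moz_free (mozalloc.cpp:46)
==3123==    by 0x9E05A0E: ots::ots_post_free(ots::OpenTypeFile*) (mozalloc.h:225)
==3123==    by 0x9E04040: ots::OTSContext::Process(ots::OTSStream*, unsigned char const*, unsigned long) (ots.cc:829)
==3123==  Address 0x37167550 is 0 bytes inside a block of size 110 alloc'd
==3123==    at 0x4C2B0E0: operator new(unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==3123==    by 0x96FA8FF: std::vector<unsigned short, std::allocator<unsigned short> >::_M_default_append(unsigned long) (new_allocator.h:104)
==3123==    by 0x9E05E85: ots::ots_post_parse(ots::OpenTypeFile*, unsigned char const*, unsigned long) (stl_vector.h:667)
==3123==
==4242== Mismatched free() / delete / delete []
==4242==    at 0x4C2C2E0: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4242==    by 0x400B12: release_buffer(char*) (buffer.cc:17)
==4242==  Address 0x5a1d040 is 0 bytes inside a block of size 64 alloc'd
==4242==    at 0x4C2B6F0: operator new[](unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4242==    by 0x400AD3: make_buffer(unsigned long) (buffer.cc:9)
"""


@dataclass
class Frame:
    func: str
    loc: str


def kind_of(func):
    """Map an intercepted function name to memcheck's allocator family."""
    for prefix, kind in (("operator new[]", "new[]"), ("operator new", "new"),
                         ("operator delete[]", "delete[]"), ("operator delete", "delete")):
        if func.startswith(prefix):
            return kind
    if func in ("malloc", "calloc", "realloc", "memalign", "posix_memalign"):
        return "malloc"
    return func  # "free" or anything unexpected


@dataclass
class Report:
    free_stack: list = field(default_factory=list)
    alloc_stack: list = field(default_factory=list)

    @property
    def dealloc_kind(self):
        return kind_of(self.free_stack[0].func) if self.free_stack else None

    @property
    def alloc_kind(self):
        return kind_of(self.alloc_stack[0].func) if self.alloc_stack else None

    @property
    def culprit(self):
        """First free-side frame that is neither valgrind's interceptor nor a wrapper."""
        for fr in self.free_stack:
            if PRELOAD not in fr.loc and fr.func not in WRAPPER_FUNCS:
                return fr
        return None


def parse_frame(text):
    m = FRAME_RE.match(text)
    if not m:
        return None
    rest = m.group(1)
    i = rest.rfind(" (")  # the location is the last parenthesised group; C++ signatures precede it
    return Frame(rest, "") if i < 0 else Frame(rest[:i], rest[i + 2:].rstrip(")"))


def parse_reports(log):
    reports, cur, side = [], None, None
    for raw in log.splitlines():
        line = PID_RE.sub("", raw)
        if line.strip() == HEADER:
            cur = Report()
            reports.append(cur)
            side = cur.free_stack
        elif cur is None:
            continue
        elif line.lstrip().startswith("Address ") and "alloc'd" in line:
            side = cur.alloc_stack      # frames that follow describe the allocation
        elif (fr := parse_frame(line)) is not None:
            side.append(fr)
        else:
            cur, side = None, None      # blank or unrelated line ends the report
    return reports


def classify(report):
    """'consistent', 'probable-false-positive' (inlined wrapper) or 'mismatch'."""
    if (report.alloc_kind, report.dealloc_kind) in {("malloc", "free"), ("new", "delete"), ("new[]", "delete[]")}:
        return "consistent"
    via_wrapper = any(fr.func in WRAPPER_FUNCS for fr in report.free_stack)
    inlined = any(fr.func not in WRAPPER_FUNCS and fr.loc.split(":")[0].endswith(WRAPPER_HEADERS)
                  for fr in report.free_stack)
    return "probable-false-positive" if via_wrapper and inlined else "mismatch"


def triage(log):
    lines = []
    for r in parse_reports(log):
        c = r.culprit
        where = f"{c.func} ({c.loc})" if c else "?"
        lines.append(f"{classify(r)}: alloc={r.alloc_kind} dealloc={r.dealloc_kind} at {where}")
    return lines


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_LOG)))
```

Run it on a full memcheck log (`python3 triage.py < valgrind.log` after swapping SAMPLE_LOG for stdin) and look only at the lines that are not probable-false-positive; for the report above the culprit frame is ots_post_free with a location inside mozalloc.h, which is exactly the inlined operator delete the thread identifies.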