Freeing mismatched memory in free

VERIFIED FIXED

Status

()

Core
Networking: HTTP
--
critical
VERIFIED FIXED
16 years ago
16 years ago

People

(Reporter: stephend@netscape.com (gone - use stephen.donner@gmail.com instead), Assigned: dougt)

Tracking

Trunk
x86
Windows 2000
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

Here are the steps that I did:

1.  With mailnews, subscribe to 
news://news.mozilla.org/netscape.public.mozilla.mail-news.
2.  Once you downloaded the messages, quit (don't do this under Purify).
3.  In Purify, launch mozilla -news, and in the browser, 
type 'news://news.mozilla.org/netscape.public.mozilla.mail-news'.
4.  Wait for it to switch windows.
5.  Shut down the extra mail window (we don't focus the window you opened up in 
the 1st part of step #3.
6.  Lastly, shutdown the browser.

[E] FMM: Freeing mismatched memory in free {2 occurrences}
    Address 0x0a3c75b8 points into a C++ new block in heap 0x02720000
    Location of free attempt
    free           [MSVCRT.DLL]
    PR_Free        [prmem.c:498]
    ReleaseDestructorDestroyHandler [nsProxyRelease.h:59]
    
    static void PR_CALLBACK
    ReleaseDestructorDestroyHandler(PLEvent *self)
 => {
        PR_DELETE(self);
    }
    
    PL_DestroyEvent [plevent.c:633]
        printf("$$$ running avg (%d) \n", PR_IntervalToMilliseconds
(s_totalTime/s_eventCount));
    #endif
    
 =>     (*self->destructor)(self);
    }
    
    PR_IMPLEMENT(void)
    PL_HandleEvent [plevent.c:607]
        else {
          /* For asynchronous events, they're destroyed by the event-handler
             thread. See PR_PostSynchronousEvent. */
 =>       PL_DestroyEvent(self);
        }
    }
    #ifdef PL_POST_TIMINGS
    ???            [ip=0x04493b08]
    PL_ProcessPendingEvents [plevent.c:526]
            break;
    
          PR_LOG(event_lm, PR_LOG_DEBUG, ("$$$ processing event"));
 =>       PL_HandleEvent(event);
          PR_LOG(event_lm, PR_LOG_DEBUG, ("$$$ done processing event"));
        }
    
    nsEventQueueImpl::ProcessPendingEvents(void) [nsEventQueue.cpp:388]
        gEventQueueLogThread = PR_GetCurrentThread();
      }
    #endif
 =>   PL_ProcessPendingEvents(mEventQueue);
    
      // if we're no longer accepting events and there are still events in the
      // queue, then process remaining events.
    NS_ShutdownXPCOM [nsXPComInit.cpp:562]
        nsServiceManager::ShutdownGlobalServiceManager(nsnull);
    
        if (currentQ) {
 =>         currentQ->ProcessPendingEvents();
            currentQ = 0;
        }
    
    main           [nsAppRunner.cpp:1813]
    Allocation location
    new(UINT)      [MSVCRT.DLL]
    NS_ProxyRelease [nsProxyRelease.h:83]
          }
       }
    
 =>    PLEvent *ev = new PLEvent;
       if (!ev) {
          NS_ERROR("failed to allocate PLEvent");
          // we do not release doomed here since it may cause a delete on the 
the
    nsSocketRequest::OnStop(void) [nsSocketTransport.cpp:2680]
                    nsISupports* doomed = mContext.get();
                    NS_ADDREF(doomed);
                    mContext = 0;
 =>                 NS_ProxyRelease(mEventQ, doomed);
                }
                else {
                    mContext = 0;
    nsSocketWriteRequest::OnStop(void) [nsSocketTransport.cpp:2944]
    nsSocketWriteRequest::OnStop()
    {
        mProvider = 0;
 =>     return nsSocketRequest::OnStop();
    }
    
    //
    nsSocketTransport::CompleteAsyncRead(void) [nsSocketTransport.cpp:660]
        mReadRequest = nsnull;
    
        PR_ExitMonitor(mMonitor);
 =>     readRequest->OnStop();
        PR_EnterMonitor(mMonitor);
    
        NS_RELEASE(readRequest);
    nsSocketTransport::Process(short) [nsSocketTransport.cpp:499]
                        mHostName, mPort, this));
        
                    if (mReadRequest)
     =>                 CompleteAsyncRead();
        
                    if (mWriteRequest)
                        CompleteAsyncWrite();
    nsSocketTransportService::ProcessWorkQ(void) 
[nsSocketTransportService.cpp:306]
    nsSocketTransportService::Run(void) [nsSocketTransportService.cpp:552]
    nsThread::Main(void *) [nsThread.cpp:120]
    PR_NativeRunThread [pruthr.c:433]
    TlsSetValue    [KERNEL32.dll]
Summary: Freeing mismatched memory in free → Freeing mismatched memory in free

Comment 1

16 years ago
fallout from dougt's NS_ProxyRelease patch i suspect.
Assignee: darin → dougt
(Assignee)

Comment 2

16 years ago
yup.  patch coming up.
QA Contact: tever → stephend
(Assignee)

Comment 3

16 years ago
Created attachment 86287 [details] [diff] [review]
fixes up memory allocation/free mismatch

Comment 4

16 years ago
Comment on attachment 86287 [details] [diff] [review]
fixes up memory allocation/free mismatch

sr=darin
Attachment #86287 - Flags: superreview+
Ran your patch under Purify - it fixes this, thanks!
(Assignee)

Comment 6

16 years ago
Checking in nsProxyRelease.h;
/cvsroot/mozilla/xpcom/proxy/public/nsProxyRelease.h,v  <--  nsProxyRelease.h
new revision: 1.3; previous revision: 1.2
done
Status: NEW → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → FIXED
Verified - I really appreciate the quick turnaround on this!
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.