457223 - valgrind: "Invalid read of size 8" from jemalloc [@ arena_run_dalloc]

Status: RESOLVED WORKSFORME

(Core :: Memory Allocator, defect)

Description

[Mats Palmgren (inactive)]

valgrind: "Invalid read of size 8" from jemalloc [@ arena_run_dalloc]

STEPS TO REPRODUCE
1. Build Firefox (x86_64 Linux) with:
      ac_add_options --enable-jemalloc
      ac_add_options --with-valgrind
2. run Firefox

ACTUAL RESULTS
On startup I get this once:

==3791== Invalid read of size 8
==3791==    at 0x40B332: arena_run_dalloc (jemalloc.c:3476)
==3791==    by 0x40BA2C: arena_dalloc_small (jemalloc.c:4296)
==3791==    by 0x40BEB1: arena_dalloc (jemalloc.c:4394)
==3791==    by 0x40BFE8: idalloc (jemalloc.c:4410)
==3791==    by 0x40E75F: free (jemalloc.c:6211)
==3791==    by 0x8A157B8: (within /lib/libc-2.7.so)
==3791==    by 0xB56D400: (within /lib/libselinux.so.1)
==3791==    by 0xB56F021: (within /lib/libselinux.so.1)
==3791==    by 0xB560BBA: (within /lib/libselinux.so.1)
==3791==    by 0x7FEFFF587: ???
==3791==    by 0x400E165: (within /lib/ld-2.7.so)
==3791==    by 0x400E28D: (within /lib/ld-2.7.so)
==3791==    by 0x4000A99: (within /lib/ld-2.7.so)
==3791==    by 0x0: ???
==3791==    by 0x7FEFFF93A: ???
==3791==  Address 0xce02008 is 8 bytes after a block of size 8,192 alloc'd
==3791==    at 0x404698: arena_chunk_init (jemalloc.c:3187)
==3791==    by 0x40AABC: arena_run_alloc (jemalloc.c:3364)
==3791==    by 0x40ACA8: arena_bin_nonfull_run_get (jemalloc.c:3634)
==3791==    by 0x40CA2E: arena_bin_malloc_hard (jemalloc.c:3698)
==3791==    by 0x40CCE0: arena_malloc_small (jemalloc.c:3889)
==3791==    by 0x40CF99: arena_malloc (jemalloc.c:3963)
==3791==    by 0x40D8E6: imalloc (jemalloc.c:3975)
==3791==    by 0x40FE46: malloc (jemalloc.c:5984)
==3791==    by 0x8A15729: (within /lib/libc-2.7.so)
==3791==    by 0xB56D400: (within /lib/libselinux.so.1)
==3791==    by 0xB56F021: (within /lib/libselinux.so.1)
==3791==    by 0xB560BBA: (within /lib/libselinux.so.1)
==3791==    by 0x7FEFFF587: ???
==3791==    by 0x400E165: (within /lib/ld-2.7.so)
==3791==    by 0x400E28D: (within /lib/ld-2.7.so)
==3791==    by 0x4000A99: (within /lib/ld-2.7.so)
==3791==    by 0x0: ???
==3791==    by 0x7FEFFF93A: ???
==3791==

Comment 1

[Mats Palmgren (inactive)]

Attachment: Log file with MALLOC_OPTIONS=U

I recompiled jemalloc with "#undef MALLOC_PRODUCTION" and produced this
log file with MALLOC_OPTIONS=U.  It appears there was only one block
allocated so far and this is a valid free() of it.

Let me know if there is anything else I can do to help.

Comment 2

[Bob Clary [:bc] (inactive)]

on 32bit linux I see:

==444== Invalid read of size 4
==444==    at 0x80575F4: arena_run_dalloc (jemalloc.c:3630)
==444==    by 0x805A0E2: arena_dalloc_small (jemalloc.c:4450)
==444==    by 0x805A7E6: arena_dalloc (jemalloc.c:4548)
==444==    by 0x805A946: idalloc (jemalloc.c:4564)
==444==    by 0x805E0BE: free (jemalloc.c:6387)
==444==    by 0xC71F9F: (within /lib/libselinux.so.1)
==444==    by 0xC7457C: (within /lib/libselinux.so.1)
==444==    by 0xC628E3: (within /lib/libselinux.so.1)
==444==    by 0xA73BDB: call_init (in /lib/ld-2.10.1.so)
==444==    by 0xA73D40: _dl_init (in /lib/ld-2.10.1.so)
==444==    by 0xA6488E: (within /lib/ld-2.10.1.so)
==444==  Address 0x4706004 is not stack'd, malloc'd or (recently) free'd

Comment 3

[Samuel Sidler (old account; do not CC)]

We really need an owner here...

Comment 4

[Daniel Veditz [:dveditz]]

could this be related to the area_dalloc_small topcrash in bug 519356?

Comment 5

[Mats Palmgren (inactive)]

Daniel, I think they're unrelated; IIRC, this bug occurred extremely early
in the startup; whereas bug 519356 seems to involve allocation of some object
in Mozilla code.

I can't reproduce this bug anymore in a local trunk debug build, x86_64 Linux.

Bob, can you reproduce it?  If not, I think we can resolve it WFM.

Comment 6

[Bob Clary [:bc] (inactive)]

I think my running valgrind with jemalloc enabled resulted in bogus messages. I say lets WFM it.