626068 - Mismatched free() / delete / delete [] @ mozilla::layers::LayerProgram::~LayerProgram() (LayerManagerOGLProgram.h:395) during startup

Status: RESOLVED FIXED

(Core :: Graphics, defect)

Description

[Bob Clary [:bc] (inactive)]

Testing cross fuzz on Mac with valgrind I saw this 4 times during startup before the cross fuzz page loaded. I haven't tried to reproduce yet. This was with a build from 2011-01-14

==66122== Mismatched free() / delete / delete []
==66122==    at 0x17712: operator delete(void*) (vg_replace_malloc.c:387)
==66122==    by 0xCBC63D0: BindingTable::~BindingTable() (in /System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/libGLProgrammability.dylib)
==66122==    by 0xCBCB28E: TGenericLinker::~TGenericLinker() (in /System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/libGLProgrammability.dylib)
==66122==    by 0xCB84B0B: ShDestruct (in /System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/libGLProgrammability.dylib)
==66122==    by 0x259E0286: gleFreeProgramObject (in /System/Library/Frameworks/OpenGL.framework/Versions/A/Resources/GLEngine.bundle/GLEngine)
==66122==    by 0x258E6B6E: gleDeleteHashNameAndObject (in /System/Library/Frameworks/OpenGL.framework/Versions/A/Resources/GLEngine.bundle/GLEngine)
==66122==    by 0x2594317D: glDeleteObjectARB_Exec (in /System/Library/Frameworks/OpenGL.framework/Versions/A/Resources/GLEngine.bundle/GLEngine)
==66122==    by 0xC98187D: glDeleteProgram (in /System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/libGL.dylib)
==66122==    by 0x52CB8DA: mozilla::gl::GLContext::fDeleteProgram(unsigned int) (GLContext.h:1958)
==66122==    by 0x64BD6EB: mozilla::layers::LayerManagerOGLProgram::~LayerManagerOGLProgram() (LayerManagerOGLProgram.h:136)
==66122==    by 0x64BD8FD: mozilla::layers::LayerProgram::~LayerProgram() (LayerManagerOGLProgram.h:395)
==66122==    by 0x64BDAA1: mozilla::layers::ColorTextureLayerProgram::~ColorTextureLayerProgram() (LayerManagerOGLProgram.h:507)
==66122==  Address 0x227dc980 is 0 bytes inside a block of size 512 alloc'd
==66122==    at 0x16EC5: operator new[](unsigned long) (vg_replace_malloc.c:305)
==66122==    by 0xCBC6680: BindingTable::BindingTable(unsigned int) (in /System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/libGLProgrammability.dylib)
==66122==    by 0xCBCB47E: TGenericLinker::TGenericLinker(int) (in /System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/libGLProgrammability.dylib)
==66122==    by 0xCBCB593: ConstructLinker(int) (in /System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/libGLProgrammability.dylib)
==66122==    by 0x259DFCC4: gleCreateProgramObject (in /System/Library/Frameworks/OpenGL.framework/Versions/A/Resources/GLEngine.bundle/GLEngine)
==66122==    by 0x25942FE4: glCreateProgramObjectARB_Exec (in /System/Library/Frameworks/OpenGL.framework/Versions/A/Resources/GLEngine.bundle/GLEngine)
==66122==    by 0xC9817E6: glCreateProgram (in /System/Library/Frameworks/OpenGL.framework/Versions/A/Libraries/libGL.dylib)
==66122==    by 0x52F13D0: mozilla::gl::GLContext::fCreateProgram() (GLContext.h:1914)
==66122==    by 0x64BCA66: mozilla::layers::LayerManagerOGLProgram::CreateProgram(char const*, char const*) (LayerManagerOGLProgram.h:277)
==66122==    by 0x64BCF9D: mozilla::layers::LayerProgram::Initialize(char const*, char const*) (LayerManagerOGLProgram.h:418)
==66122==    by 0x64BD0B0: mozilla::layers::ColorTextureLayerProgram::Initialize(char const*, char const*) (LayerManagerOGLProgram.h:526)
==66122==    by 0x64B7DE5: mozilla::layers::LayerManagerOGL::Initialize(mozilla::gl::GLContext*) (LayerManagerOGL.cpp:233)

Adding configure options from
/work/mozilla/builds/hg.mozilla.org/sisyphus/mozconfig/2.0.0/mozconfig-firefox-darwin-intel32-debug:
  --with-macos-sdk=/Developer/SDKs/MacOSX10.5.sdk
  --enable-application=browser
  --enable-debug
  --disable-optimize
  --enable-debug-symbols=-gdwarf-2
  --enable-libxul
  --disable-install-strip
  --enable-tests
  --enable-logrefcnt
  --with-valgrind=yes
  --enable-valgrind=yes
  --enable-accessibility
  --disable-installer
  --enable-official-branding

Comment 1

[Bob Clary [:bc] (inactive)]

fyi, this was reproducible on a fresh start loading a blank home page. The command used was:

valgrind --dsymutil=yes --tool=memcheck --smc-check=all --trace-children=yes --track-origins=yes ...

Found extension GL_ARB_texture_non_power_of_two
Found extension GL_ARB_pixel_buffer_object
Found extension GL_EXT_framebuffer_object
Found extension GL_ARB_texture_rectangle
Found extension GL_EXT_bgra
OpenGL vendor ('NVIDIA Corporation') recognized as: NVIDIA

Comment 2

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

Looks like a bug inside mac system libraries (and a potential memory leak too, if the thing its calling delete instead of delete[] on has destructors).

Comment 3

[Benjamin Smedberg]

Who wants to file a Radar ticket? Or maybe clegnitto knows the best person to email directly about the issue.

Comment 4

[Jesse Ruderman]

Allocator mismatches are usually not security holes.

Comment 5

[Josh Aas]

Filed Apple bug 11002645 about this.

Comment 6

[Josh Aas]

I don't think this needs to remain security-sensitive.

Comment 7

[Josh Aas]

Apple believes this bug was fixed in Mac OS X 10.7.3.

Comment 8

[Jesse Ruderman]

What about 10.6 -- unaffected, affected, fixed?

Comment 9

[Josh Aas]

No word from Apple on 10.6, the note I got only said they believed it was fixed in 10.7.

Comment 10

[Kelsey Gilbert [:jgilbert]]

If we still support 10.6, and we don't know if it's fixed, I wouldn't think we should mark this Fixed.

Comment 11

[Jesse Ruderman]

We're unlikely to work around this, except by adding 10.6-specific Valgrind suppressions.  It's Apple's bug and it's fixed on their current release.  So FIXED seems appropriate to me.

Comment 12

[Bob Clary [:bc] (inactive)]

Definitely not reproducible on 10.7.3. I can check a 10.6 machine during some idle time tomorrow.