Mismatched malloc vs delete[] in mozilla::gfx::AlphaBoxBlur::~AlphaBoxBlur()

RESOLVED FIXED in mozilla18

Status


RESOLVED FIXED
6 years ago
6 years ago

People

(Reporter: jseward, Assigned: joe)

Tracking

Keywords: valgrind
Version: Trunk
Target Milestone: mozilla18
Hardware: ARM
OS: Android
Points: ---
Bug Flags: in-testsuite -

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
Seen on all Fennec startups on NexusS/ICS.  Could be construed as a potential crasher in some configurations since the allocating and freeing DSOs are different (libc.so to allocate, libstdc++.so to deallocate).

Mismatched free() / delete / delete []
   at 0x4805D28: operator delete[](void*) (vg_replace_malloc.c:527)
   by 0x3242E02F: mozilla::gfx::AlphaBoxBlur::~AlphaBoxBlur() (Blur.cpp:408)
   by 0x321FAB15: gfxAlphaBoxBlur::~gfxAlphaBoxBlur() (gfxBlur.cpp:23)
   by 0x319A8D39: nsTextFrame::PaintOneShadow(unsigned int, unsigned int, nsCSSShadowItem*, PropertyProvider*, nsRect const&, gfxPoint const&, gfxPoint const&, gfxContext*, unsigned int const&, nsCharClipDisplayItem::ClipEdges const&, int, gfxRect&) (nsCSSRendering.h:553)
   by 0x319A9BE1: nsTextFrame::PaintText(nsRenderingContext*, nsPoint, nsRect const&, nsCharClipDisplayItem const&, nsTextFrame::DrawPathCallbacks*) (nsTextFrameThebes.cpp:5885)
   by 0x319A9CA1: nsDisplayText::Paint(nsDisplayListBuilder*, nsRenderingContext*) (nsTextFrameThebes.cpp:4576)
   by 0x318F3C11: mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*) (FrameLayerBuilder.cpp:3238)
   by 0x3222F6FB: mozilla::layers::BasicTiledLayerBuffer::PaintThebes(mozilla::layers::BasicTiledThebesLayer*, nsIntRegion const&, nsIntRegion const&, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*) (BasicTiledThebesLayer.cpp:107)
   by 0x3222FB57: mozilla::layers::BasicTiledThebesLayer::PaintThebes(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) (BasicTiledThebesLayer.cpp:335)
   by 0x32226D9B: mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintContext&, gfxContext*) (BasicLayerManager.cpp:813)
   by 0x32226241: mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) (BasicLayerManager.cpp:920)
   by 0x32226D27: mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintContext&, gfxContext*) (BasicLayerManager.cpp:828)

 Address 0x2850c458 is 0 bytes inside a block of size 5,920 alloc'd
   at 0x4807648: malloc (vg_replace_malloc.c:273)
   by 0x3242E4A3: mozilla::gfx::AlphaBoxBlur::AlphaBoxBlur(mozilla::gfx::Rect const&, mozilla::gfx::IntSize const&, mozilla::gfx::IntSize const&, mozilla::gfx::Rect const*, mozilla::gfx::Rect const*) (Blur.cpp:384)
   by 0x321FA9EB: gfxAlphaBoxBlur::Init(gfxRect const&, nsIntSize const&, nsIntSize const&, gfxRect const*, gfxRect const*) (gfxBlur.cpp:52)
   by 0x3190BCFD: nsContextBoxBlur::Init(nsRect const&, int, int, int, gfxContext*, nsRect const&, gfxRect const*, unsigned int) (nsCSSRendering.cpp:4552)
   by 0x319A8BB9: nsTextFrame::PaintOneShadow(unsigned int, unsigned int, nsCSSShadowItem*, PropertyProvider*, nsRect const&, gfxPoint const&, gfxPoint const&, gfxContext*, unsigned int const&, nsCharClipDisplayItem::ClipEdges const&, int, gfxRect&) (nsTextFrameThebes.cpp:5353)
   by 0x319A9BE1: nsTextFrame::PaintText(nsRenderingContext*, nsPoint, nsRect const&, nsCharClipDisplayItem const&, nsTextFrame::DrawPathCallbacks*) (nsTextFrameThebes.cpp:5885)
   by 0x319A9CA1: nsDisplayText::Paint(nsDisplayListBuilder*, nsRenderingContext*) (nsTextFrameThebes.cpp:4576)
   by 0x318F3C11: mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*) (FrameLayerBuilder.cpp:3238)
   by 0x3222F6FB: mozilla::layers::BasicTiledLayerBuffer::PaintThebes(mozilla::layers::BasicTiledThebesLayer*, nsIntRegion const&, nsIntRegion const&, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*) (BasicTiledThebesLayer.cpp:107)
   by 0x3222FB57: mozilla::layers::BasicTiledThebesLayer::PaintThebes(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) (BasicTiledThebesLayer.cpp:335)
   by 0x32226D9B: mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintContext&, gfxContext*) (BasicLayerManager.cpp:813)
   by 0x32226241: mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) (BasicLayerManager.cpp:920)


// same again (truncated), complained about by V's DSO consistency checker

Mismatched DSOs: allocated by libc.so.*, freed by libstdc++*
   at 0x4805D28: operator delete[](void*) (vg_replace_malloc.c:527)
   by 0x3242E02F: mozilla::gfx::AlphaBoxBlur::~AlphaBoxBlur() (Blur.cpp:408)
   [...]
 Address 0x2850c458 is 0 bytes inside a block of size 5,920 alloc'd
   at 0x4807648: malloc (vg_replace_malloc.c:273)
   by 0x3242E4A3: mozilla::gfx::AlphaBoxBlur::AlphaBoxBlur(mozilla::gfx::Rect
   [...]
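The report above pairs a malloc() in the constructor with delete[] in the destructor, and flags both the family mismatch and the fact that the two calls resolve into different DSOs. As an added example (not Mozilla's code and not the attached patch), here is a toy allocation-pairing tracker that reports such a mismatch the way Valgrind does, next to a hypothetical BlurBuffer class whose unique_ptr deleter ties the buffer to free() so a destructor cannot pick the wrong release. AllocTracker, checkPairing and BlurBuffer are names assumed for this example.

```cpp
// Added example, not Mozilla code: a minimal allocation-pairing checker in the
// spirit of Valgrind's "Mismatched free() / delete / delete []" report, next to
// the RAII shape that makes the ~AlphaBoxBlur() mistake impossible by type.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <map>
#include <memory>
#include <new>
#include <string>

// The three allocation families; each must be released by its own partner.
enum class AllocKind { Malloc, New, NewArray };

static const char* name(AllocKind k, bool release) {
    switch (k) {
        case AllocKind::Malloc:   return release ? "free()"    : "malloc";
        case AllocKind::New:      return release ? "delete"    : "new";
        case AllocKind::NewArray: return release ? "delete []" : "new[]";
    }
    return "?";
}

// Registry of live blocks and the family that produced each one. Valgrind
// builds this by intercepting malloc/new/new[] process-wide; this toy
// tracker is told explicitly and never frees anything itself.
class AllocTracker {
public:
    void trackAlloc(void* p, std::size_t size, AllocKind k) { live_[p] = {size, k}; }

    // Returns "" when the release family matches the allocation family,
    // otherwise a Valgrind-style diagnostic. The block leaves the registry
    // either way, as the real release would have consumed it.
    std::string checkRelease(void* p, AllocKind releaseKind) {
        auto it = live_.find(p);
        if (it == live_.end()) return "Invalid free: address is not a live block";
        std::string report;
        if (it->second.kind != releaseKind) {
            report = std::string("Mismatched ") + name(releaseKind, true) +
                     ": block of size " + std::to_string(it->second.size) +
                     " alloc'd by " + name(it->second.kind, false);
        }
        live_.erase(it);
        return report;
    }

private:
    struct Record { std::size_t size; AllocKind kind; };
    std::map<void*, Record> live_;
};

static void* allocateAs(AllocKind k, std::size_t bytes) {
    switch (k) {
        case AllocKind::Malloc:   return std::malloc(bytes);
        case AllocKind::New:      return ::operator new(bytes);
        case AllocKind::NewArray: return new uint8_t[bytes];
    }
    return nullptr;
}

static void releaseAs(AllocKind k, void* p) {
    switch (k) {
        case AllocKind::Malloc:   std::free(p); break;
        case AllocKind::New:      ::operator delete(p); break;
        case AllocKind::NewArray: delete[] static_cast<uint8_t*>(p); break;
    }
}

// Allocate with one family, ask the tracker what releasing with another
// family would mean, then release with the CORRECT family. The mismatched
// release is only reported, never executed: executing it is undefined
// behaviour, and a likely crash when the two families live in different DSOs.
std::string checkPairing(AllocKind allocKind, AllocKind releaseKind, std::size_t bytes) {
    AllocTracker tracker;
    void* p = allocateAs(allocKind, bytes);
    tracker.trackAlloc(p, bytes, allocKind);
    std::string report = tracker.checkRelease(p, releaseKind);
    releaseAs(allocKind, p);
    return report;
}

// The fix by construction (hypothetical class, not Mozilla's): the deleter is
// part of the buffer's type, so no destructor can reach for delete[] on
// memory that came from malloc().
struct FreeDeleter { void operator()(void* p) const { std::free(p); } };

class BlurBuffer {
public:
    explicit BlurBuffer(std::size_t bytes)
        : size_(bytes), data_(static_cast<uint8_t*>(std::malloc(bytes))) {
        if (data_) std::memset(data_.get(), 0, bytes);
    }
    std::size_t size() const { return size_; }
    uint8_t* data() { return data_.get(); }

private:
    std::size_t size_;
    std::unique_ptr<uint8_t, FreeDeleter> data_;   // always released with free()
};

int main() {
    // 5,920 bytes is the block size from the Valgrind report in this bug.
    std::printf("%s\n", checkPairing(AllocKind::Malloc, AllocKind::NewArray, 5920).c_str());
    std::printf("correct pairing: [%s]\n", checkPairing(AllocKind::Malloc, AllocKind::Malloc, 5920).c_str());
    BlurBuffer buf(5920);
    std::printf("BlurBuffer holds %zu bytes\n", buf.size());
    return 0;
}
```

Build with a C++11 or later compiler (for example `g++ -std=c++17`). The first printf reproduces the shape of the report in this bug; the second shows the empty report for a matched pair. The tracker only models the family check, not the DSO check mentioned in the description, but the RAII shape addresses both: once the deleter is fixed to free(), the release call resolves into the same library that performed the allocation.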
(Assignee)

Updated

6 years ago
Component: Graphics: Layers → Graphics
(Assignee)

Comment 1

6 years ago
Created attachment 668285 [details] [diff] [review]
fix
Assignee: nobody → joe
Attachment #668285 - Flags: review?(jmuizelaar)
Attachment #668285 - Flags: review?(jmuizelaar) → review+
(Reporter)

Updated

6 years ago
Keywords: checkin-needed, valgrind

https://hg.mozilla.org/integration/mozilla-inbound/rev/9c483486bf39

Please make sure your patches contain all the needed commit information next time you request checkin. Makes life easier :)

Flags: in-testsuite-
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/9c483486bf39
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
(Assignee)

Comment 4

6 years ago
(In reply to Ryan VanderMeulen from comment #2)
> https://hg.mozilla.org/integration/mozilla-inbound/rev/9c483486bf39
> 
> Please make sure your patches contain all the needed commit information next
> time you request checkin. Makes life easier :)

I intended to check this in myself; Julian set checkin-needed and I didn't notice! :)
(Assignee)

Updated

6 years ago
Duplicate of this bug: 798568