Closed Bug 815288 Opened 12 years ago Closed 9 years ago

Valgrind reports allocator mismatch in nsBufferedStream::Close()

Categories

(Core :: Networking, defect)

x86_64
Linux
defect
Not set
normal

Tracking

()

RESOLVED INVALID

People

(Reporter: bjacob, Unassigned)

References

Details

Running on linux 64bit in valgrind, with jemalloc ( https://blog.mozilla.org/jseward/2012/06/05/valgrind-now-supports-jemalloc-builds-directly/ ), I get this: ==29143== Mismatched free() / delete / delete [] ==29143== at 0x402AD2F: operator delete[](void*) (vg_replace_malloc.c:515) ==29143== by 0x6DABE05: nsBufferedStream::Close() (nsBufferedStreams.cpp:87) ==29143== by 0x6DABAD3: nsBufferedStream::~nsBufferedStream() (nsBufferedStreams.cpp:60) ==29143== by 0x6DAB536: nsBufferedInputStream::~nsBufferedInputStream() (in /hack/mozilla-central/obj-firefox-debug/toolkit/library/libxul.so) ==29143== by 0x6DAB569: nsBufferedInputStream::~nsBufferedInputStream() (nsBufferedStreams.h:73) ==29143== by 0x6DABC3D: nsBufferedStream::Release() (in /hack/mozilla-central/obj-firefox-debug/toolkit/library/libxul.so) ==29143== by 0x6DAC2DB: nsBufferedInputStream::Release() (nsBufferedStreams.cpp:249) ==29143== by 0x6D51D5E: nsCOMPtr_base::~nsCOMPtr_base() (nsCOMPtr.h:494) ==29143== by 0x75DAF2F: nsSyncLoadService::PushSyncStreamToListener(nsIInputStream*, nsIStreamListener*, nsIChannel*) (nsSyncLoadService.cpp:386) ==29143== by 0x732CD91: mozilla::css::Loader::LoadSheet(mozilla::css::SheetLoadData*, mozilla::css::StyleSheetState) (Loader.cpp:1426) ==29143== by 0x7330686: mozilla::css::Loader::LoadChildSheet(nsCSSStyleSheet*, nsIURI*, nsMediaList*, mozilla::css::ImportRule*) (Loader.cpp:2075) ==29143== by 0x73413D9: (anonymous namespace)::CSSParserImpl::ProcessImport(nsString const&, nsMediaList*, void (*)(mozilla::css::Rule*, void*), void*) (nsCSSParser.cpp:1933) ==29143== Address 0x5d62710 is 0 bytes inside a block of size 15,478 alloc'd ==29143== at 0x402C5DE: malloc (vg_replace_malloc.c:271) ==29143== by 0x4044099: moz_malloc (mozalloc.cpp:64) ==29143== by 0x6DAB3C8: operator new[](unsigned long, mozilla::fallible_t const&) (mozalloc.h:274) ==29143== by 0x6DABD73: nsBufferedStream::Init(nsISupports*, unsigned int) (nsBufferedStreams.cpp:76) ==29143== by 0x6DAC67A: nsBufferedInputStream::Init(nsIInputStream*, unsigned int) (nsBufferedStreams.cpp:285) ==29143== by 0x6EC4B3A: NS_NewBufferedInputStream(nsIInputStream**, nsIInputStream*, unsigned int) (nsNetUtil.h:1048) ==29143== by 0x75DACB4: nsSyncLoadService::PushSyncStreamToListener(nsIInputStream*, nsIStreamListener*, nsIChannel*) (nsSyncLoadService.cpp:348) ==29143== by 0x732CD91: mozilla::css::Loader::LoadSheet(mozilla::css::SheetLoadData*, mozilla::css::StyleSheetState) (Loader.cpp:1426) ==29143== by 0x7330686: mozilla::css::Loader::LoadChildSheet(nsCSSStyleSheet*, nsIURI*, nsMediaList*, mozilla::css::ImportRule*) (Loader.cpp:2075) ==29143== by 0x73413D9: (anonymous namespace)::CSSParserImpl::ProcessImport(nsString const&, nsMediaList*, void (*)(mozilla::css::Rule*, void*), void*) (nsCSSParser.cpp:1933) ==29143== by 0x7341217: (anonymous namespace)::CSSParserImpl::ParseImportRule(void (*)(mozilla::css::Rule*, void*), void*) (nsCSSParser.cpp:1904) ==29143== by 0x733FE29: (anonymous namespace)::CSSParserImpl::ParseAtRule(void (*)(mozilla::css::Rule*, void*), void*, bool) (nsCSSParser.cpp:1531) ==29143== Is Valgrind just being confused here by the operator new[](unsigned long, mozilla::fallible_t const&) ? Or is this real? Using Valgrind SVN r13059
> Is Valgrind just being confused here by the operator new[](unsigned long, > mozilla::fallible_t const&) ? Yes. > Or is this real? No. Problem has occurred because V expects the nothrow [] operator to be called 'operator new(unsigned long, std::nothrow_t const&)' (_ZnwmRKSt9nothrow_t when mangled). See coregrind/m_replacemalloc/vg_replacemalloc.c:327. It therefore fails to intercept the allocation call, which calls onwards in the normal way to moz_malloc and then plain malloc, which it does intercept. Hence it winds up believing (wrongly) that the block is allocated by malloc but freed by delete []. Not sure what the right fix is here. Is there a 'operator new(unsigned long, std::nothrow_t const&)' that got inlined somehow? Adding an intercept for 'new[](unsigned long, mozilla::fallible_t const&)' would fix it, but I am reluctant to add intercepts for mozilla-specific allocators in the stock V sources.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.