26837 2009-06-30 05:53:43 -0700 Mismatched malloc()/delete in JSC::ParserArenaDeletable 2009-07-02 05:20:38 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) PC Linux RESOLVED DUPLICATE 26790 P2 Normal --- 0 martin.zoubek webkit-unassigned oldest_to_newest 129046 0 martin.zoubek 2009-06-30 05:53:43 -0700 When WebKit is compiled with USE_SYSTEM_MALLOC=1, valgrind reports a lot of errors when deleting instances of some classes in JavaScript parser, for example: ==28953== Mismatched free() / delete / delete [] ==28953== at 0x4A19BAC: operator delete(void*) (vg_replace_malloc.c:342) ==28953== by 0x4B55C74: JSC::SubNode::~SubNode() (Nodes.h:867) ==28953== by 0x4C1766D: void WTF::deleteAllValues<JSC::ParserArenaDeletable*, 0ul>(WTF::Vector<JSC::ParserArenaDeletable*, 0ul> const&) (Vector.h:940) ==28953== by 0x4C17423: JSC::ParserArena::~ParserArena() (ParserArena.cpp:35) ==28953== by 0x4C1519E: JSC::ScopeNodeData::~ScopeNodeData() (Nodes.h:1378) ==28953== by 0x4C151F1: void WTF::deleteOwnedPtr<JSC::ScopeNodeData>(JSC::ScopeNodeData*) (OwnPtrCommon.h:44) ==28953== by 0x4C1526F: WTF::OwnPtr<JSC::ScopeNodeData>::clear() (OwnPtr.h:63) ==28953== by 0x4C15296: JSC::ScopeNode::destroyData() (Nodes.h:1408) ==28953== by 0x4C01815: JSC::FunctionBodyNode::generateBytecode(JSC::ScopeChainNode*) (Nodes.cpp:2083) ==28953== by 0x4BCD5C1: JSC::FunctionBodyNode::bytecode(JSC::ScopeChainNode*) (Nodes.h:1584) ==28953== by 0x4C5DBB3: JSC::JSGlobalData::numericCompareFunction(JSC::ExecState*) (JSGlobalData.cpp:234) ==28953== by 0x4B9C680: JSC::BytecodeGenerator::generate() (BytecodeGenerator.cpp:156) ==28953== by 0x4C03829: JSC::ProgramNode::generateBytecode(JSC::ScopeChainNode*) (Nodes.cpp:1893) ==28953== by 0x4BCEE61: JSC::ProgramNode::bytecode(JSC::ScopeChainNode*) (Nodes.h:1476) ==28953== by 0x4BB9511: JSC::Interpreter::execute(JSC::ProgramNode*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*, JSC::JSValue*) (Interpreter.cpp:612) ==28953== by 0x4C3F699: JSC::evaluate(JSC::ExecState*, JSC::ScopeChain&, JSC::SourceCode const&, JSC::JSValue) (Completion.cpp:67) ==28953== by 0x4B5A2E8: JSEvaluateScript (JSBase.cpp:54) ==28953== by 0x400EC5: main (jstest.c:71) ==28953== Address 0x6c23e98 is 0 bytes inside a block of size 40 alloc'd ==28953== at 0x4A1A39B: malloc (vg_replace_malloc.c:207) ==28953== by 0x4CA79FA: WTF::fastMalloc(unsigned long) (FastMalloc.cpp:225) ==28953== by 0x4B59AA2: JSC::ParserArenaDeletable::operator new(unsigned long, JSC::JSGlobalData*) (NodeConstructors.h:32) ==28953== by 0x4B44C58: makeSubNode(void*, JSC::ExpressionNode*, JSC::ExpressionNode*, bool) (Grammar.y:2045) ==28953== by 0x4B48CEF: jscyyparse(void*) (Grammar.y:541) ==28953== by 0x4C17ABC: JSC::Parser::parse(JSC::JSGlobalData*, int*, JSC::UString*) (Parser.cpp:58) ==28953== by 0x4C17BD8: JSC::Parser::reparseInPlace(JSC::JSGlobalData*, JSC::FunctionBodyNode*) (Parser.cpp:76) ==28953== by 0x4C01654: JSC::FunctionBodyNode::generateBytecode(JSC::ScopeChainNode*) (Nodes.cpp:2072) ==28953== by 0x4BCD5C1: JSC::FunctionBodyNode::bytecode(JSC::ScopeChainNode*) (Nodes.h:1584) ==28953== by 0x4C5DBB3: JSC::JSGlobalData::numericCompareFunction(JSC::ExecState*) (JSGlobalData.cpp:234) ==28953== by 0x4B9C680: JSC::BytecodeGenerator::generate() (BytecodeGenerator.cpp:156) ==28953== by 0x4C03829: JSC::ProgramNode::generateBytecode(JSC::ScopeChainNode*) (Nodes.cpp:1893) ==28953== by 0x4BCEE61: JSC::ProgramNode::bytecode(JSC::ScopeChainNode*) (Nodes.h:1476) ==28953== by 0x4BB9511: JSC::Interpreter::execute(JSC::ProgramNode*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*, JSC::JSValue*) (Interpreter.cpp:612) ==28953== by 0x4C3F699: JSC::evaluate(JSC::ExecState*, JSC::ScopeChain&, JSC::SourceCode const&, JSC::JSValue) (Completion.cpp:67) ==28953== by 0x4B5A2E8: JSEvaluateScript (JSBase.cpp:54) ==28953== by 0x400EC5: main (jstest.c:71) Problem lies in class ParserArenaDeletable, which has overloaded operator new, which uses fastMalloc, but does not have overloaded operator delete. Attached patch fixes this problem. 129047 1 32057 martin.zoubek 2009-06-30 05:54:55 -0700 Created attachment 32057 WebKit-r45357-ParserArenaDeletable-malloc-free-mismatch.diff 129489 2 martin.zoubek 2009-07-02 05:20:38 -0700 *** This bug has been marked as a duplicate of 26790 *** 32057 2009-06-30 05:54:55 -0700 2009-06-30 05:54:55 -0700 WebKit-r45357-ParserArenaDeletable-malloc-free-mismatch.diff WebKit-r45357-ParserArenaDeletable-malloc-free-mismatch.diff text/plain 1907 martin.zoubek ZGlmZiAtTnJ1cCBXZWJLaXQtcjQ1MzU3LW9yaWcvSmF2YVNjcmlwdENvcmUvcGFyc2VyL05vZGVD b25zdHJ1Y3RvcnMuaCBXZWJLaXQtcjQ1MzU3L0phdmFTY3JpcHRDb3JlL3BhcnNlci9Ob2RlQ29u c3RydWN0b3JzLmgKLS0tIFdlYktpdC1yNDUzNTctb3JpZy9KYXZhU2NyaXB0Q29yZS9wYXJzZXIv Tm9kZUNvbnN0cnVjdG9ycy5oCTIwMDktMDYtMjUgMDk6MjI6NTYuMDAwMDAwMDAwICswMjAwCisr KyBXZWJLaXQtcjQ1MzU3L0phdmFTY3JpcHRDb3JlL3BhcnNlci9Ob2RlQ29uc3RydWN0b3JzLmgJ MjAwOS0wNi0zMCAxNDoxMjo0MS4wMDAwMDAwMDAgKzAyMDAKQEAgLTEsNSArMSw2IEBACiAvKgog ICogIENvcHlyaWdodCAoQykgMjAwOSBBcHBsZSBJbmMuIEFsbCByaWdodHMgcmVzZXJ2ZWQuCisg KiAgQ29weXJpZ2h0IChDKSAyMDA5IEFjaXNpb24gQlYuIEFsbCByaWdodHMgcmVzZXJ2ZWQuCiAg KgogICogIFRoaXMgbGlicmFyeSBpcyBmcmVlIHNvZnR3YXJlOyB5b3UgY2FuIHJlZGlzdHJpYnV0 ZSBpdCBhbmQvb3IKICAqICBtb2RpZnkgaXQgdW5kZXIgdGhlIHRlcm1zIG9mIHRoZSBHTlUgTGli cmFyeSBHZW5lcmFsIFB1YmxpYwpAQCAtMzksNiArNDAsMTEgQEAgbmFtZXNwYWNlIEpTQyB7CiAg ICAgICAgIHJldHVybiBmYXN0TWFsbG9jKHNpemUpOwogICAgIH0KIAorICAgIGlubGluZSB2b2lk IFBhcnNlckFyZW5hRGVsZXRhYmxlOjpvcGVyYXRvciBkZWxldGUodm9pZCogcCkKKyAgICB7CisJ ZmFzdEZyZWUocCk7CisgICAgfQorCiAgICAgaW5saW5lIFBhcnNlckFyZW5hUmVmQ291bnRlZDo6 UGFyc2VyQXJlbmFSZWZDb3VudGVkKEpTR2xvYmFsRGF0YSogZ2xvYmFsRGF0YSkKICAgICB7CiAg ICAgICAgIGdsb2JhbERhdGEtPnBhcnNlci0+YXJlbmEoKS5kZXJlZldpdGhBcmVuYShhZG9wdFJl Zih0aGlzKSk7CmRpZmYgLU5ydXAgV2ViS2l0LXI0NTM1Ny1vcmlnL0phdmFTY3JpcHRDb3JlL3Bh cnNlci9Ob2Rlcy5oIFdlYktpdC1yNDUzNTcvSmF2YVNjcmlwdENvcmUvcGFyc2VyL05vZGVzLmgK LS0tIFdlYktpdC1yNDUzNTctb3JpZy9KYXZhU2NyaXB0Q29yZS9wYXJzZXIvTm9kZXMuaAkyMDA5 LTA2LTI1IDA5OjIyOjU2LjAwMDAwMDAwMCArMDIwMAorKysgV2ViS2l0LXI0NTM1Ny9KYXZhU2Ny aXB0Q29yZS9wYXJzZXIvTm9kZXMuaAkyMDA5LTA2LTMwIDE0OjEyOjIyLjAwMDAwMDAwMCArMDIw MApAQCAtNSw2ICs1LDcgQEAKICAqICBDb3B5cmlnaHQgKEMpIDIwMDcgQ2FtZXJvbiBad2FyaWNo IChjd3p3YXJpY2hAdXdhdGVybG9vLmNhKQogICogIENvcHlyaWdodCAoQykgMjAwNyBNYWtzIE9y bG92aWNoCiAgKiAgQ29weXJpZ2h0IChDKSAyMDA3IEVyaWMgU2VpZGVsIDxlcmljQHdlYmtpdC5v cmc+CisgKiAgQ29weXJpZ2h0IChDKSAyMDA5IEFjaXNpb24gQlYuIEFsbCByaWdodHMgcmVzZXJ2 ZWQuCiAgKgogICogIFRoaXMgbGlicmFyeSBpcyBmcmVlIHNvZnR3YXJlOyB5b3UgY2FuIHJlZGlz dHJpYnV0ZSBpdCBhbmQvb3IKICAqICBtb2RpZnkgaXQgdW5kZXIgdGhlIHRlcm1zIG9mIHRoZSBH TlUgTGlicmFyeSBHZW5lcmFsIFB1YmxpYwpAQCAtMTA5LDYgKzExMCw4IEBAIG5hbWVzcGFjZSBK U0MgewogICAgICAgICAvLyBPYmplY3RzIGNyZWF0ZWQgd2l0aCB0aGlzIHZlcnNpb24gb2YgbmV3 IGFyZSBub3QgZGVsZXRlZCB3aGVuIHRoZSBhcmVuYSBpcyBkZWxldGVkLgogICAgICAgICAvLyBP dGhlciBhcnJhbmdlbWVudHMgbXVzdCBiZSBtYWRlLgogICAgICAgICB2b2lkKiBvcGVyYXRvciBu ZXcoc2l6ZV90KTsKKworICAgICAgICB2b2lkIG9wZXJhdG9yIGRlbGV0ZSh2b2lkKik7CiAgICAg fTsKIAogICAgIGNsYXNzIFBhcnNlckFyZW5hUmVmQ291bnRlZCA6IHB1YmxpYyBSZWZDb3VudGVk PFBhcnNlckFyZW5hUmVmQ291bnRlZD4gewo=