Bug 89358

If somebody has time to debug this, compile WebKit with --disable-fast-malloc.

Let's see if Mark has an insight into this. I think the problem is LLVMPipe is using free instead of delete for memory allocated with new?

What call is std::string::reserve making that results in malloc_printerr being called?

I'm guessing this would be useful. Valgrind output of the crash:

==16286== Invalid free() / delete / delete[] / realloc()
==16286==    at 0x4C2972C: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==16286==    by 0x20D445D7: std::string::reserve(unsigned long) (in /usr/lib/libstdc++.so.6.0.17)
==16286==    by 0x20D44864: std::string::append(char const*, unsigned long) (in /usr/lib/libstdc++.so.6.0.17)
==16286==    by 0x2611D1AD: llvm::operator+=(std::string&, llvm::StringRef) (StringRef.h:464)
==16286==    by 0x2618E2E4: llvm::sys::getHostTriple() (Host.inc:50)
==16286==    by 0x259B10F9: llvm::EngineBuilder::selectTarget(llvm::Module*, llvm::StringRef, llvm::StringRef, llvm::SmallVectorImpl<std::string> const&, llvm::Reloc::Model, llvm::CodeModel::Model, std::string*) (TargetSelect.cpp:38)
==16286==    by 0x259A251A: llvm::EngineBuilder::create() (ExecutionEngine.cpp:470)
==16286==    by 0x259B06DD: LLVMCreateJITCompilerForModule (ExecutionEngineBindings.cpp:129)
==16286==    by 0x259B07E9: LLVMCreateJITCompiler (ExecutionEngineBindings.cpp:162)
==16286==    by 0x25933194: init_gallivm_state (lp_bld_init.c:257)
==16286==    by 0x259334EB: gallivm_create (lp_bld_init.c:429)
==16286==    by 0x2588BA00: draw_create_context (draw_context.c:82)
==16286==  Address 0x274aa4d8 is not stack'd, malloc'd or (recently) free'd
==16286== 
==16286== Invalid free() / delete / delete[] / realloc()
==16286==    at 0x4C2972C: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==16286==    by 0x20D438CF: std::basic_string<char, std::char_traits<char>, std::allocator<char> >::~basic_string() (in /usr/lib/libstdc++.so.6.0.17)
==16286==    by 0x2618E3E0: llvm::sys::getHostTriple() (Host.inc:65)
==16286==    by 0x259B10F9: llvm::EngineBuilder::selectTarget(llvm::Module*, llvm::StringRef, llvm::StringRef, llvm::SmallVectorImpl<std::string> const&, llvm::Reloc::Model, llvm::CodeModel::Model, std::string*) (TargetSelect.cpp:38)
==16286==    by 0x259A251A: llvm::EngineBuilder::create() (ExecutionEngine.cpp:470)
==16286==    by 0x259B06DD: LLVMCreateJITCompilerForModule (ExecutionEngineBindings.cpp:129)
==16286==    by 0x259B07E9: LLVMCreateJITCompiler (ExecutionEngineBindings.cpp:162)
==16286==    by 0x25933194: init_gallivm_state (lp_bld_init.c:257)
==16286==    by 0x259334EB: gallivm_create (lp_bld_init.c:429)
==16286==    by 0x2588BA00: draw_create_context (draw_context.c:82)
==16286==    by 0x2588BAA8: draw_create (draw_context.c:116)
==16286==    by 0x255B99DB: nv50_create (nv50_context.c:146)
==16286==  Address 0x274a9380 is not stack'd, malloc'd or (recently) free'd
==16286== 
==16286== Invalid free() / delete / delete[] / realloc()
==16286==    at 0x4C2972C: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==16286==    by 0x20D438CF: std::basic_string<char, std::char_traits<char>, std::allocator<char> >::~basic_string() (in /usr/lib/libstdc++.so.6.0.17)
==16286==    by 0x259B112B: llvm::EngineBuilder::selectTarget(llvm::Module*, llvm::StringRef, llvm::StringRef, llvm::SmallVectorImpl<std::string> const&, llvm::Reloc::Model, llvm::CodeModel::Model, std::string*) (TargetSelect.cpp:38)
==16286==    by 0x259A251A: llvm::EngineBuilder::create() (ExecutionEngine.cpp:470)
==16286==    by 0x259B06DD: LLVMCreateJITCompilerForModule (ExecutionEngineBindings.cpp:129)
==16286==    by 0x259B07E9: LLVMCreateJITCompiler (ExecutionEngineBindings.cpp:162)
==16286==    by 0x25933194: init_gallivm_state (lp_bld_init.c:257)
==16286==    by 0x259334EB: gallivm_create (lp_bld_init.c:429)
==16286==    by 0x2588BA00: draw_create_context (draw_context.c:82)
==16286==    by 0x2588BAA8: draw_create (draw_context.c:116)
==16286==    by 0x255B99DB: nv50_create (nv50_context.c:146)
==16286==    by 0x2562A8E4: st_api_create_context (st_manager.c:631)
==16286==  Address 0x274ab6c8 is not stack'd, malloc'd or (recently) free'd
==16286== 
==16286== Invalid free() / delete / delete[] / realloc()
==16286==    at 0x4C2972C: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==16286==    by 0x20D438CF: std::basic_string<char, std::char_traits<char>, std::allocator<char> >::~basic_string() (in /usr/lib/libstdc++.so.6.0.17)
==16286==    by 0x259B16AD: llvm::Triple::~Triple() (Triple.h:41)
==16286==    by 0x25AA0571: createX86MCCodeGenInfo(llvm::StringRef, llvm::Reloc::Model, llvm::CodeModel::Model) (X86MCTargetDesc.cpp:375)
==16286==    by 0x25C6725B: llvm::Target::createMCCodeGenInfo(llvm::StringRef, llvm::Reloc::Model, llvm::CodeModel::Model) const (TargetRegistry.h:281)
==16286==    by 0x25C65080: llvm::LLVMTargetMachine::LLVMTargetMachine(llvm::Target const&, llvm::StringRef, llvm::StringRef, llvm::StringRef, llvm::Reloc::Model, llvm::CodeModel::Model) (LLVMTargetMachine.cpp:115)
==16286==    by 0x259B1A9B: llvm::X86TargetMachine::X86TargetMachine(llvm::Target const&, llvm::StringRef, llvm::StringRef, llvm::StringRef, llvm::Reloc::Model, llvm::CodeModel::Model, bool) (X86TargetMachine.cpp:73)
==16286==    by 0x259B1977: llvm::X86_64TargetMachine::X86_64TargetMachine(llvm::Target const&, llvm::StringRef, llvm::StringRef, llvm::StringRef, llvm::Reloc::Model, llvm::CodeModel::Model) (X86TargetMachine.cpp:61)
==16286==    by 0x259B3489: llvm::RegisterTargetMachine<llvm::X86_64TargetMachine>::Allocator(llvm::Target const&, llvm::StringRef, llvm::StringRef, llvm::StringRef, llvm::Reloc::Model, llvm::CodeModel::Model) (TargetRegistry.h:1015)
==16286==    by 0x259B15C0: llvm::Target::createTargetMachine(llvm::StringRef, llvm::StringRef, llvm::StringRef, llvm::Reloc::Model, llvm::CodeModel::Model) const (TargetRegistry.h:337)
==16286==    by 0x259B1478: llvm::EngineBuilder::selectTarget(llvm::Module*, llvm::StringRef, llvm::StringRef, llvm::SmallVectorImpl<std::string> const&, llvm::Reloc::Model, llvm::CodeModel::Model, std::string*) (TargetSelect.cpp:90)
==16286==    by 0x259A251A: llvm::EngineBuilder::create() (ExecutionEngine.cpp:470)
==16286==  Address 0x274ab620 is not stack'd, malloc'd or (recently) free'd
==16286== 
==16286== Invalid free() / delete / delete[] / realloc()
==16286==    at 0x4C2972C: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==16286==    by 0x20D438CF: std::basic_string<char, std::char_traits<char>, std::allocator<char> >::~basic_string() (in /usr/lib/libstdc++.so.6.0.17)
==16286==    by 0x259B16AD: llvm::Triple::~Triple() (Triple.h:41)
==16286==    by 0x25AA03E0: createX86MCAsmInfo(llvm::Target const&, llvm::StringRef) (X86MCTargetDesc.cpp:326)
==16286==    by 0x25C6720E: llvm::Target::createMCAsmInfo(llvm::StringRef) const (TargetRegistry.h:272)
==16286==    by 0x25C6509F: llvm::LLVMTargetMachine::LLVMTargetMachine(llvm::Target const&, llvm::StringRef, llvm::StringRef, llvm::StringRef, llvm::Reloc::Model, llvm::CodeModel::Model) (LLVMTargetMachine.cpp:116)
==16286==    by 0x259B1A9B: llvm::X86TargetMachine::X86TargetMachine(llvm::Target const&, llvm::StringRef, llvm::StringRef, llvm::StringRef, llvm::Reloc::Model, llvm::CodeModel::Model, bool) (X86TargetMachine.cpp:73)
==16286==    by 0x259B1977: llvm::X86_64TargetMachine::X86_64TargetMachine(llvm::Target const&, llvm::StringRef, llvm::StringRef, llvm::StringRef, llvm::Reloc::Model, llvm::CodeModel::Model) (X86TargetMachine.cpp:61)
==16286==    by 0x259B3489: llvm::RegisterTargetMachine<llvm::X86_64TargetMachine>::Allocator(llvm::Target const&, llvm::StringRef, llvm::StringRef, llvm::StringRef, llvm::Reloc::Model, llvm::CodeModel::Model) (TargetRegistry.h:1015)
==16286==    by 0x259B15C0: llvm::Target::createTargetMachine(llvm::StringRef, llvm::StringRef, llvm::StringRef, llvm::Reloc::Model, llvm::CodeModel::Model) const (TargetRegistry.h:337)
==16286==    by 0x259B1478: llvm::EngineBuilder::selectTarget(llvm::Module*, llvm::StringRef, llvm::StringRef, llvm::SmallVectorImpl<std::string> const&, llvm::Reloc::Model, llvm::CodeModel::Model, std::string*) (TargetSelect.cpp:90)
==16286==    by 0x259A251A: llvm::EngineBuilder::create() (ExecutionEngine.cpp:470)
==16286==  Address 0x274ab5e8 is not stack'd, malloc'd or (recently) free'd
==16286== 
==16286== Invalid free() / delete / delete[] / realloc()
==16286==    at 0x4C2972C: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==16286==    by 0x20D438CF: std::basic_string<char, std::char_traits<char>, std::allocator<char> >::~basic_string() (in /usr/lib/libstdc++.so.6.0.17)
==16286==    by 0x259B16AD: llvm::Triple::~Triple() (Triple.h:41)
==16286==    by 0x25A9FC59: llvm::X86_MC::getDwarfRegFlavour(llvm::StringRef, bool) (X86MCTargetDesc.cpp:134)
==16286==    by 0x25A690A6: llvm::X86RegisterInfo::X86RegisterInfo(llvm::X86TargetMachine&, llvm::TargetInstrInfo const&) (X86RegisterInfo.cpp:59)
==16286==    by 0x25A500BB: llvm::X86InstrInfo::X86InstrInfo(llvm::X86TargetMachine&) (X86InstrInfo.cpp:93)
==16286==    by 0x259B19D7: llvm::X86_64TargetMachine::X86_64TargetMachine(llvm::Target const&, llvm::StringRef, llvm::StringRef, llvm::StringRef, llvm::Reloc::Model, llvm::CodeModel::Model) (X86TargetMachine.cpp:61)
==16286==    by 0x259B3489: llvm::RegisterTargetMachine<llvm::X86_64TargetMachine>::Allocator(llvm::Target const&, llvm::StringRef, llvm::StringRef, llvm::StringRef, llvm::Reloc::Model, llvm::CodeModel::Model) (TargetRegistry.h:1015)
==16286==    by 0x259B15C0: llvm::Target::createTargetMachine(llvm::StringRef, llvm::StringRef, llvm::StringRef, llvm::Reloc::Model, llvm::CodeModel::Model) const (TargetRegistry.h:337)
==16286==    by 0x259B1478: llvm::EngineBuilder::selectTarget(llvm::Module*, llvm::StringRef, llvm::StringRef, llvm::SmallVectorImpl<std::string> const&, llvm::Reloc::Model, llvm::CodeModel::Model, std::string*) (TargetSelect.cpp:90)
==16286==    by 0x259A251A: llvm::EngineBuilder::create() (ExecutionEngine.cpp:470)
==16286==    by 0x259B06DD: LLVMCreateJITCompilerForModule (ExecutionEngineBindings.cpp:129)
==16286==  Address 0x274ab540 is not stack'd, malloc'd or (recently) free'd
==16286== 
==16286== Invalid free() / delete / delete[] / realloc()
==16286==    at 0x4C2972C: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==16286==    by 0x20D438CF: std::basic_string<char, std::char_traits<char>, std::allocator<char> >::~basic_string() (in /usr/lib/libstdc++.so.6.0.17)
==16286==    by 0x259B16AD: llvm::Triple::~Triple() (Triple.h:41)
==16286==    by 0x259B1498: llvm::EngineBuilder::selectTarget(llvm::Module*, llvm::StringRef, llvm::StringRef, llvm::SmallVectorImpl<std::string> const&, llvm::Reloc::Model, llvm::CodeModel::Model, std::string*) (TargetSelect.cpp:92)
==16286==    by 0x259A251A: llvm::EngineBuilder::create() (ExecutionEngine.cpp:470)
==16286==    by 0x259B06DD: LLVMCreateJITCompilerForModule (ExecutionEngineBindings.cpp:129)
==16286==    by 0x259B07E9: LLVMCreateJITCompiler (ExecutionEngineBindings.cpp:162)
==16286==    by 0x25933194: init_gallivm_state (lp_bld_init.c:257)
==16286==    by 0x259334EB: gallivm_create (lp_bld_init.c:429)
==16286==    by 0x2588BA00: draw_create_context (draw_context.c:82)
==16286==    by 0x2588BAA8: draw_create (draw_context.c:116)
==16286==    by 0x255B99DB: nv50_create (nv50_context.c:146)
==16286==  Address 0x274ab690 is not stack'd, malloc'd or (recently) free'd

the C++ string stuff is calling operator delete, however it calls the delete from libstdc++, but operator new is pointing to the one from webkitgtk3.

I do wonder if its a bug in the linker but I have to find someone who knows how the linker should work first.

LD_DEBUG=true gnome-control-center prints out a very long log (135MB here).

but in it you can see where it binds the mangled "operater new" _Znam to libwebkitgtk and the mangled "operator delete" _ZdlPv to libstdc++, as the symbols are lazily resolved. LD_BIND_NOW also works around it.

I've noticed the QT version avoids replacing  the global malloc so maybe the gtk version should do the same.

(In reply to comment #6)
> I've noticed the QT version avoids replacing  the global malloc so maybe the gtk version should do the same.

Agreed here, I don't see any reason why we would want to do this. Just a matter of adding GTK to the global fastmalloc new thing in Platform.h I guess.

Created attachment 148142 [details]
Patch

Created attachment 148145 [details]
Patch

Comment on attachment 148145 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=148145&action=review

> Source/WTF/wtf/Platform.h:778
> -#if PLATFORM(QT)
> -/* We must not customize the global operator new and delete for the Qt port. */
> +#if PLATFORM(QT) || PLATFORM(GTK)
>  #define ENABLE_GLOBAL_FASTMALLOC_NEW 0
>  #if !OS(UNIX)
>  #define USE_SYSTEM_MALLOC 1

This also has the side effect of turning off TcMalloc for Windows...

*** Bug 89469 has been marked as a duplicate of this bug. ***

(In reply to comment #10)
 > Source/WTF/wtf/Platform.h:778
> > -#if PLATFORM(QT)
> > -/* We must not customize the global operator new and delete for the Qt port. */
> > +#if PLATFORM(QT) || PLATFORM(GTK)
> >  #define ENABLE_GLOBAL_FASTMALLOC_NEW 0
> >  #if !OS(UNIX)
> >  #define USE_SYSTEM_MALLOC 1
> 
> This also has the side effect of turning off TcMalloc for Windows...

So that would be an r-, no?

(In reply to comment #12)

> So that would be an r-, no?

I wasn't sure in this case if it was an accident or not.

I assumed this would make sense for us if it makes sense for Qt. We can add a separate ifdef if it's not desirable, though.

(In reply to comment #14)
> I assumed this would make sense for us if it makes sense for Qt. We can add a separate ifdef if it's not desirable, though.

It's probably safe either way, but perhaps for completeness it might be good to understand why Qt turns it off for Windows. Doesn't Safari use TCMalloc on Windows?

(In reply to comment #15)

> It's probably safe either way, but perhaps for completeness it might be good to understand why Qt turns it off for Windows. Doesn't Safari use TCMalloc on Windows?

In fact, it might be best to only disable global new/delete override for GTK+ now and think about whether to disable TCMalloc completely for non-Unix platforms later.

Created attachment 148772 [details]
Patch

Sure, makes sense =)

Comment on attachment 148772 [details]
Patch

Thanks!

Committed r121018: <http://trac.webkit.org/changeset/121018>