When WebKit is compiled with USE_SYSTEM_MALLOC=1, valgrind reports a lot of errors when deleting instances of some classes in JavaScript parser, for example: ==28953== Mismatched free() / delete / delete [] ==28953== at 0x4A19BAC: operator delete(void*) (vg_replace_malloc.c:342) ==28953== by 0x4B55C74: JSC::SubNode::~SubNode() (Nodes.h:867) ==28953== by 0x4C1766D: void WTF::deleteAllValues<JSC::ParserArenaDeletable*, 0ul>(WTF::Vector<JSC::ParserArenaDeletable*, 0ul> const&) (Vector.h:940) ==28953== by 0x4C17423: JSC::ParserArena::~ParserArena() (ParserArena.cpp:35) ==28953== by 0x4C1519E: JSC::ScopeNodeData::~ScopeNodeData() (Nodes.h:1378) ==28953== by 0x4C151F1: void WTF::deleteOwnedPtr<JSC::ScopeNodeData>(JSC::ScopeNodeData*) (OwnPtrCommon.h:44) ==28953== by 0x4C1526F: WTF::OwnPtr<JSC::ScopeNodeData>::clear() (OwnPtr.h:63) ==28953== by 0x4C15296: JSC::ScopeNode::destroyData() (Nodes.h:1408) ==28953== by 0x4C01815: JSC::FunctionBodyNode::generateBytecode(JSC::ScopeChainNode*) (Nodes.cpp:2083) ==28953== by 0x4BCD5C1: JSC::FunctionBodyNode::bytecode(JSC::ScopeChainNode*) (Nodes.h:1584) ==28953== by 0x4C5DBB3: JSC::JSGlobalData::numericCompareFunction(JSC::ExecState*) (JSGlobalData.cpp:234) ==28953== by 0x4B9C680: JSC::BytecodeGenerator::generate() (BytecodeGenerator.cpp:156) ==28953== by 0x4C03829: JSC::ProgramNode::generateBytecode(JSC::ScopeChainNode*) (Nodes.cpp:1893) ==28953== by 0x4BCEE61: JSC::ProgramNode::bytecode(JSC::ScopeChainNode*) (Nodes.h:1476) ==28953== by 0x4BB9511: JSC::Interpreter::execute(JSC::ProgramNode*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*, JSC::JSValue*) (Interpreter.cpp:612) ==28953== by 0x4C3F699: JSC::evaluate(JSC::ExecState*, JSC::ScopeChain&, JSC::SourceCode const&, JSC::JSValue) (Completion.cpp:67) ==28953== by 0x4B5A2E8: JSEvaluateScript (JSBase.cpp:54) ==28953== by 0x400EC5: main (jstest.c:71) ==28953== Address 0x6c23e98 is 0 bytes inside a block of size 40 alloc'd ==28953== at 0x4A1A39B: malloc (vg_replace_malloc.c:207) ==28953== by 0x4CA79FA: WTF::fastMalloc(unsigned long) (FastMalloc.cpp:225) ==28953== by 0x4B59AA2: JSC::ParserArenaDeletable::operator new(unsigned long, JSC::JSGlobalData*) (NodeConstructors.h:32) ==28953== by 0x4B44C58: makeSubNode(void*, JSC::ExpressionNode*, JSC::ExpressionNode*, bool) (Grammar.y:2045) ==28953== by 0x4B48CEF: jscyyparse(void*) (Grammar.y:541) ==28953== by 0x4C17ABC: JSC::Parser::parse(JSC::JSGlobalData*, int*, JSC::UString*) (Parser.cpp:58) ==28953== by 0x4C17BD8: JSC::Parser::reparseInPlace(JSC::JSGlobalData*, JSC::FunctionBodyNode*) (Parser.cpp:76) ==28953== by 0x4C01654: JSC::FunctionBodyNode::generateBytecode(JSC::ScopeChainNode*) (Nodes.cpp:2072) ==28953== by 0x4BCD5C1: JSC::FunctionBodyNode::bytecode(JSC::ScopeChainNode*) (Nodes.h:1584) ==28953== by 0x4C5DBB3: JSC::JSGlobalData::numericCompareFunction(JSC::ExecState*) (JSGlobalData.cpp:234) ==28953== by 0x4B9C680: JSC::BytecodeGenerator::generate() (BytecodeGenerator.cpp:156) ==28953== by 0x4C03829: JSC::ProgramNode::generateBytecode(JSC::ScopeChainNode*) (Nodes.cpp:1893) ==28953== by 0x4BCEE61: JSC::ProgramNode::bytecode(JSC::ScopeChainNode*) (Nodes.h:1476) ==28953== by 0x4BB9511: JSC::Interpreter::execute(JSC::ProgramNode*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*, JSC::JSValue*) (Interpreter.cpp:612) ==28953== by 0x4C3F699: JSC::evaluate(JSC::ExecState*, JSC::ScopeChain&, JSC::SourceCode const&, JSC::JSValue) (Completion.cpp:67) ==28953== by 0x4B5A2E8: JSEvaluateScript (JSBase.cpp:54) ==28953== by 0x400EC5: main (jstest.c:71) Problem lies in class ParserArenaDeletable, which has overloaded operator new, which uses fastMalloc, but does not have overloaded operator delete. Attached patch fixes this problem.