[Webkit-unassigned] [Bug 26837] New: Mismatched malloc()/delete in JSC::ParserArenaDeletable

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Jun 30 05:53:44 PDT 2009


https://bugs.webkit.org/show_bug.cgi?id=26837

           Summary: Mismatched malloc()/delete in JSC::ParserArenaDeletable
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: martin.zoubek at acision.com


When WebKit is compiled with USE_SYSTEM_MALLOC=1, valgrind reports a lot of
errors when deleting instances of some classes in JavaScript parser, for
example:

==28953== Mismatched free() / delete / delete []
==28953==    at 0x4A19BAC: operator delete(void*) (vg_replace_malloc.c:342)
==28953==    by 0x4B55C74: JSC::SubNode::~SubNode() (Nodes.h:867)
==28953==    by 0x4C1766D: void
WTF::deleteAllValues<JSC::ParserArenaDeletable*,
0ul>(WTF::Vector<JSC::ParserArenaDeletable*, 0ul> const&) (Vector.h:940)
==28953==    by 0x4C17423: JSC::ParserArena::~ParserArena()
(ParserArena.cpp:35)
==28953==    by 0x4C1519E: JSC::ScopeNodeData::~ScopeNodeData() (Nodes.h:1378)
==28953==    by 0x4C151F1: void
WTF::deleteOwnedPtr<JSC::ScopeNodeData>(JSC::ScopeNodeData*)
(OwnPtrCommon.h:44)
==28953==    by 0x4C1526F: WTF::OwnPtr<JSC::ScopeNodeData>::clear()
(OwnPtr.h:63)
==28953==    by 0x4C15296: JSC::ScopeNode::destroyData() (Nodes.h:1408)
==28953==    by 0x4C01815:
JSC::FunctionBodyNode::generateBytecode(JSC::ScopeChainNode*) (Nodes.cpp:2083)
==28953==    by 0x4BCD5C1:
JSC::FunctionBodyNode::bytecode(JSC::ScopeChainNode*) (Nodes.h:1584)
==28953==    by 0x4C5DBB3:
JSC::JSGlobalData::numericCompareFunction(JSC::ExecState*)
(JSGlobalData.cpp:234)
==28953==    by 0x4B9C680: JSC::BytecodeGenerator::generate()
(BytecodeGenerator.cpp:156)
==28953==    by 0x4C03829:
JSC::ProgramNode::generateBytecode(JSC::ScopeChainNode*) (Nodes.cpp:1893)
==28953==    by 0x4BCEE61: JSC::ProgramNode::bytecode(JSC::ScopeChainNode*)
(Nodes.h:1476)
==28953==    by 0x4BB9511: JSC::Interpreter::execute(JSC::ProgramNode*,
JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*, JSC::JSValue*)
(Interpreter.cpp:612)
==28953==    by 0x4C3F699: JSC::evaluate(JSC::ExecState*, JSC::ScopeChain&,
JSC::SourceCode const&, JSC::JSValue) (Completion.cpp:67)
==28953==    by 0x4B5A2E8: JSEvaluateScript (JSBase.cpp:54)
==28953==    by 0x400EC5: main (jstest.c:71)
==28953==  Address 0x6c23e98 is 0 bytes inside a block of size 40 alloc'd
==28953==    at 0x4A1A39B: malloc (vg_replace_malloc.c:207)
==28953==    by 0x4CA79FA: WTF::fastMalloc(unsigned long) (FastMalloc.cpp:225)
==28953==    by 0x4B59AA2: JSC::ParserArenaDeletable::operator new(unsigned
long, JSC::JSGlobalData*) (NodeConstructors.h:32)
==28953==    by 0x4B44C58: makeSubNode(void*, JSC::ExpressionNode*,
JSC::ExpressionNode*, bool) (Grammar.y:2045)
==28953==    by 0x4B48CEF: jscyyparse(void*) (Grammar.y:541)
==28953==    by 0x4C17ABC: JSC::Parser::parse(JSC::JSGlobalData*, int*,
JSC::UString*) (Parser.cpp:58)
==28953==    by 0x4C17BD8: JSC::Parser::reparseInPlace(JSC::JSGlobalData*,
JSC::FunctionBodyNode*) (Parser.cpp:76)
==28953==    by 0x4C01654:
JSC::FunctionBodyNode::generateBytecode(JSC::ScopeChainNode*) (Nodes.cpp:2072)
==28953==    by 0x4BCD5C1:
JSC::FunctionBodyNode::bytecode(JSC::ScopeChainNode*) (Nodes.h:1584)
==28953==    by 0x4C5DBB3:
JSC::JSGlobalData::numericCompareFunction(JSC::ExecState*)
(JSGlobalData.cpp:234)
==28953==    by 0x4B9C680: JSC::BytecodeGenerator::generate()
(BytecodeGenerator.cpp:156)
==28953==    by 0x4C03829:
JSC::ProgramNode::generateBytecode(JSC::ScopeChainNode*) (Nodes.cpp:1893)
==28953==    by 0x4BCEE61: JSC::ProgramNode::bytecode(JSC::ScopeChainNode*)
(Nodes.h:1476)
==28953==    by 0x4BB9511: JSC::Interpreter::execute(JSC::ProgramNode*,
JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*, JSC::JSValue*)
(Interpreter.cpp:612)
==28953==    by 0x4C3F699: JSC::evaluate(JSC::ExecState*, JSC::ScopeChain&,
JSC::SourceCode const&, JSC::JSValue) (Completion.cpp:67)
==28953==    by 0x4B5A2E8: JSEvaluateScript (JSBase.cpp:54)
==28953==    by 0x400EC5: main (jstest.c:71)

The problem lies in the class ParserArenaDeletable, which has an overloaded operator new
that uses fastMalloc, but does not have an overloaded operator delete. The attached
patch fixes this problem.


-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.