Many false positives "Mismatched free() / delete / delete []"

Many false positives "Mismatched free() / delete / delete []"

David Faure
There seems to be a regression in valgrind SVN, where it thinks new[] was used, while in fact a simple new was used.
I see this all over the place when running valgrind on Qt code.

==4799== Mismatched free() / delete / delete []
==4799==    at 0x4C2A65D: operator delete(void*) (vg_replace_malloc.c:576)
==4799==    by 0x6CF853D: QVBoxLayout::~QVBoxLayout() (qboxlayout.cpp:1354)
==4799==    by 0x6D1CE90: QWidget::~QWidget() (qwidget.cpp:1594)
==4799==    by 0x6F631A1: QDialog::~QDialog() (qdialog.cpp:352)
==4799==    by 0x5152C85: Akonadi::EmailAddressSelectionDialog::~EmailAddressSelectionDialog() (emailaddressselectiondialog.cpp:92)
==4799==    by 0x401876: main (emailaddressselectiondialogtest.cpp:35)
==4799==  Address 0x279546e0 is 0 bytes inside a block of size 32 alloc'd
==4799==    at 0x4C29D78: operator new[](unsigned long) (vg_replace_malloc.c:423)
==4799==    by 0x5152DB7: Akonadi::EmailAddressSelectionDialog::Private::Private(Akonadi::EmailAddressSelectionDialog*, QAbstractItemModel*) (emailaddressselectiondialog.cpp:40)
==4799==    by 0x5152B22: Akonadi::EmailAddressSelectionDialog::EmailAddressSelectionDialog(QWidget*) (emailaddressselectiondialog.cpp:82)
==4799==    by 0x401681: main (emailaddressselectiondialogtest.cpp:35)

emailaddressselectiondialog.cpp:40 says
 QVBoxLayout *mainLayout = new QVBoxLayout(q);

And this is just one example, it happens in many many places, it's nothing special about this particular file.

Any idea why this is happening?

gcc (SUSE Linux) 4.8.5
valgrind-3.13.0.SVN
glibc-2.22-3.7.x86_64
`uname -a` = Linux 4.4.36-8-default #1 SMP Fri Dec 9 16:18:38 UTC 2016 (3ec5648) x86_64 x86_64 x86_64 GNU/Linux
OpenSuSE Leap 42.2

--
David Faure, [hidden email], http://www.davidfaure.fr
Working on KDE Frameworks 5


------------------------------------------------------------------------------
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today.http://sdm.link/intel
_______________________________________________
Valgrind-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/valgrind-users

Re: Many false positives "Mismatched free() / delete / delete []"

David Chapman-10
On 12/22/2016 3:22 AM, David Faure wrote:

> There seems to be a regression in valgrind SVN, where it thinks new[] was used, while in fact a simple new was used.
> I see this all over the place when running valgrind on Qt code.
>
> ==4799== Mismatched free() / delete / delete []
> ==4799==    at 0x4C2A65D: operator delete(void*) (vg_replace_malloc.c:576)
> ==4799==    by 0x6CF853D: QVBoxLayout::~QVBoxLayout() (qboxlayout.cpp:1354)
> ==4799==    by 0x6D1CE90: QWidget::~QWidget() (qwidget.cpp:1594)
> ==4799==    by 0x6F631A1: QDialog::~QDialog() (qdialog.cpp:352)
> ==4799==    by 0x5152C85: Akonadi::EmailAddressSelectionDialog::~EmailAddressSelectionDialog() (emailaddressselectiondialog.cpp:92)
> ==4799==    by 0x401876: main (emailaddressselectiondialogtest.cpp:35)
> ==4799==  Address 0x279546e0 is 0 bytes inside a block of size 32 alloc'd
> ==4799==    at 0x4C29D78: operator new[](unsigned long) (vg_replace_malloc.c:423)
> ==4799==    by 0x5152DB7: Akonadi::EmailAddressSelectionDialog::Private::Private(Akonadi::EmailAddressSelectionDialog*, QAbstractItemModel*) (emailaddressselectiondialog.cpp:40)
> ==4799==    by 0x5152B22: Akonadi::EmailAddressSelectionDialog::EmailAddressSelectionDialog(QWidget*) (emailaddressselectiondialog.cpp:82)
> ==4799==    by 0x401681: main (emailaddressselectiondialogtest.cpp:35)
>
> emailaddressselectiondialog.cpp:40 says
>   QVBoxLayout *mainLayout = new QVBoxLayout(q);
>
> And this is just one example, it happens in many many places, it's nothing special about this particular file.
>
> Any idea why this is happening?
>
> gcc (SUSE Linux) 4.8.5
> valgrind-3.13.0.SVN
> glibc-2.22-3.7.x86_64
> `uname -a` = Linux 4.4.36-8-default #1 SMP Fri Dec 9 16:18:38 UTC 2016 (3ec5648) x86_64 x86_64 x86_64 GNU/Linux
> OpenSuSE Leap 42.2
>
If this is new valgrind behavior, I wouldn't discount a bug in its code,
but the developers (not me) would need to know what the QVBoxLayout
constructor is doing.  If it's inlined, the call stack might point
fingers at the calling function rather than the true offender.  Does the
QVBoxLayout constructor allocate any memory inside?

--
     David Chapman      [hidden email]
     Chapman Consulting -- San Jose, CA
     Software Development Done Right.
     www.chapman-consulting-sj.com



Re: Many false positives "Mismatched free() / delete / delete []"

David Faure
On Thursday 22 December 2016 06:46:44 CET David Chapman wrote:
> If this is new valgrind behavior, I wouldn't discount a bug in its code

It certainly looks like one :)

> but the developers (not me) would need to know what the QVBoxLayout
> constructor is doing.  If it's inlined, the call stack might point
> fingers at the calling function rather than the true offender.

It is not inline, and my call stack is from a non-optimized debug build
anyway.

> Does the QVBoxLayout constructor allocate any memory inside?

Yes but not with new[].

QVBoxLayout::QVBoxLayout(QWidget *parent)
    : QBoxLayout(TopToBottom, parent)
{
}

QBoxLayout::QBoxLayout(Direction dir, QWidget *parent)
    : QLayout(*new QBoxLayoutPrivate, 0, parent)
{
    d->dir = dir;
}



--
David Faure, [hidden email], http://www.davidfaure.fr
Working on KDE Frameworks 5



Re: Many false positives "Mismatched free() / delete / delete []"

Philippe Waroquiers
On Thu, 2016-12-22 at 12:22 +0100, David Faure wrote:

> Any idea why this is happening?
>
> gcc (SUSE Linux) 4.8.5
> valgrind-3.13.0.SVN
> glibc-2.22-3.7.x86_64
> `uname -a` = Linux 4.4.36-8-default #1 SMP Fri Dec 9 16:18:38 UTC 2016 (3ec5648) x86_64 x86_64 x86_64 GNU/Linux
> OpenSuSE Leap 42.2
>
To be sure: if you just replace in the above setup valgrind 3.13 SVN
by valgrind 3.12 release, then you do not have the problem anymore ?

Philippe




Re: Many false positives "Mismatched free() / delete / delete []"

Paul Floyd

----- Original Message -----

> On Thursday 22 December 2016 06:46:44 CET David Chapman wrote:
> > If this is new valgrind behavior, I wouldn't discount a bug in its
> > code
>
> It certainly looks like one :)
>
> > but the developers (not me) would need to know what the QVBoxLayout
> > constructor is doing.  If it's inlined, the call stack might point
> > fingers at the calling function rather than the true offender.
>
> It is not inline, and my call stack is from a non-optimized debug
> build
> anyway.
>
> > Does the QVBoxLayout constructor allocate any memory inside?
>
> Yes but not with new[].
>
> QVBoxLayout::QVBoxLayout(QWidget *parent)
>     : QBoxLayout(TopToBottom, parent)
> {
> }
>
> QBoxLayout::QBoxLayout(Direction dir, QWidget *parent)
>     : QLayout(*new QBoxLayoutPrivate, 0, parent)
> {
>     d->dir = dir;
> }

It doesn't much look like it, but there could be calls to new [] in the QBoxLayoutPrivate ctor, or its parent classes.

Do you know if global new/delete are replaced, or if there are any class overloads?

A+
Paul


Re: Many false positives "Mismatched free() / delete / delete []"

David Faure
On Thursday 22 December 2016 21:06:04 CET Philippe Waroquiers wrote:
> To be sure: if you just replace in the above setup valgrind 3.13 SVN
> by valgrind 3.12 release, then you do not have the problem anymore ?

Good point. I just tried with /usr/bin/valgrind, which is 3.11, and the same
thing happens!

On Thursday 22 December 2016 21:28:32 CET [hidden email] wrote:
> It doesn't much look like it, but there could be calls to new [] in the
> QBoxLayoutPrivate ctor, or its parent classes.

I don't think so, and again: this is a -O0 -g build, no inlining is happening,
so these frames would show in the stack.

> Do you know if global new/delete are replaced

I wonder how to find out.

To make matters more complex, a simple QVBoxLayout testcase doesn't show the
issue. Neither do small size autotests with dialogs and layouts. Only the
bigger test program with lots of memory allocations hits this.

I've seen it before in other programs though so it's not specific to that test
either.

--
David Faure, [hidden email], http://www.davidfaure.fr
Working on KDE Frameworks 5



Re: Many false positives "Mismatched free() / delete / delete []"

David Faure
I found it.

Using "step" in gdb showed that the new calls that valgrind complains about
go into.... qtwebengine/src/3rdparty/chromium/base/allocator/allocator_shim.cc

void* ShimCppNew(size_t size) {
  const allocator::AllocatorDispatch* const chain_head = GetChainHead();
  void* ptr;
  do {
    ptr = chain_head->alloc_function(chain_head, size);
  } while (!ptr && CallNewHandler());
  return ptr;
}

Indeed chromium's allocator_shim_override_cpp_symbols.h says
SHIM_ALWAYS_EXPORT void* operator new(size_t size)
    SHIM_ALIAS_SYMBOL(ShimCppNew);

This is why it didn't happen in smaller testcases, it only happens when
including some qtwebengine headers.

=> No valgrind bug, sorry for the noise. I am now going to yell at the
qtwebengine/chromium people for polluting applications with their custom
operator new...

--
David Faure, [hidden email], http://www.davidfaure.fr
Working on KDE Frameworks 5
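An added example, not code from the thread, from Qt or from Chromium, that reproduces the situation David found and answers Paul's earlier question about how to tell whether the global new/delete have been replaced. It assumes Linux/glibc (where dl_iterate_phdr reports the main program with an empty name): a malloc()-backed stand-in for ShimCppNew is installed as the global operator new, and new_provider() walks the loaded ELF objects to report which one defines ::operator new.

```cpp
// Added example (not code from the thread, Qt or Chromium), Linux/glibc only: a
// malloc()-backed stand-in for Chromium's ShimCppNew replaces the global operator
// new process-wide, and new_provider() reports which loaded object defines it.
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <new>
#include <string>
#include <link.h>   // dl_iterate_phdr(), ElfW(): in libc itself, no -ldl needed

// Replacing the *global* operator new binds for the whole process: every `new`,
// Qt's included, now lands here instead of in libstdc++ (the "pollution" above).
// Memcheck's malloc/new replacement matches symbols by name and library, so an
// operator new defined elsewhere is attributed differently from libstdc++'s.
static void* ShimCppNew(size_t size) {
    if (void* p = std::malloc(size ? size : 1)) return p;   // malloc(0) may be NULL
    throw std::bad_alloc();
}
void* operator new(size_t size) { return ShimCppNew(size); }
void operator delete(void* p) noexcept { std::free(p); }

struct Query { uintptr_t addr; const char* owner; };

// dl_iterate_phdr() callback: does a PT_LOAD segment of this object cover addr?
static int find_owner(struct dl_phdr_info* info, size_t, void* data) {
    Query* q = static_cast<Query*>(data);
    for (int i = 0; i < info->dlpi_phnum; ++i) {
        const ElfW(Phdr)& ph = info->dlpi_phdr[i];
        uintptr_t lo = info->dlpi_addr + ph.p_vaddr;
        if (ph.p_type != PT_LOAD || q->addr < lo || q->addr >= lo + ph.p_memsz) continue;
        q->owner = info->dlpi_name[0] ? info->dlpi_name : "<main executable>";  // glibc: "" = main program
        return 1;   // non-zero stops the walk
    }
    return 0;
}

// Name of the loaded object whose mapped segments contain addr ("" if none).
std::string object_providing(void* addr) {
    Query q{reinterpret_cast<uintptr_t>(addr), ""};
    dl_iterate_phdr(find_owner, &q);
    return q.owner;
}

// The check Paul asked about: with the replacement above this is the executable
// itself; without it, the C++ runtime (libstdc++.so.6 on glibc) shows up here.
std::string new_provider() {
    return object_providing(reinterpret_cast<void*>(
        static_cast<void* (*)(size_t)>(&::operator new)));
}
```

Running the same check inside a Qt application that links qtwebengine would name the object carrying Chromium's shim instead of libstdc++; memcheck's --soname-synonyms option is the way to tell it about an allocator that lives in such an object.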

