
false positive INVALID HEAP ARGUMENT (new/delete mismatch) error in v8.dll #1625

Closed
derekbruening opened this issue Nov 28, 2014 · 7 comments

Comments

@derekbruening
Contributor

From zhao...@google.com on September 12, 2014 15:34:58

xref crbug.com/413215

Original issue: http://code.google.com/p/drmemory/issues/detail?id=1625

@derekbruening
Contributor Author

From zhao...@google.com on September 12, 2014 12:50:35

We already have internal code to turn it off for any case with msvcr*.dll being involved; maybe we can extend from that.

v8!operator delete:
55c4503a ff250872c455 jmp dword ptr [v8!imp??3YAXPAXZ (55c47208)]
v8!operator new:
55c453da ff250472c455 jmp dword ptr [v8!imp??2YAPAXIZ (55c47204)]
v8!operator delete[]:
55c454da ff25f871c455 jmp dword ptr [v8!imp??_VYAXPAXZ (55c471f8)]
v8!operator new[]:
55c454e0 ff25f471c455 jmp dword ptr [v8!imp??_UYAPAXIZ (55c471f4)]

They are all pointing to the MSVCR120 version of the routines; we can decode a bit and then decide if we need to disable mismatch detection.
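An added example (not Dr. Memory's own code) of the "decode a bit" idea from this comment: decode the six-byte `FF 25 abs32` indirect-jmp thunk shown in the dump above, resolve the import slot it reads against a constructed import table, and suppress the mismatch check only when the slot is filled by an msvcr* module. The import table, the `thunk_slot` / `should_disable_mismatch_check` names and the sample byte strings are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed import-address-table entries modelled on the v8.dll dump in
 * the comment above (slot address -> module that fills it). The decorated
 * names are the full x86 MSVC forms of the symbols shown in the dump. */
typedef struct { uint32_t slot; const char *module; const char *symbol; } iat_entry_t;

static const iat_entry_t iat[] = {
    { 0x55c47208, "msvcr120.dll", "??3@YAXPAX@Z"  },  /* operator delete   */
    { 0x55c47204, "msvcr120.dll", "??2@YAPAXI@Z"  },  /* operator new      */
    { 0x55c471f8, "msvcr120.dll", "??_V@YAXPAX@Z" },  /* operator delete[] */
    { 0x55c471f4, "msvcr120.dll", "??_U@YAPAXI@Z" },  /* operator new[]    */
};

/* Sample code bytes (constructed from the dump): the v8!operator delete
 * thunk "ff250872c455", and the "push ebp" prologue of a real function. */
const uint8_t v8_delete_thunk[6] = { 0xff, 0x25, 0x08, 0x72, 0xc4, 0x55 };
const uint8_t v8_new_array_thunk[6] = { 0xff, 0x25, 0xf4, 0x71, 0xc4, 0x55 };
const uint8_t not_a_thunk[3] = { 0x55, 0x8b, 0xec };

/* Decode an x86-32 "jmp dword ptr [abs32]" (opcode FF /4, ModRM 25 = mod 00,
 * reg 4, r/m 101 = disp32 only). Returns the absolute slot address the jmp
 * reads its target from, or 0 if the bytes are not that instruction. */
uint32_t thunk_slot(const uint8_t *code, size_t len)
{
    if (len < 6 || code[0] != 0xff || code[1] != 0x25)
        return 0;
    return (uint32_t)code[2] | ((uint32_t)code[3] << 8) |
           ((uint32_t)code[4] << 16) | ((uint32_t)code[5] << 24);
}

/* Which module fills this import slot, or NULL if the slot is unknown. */
const char *iat_module_for_slot(uint32_t slot)
{
    for (size_t i = 0; i < sizeof(iat) / sizeof(iat[0]); i++)
        if (iat[i].slot == slot)
            return iat[i].module;
    return NULL;
}

/* An operator new/delete that is only a forwarding thunk into msvcr*.dll gets
 * the same treatment as a direct msvcr* call: mismatch reports are suppressed.
 * Any other code (a real implementation, an unknown import) keeps the check. */
int should_disable_mismatch_check(const uint8_t *code, size_t len)
{
    const char *mod = iat_module_for_slot(thunk_slot(code, len));
    return mod != NULL && strncmp(mod, "msvcr", 5) == 0;
}
```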

@derekbruening
Contributor Author

From zhao...@google.com on September 12, 2014 13:47:58

xref issue #1233 and issue #123

@derekbruening
Contributor Author

From bruen...@google.com on September 13, 2014 09:36:49

What was the resolution of issue #1058? It looks very similar.

@derekbruening
Contributor Author

From zhao...@google.com on September 15, 2014 07:57:32

The test is excluded, so I do not think we solved that issue.

Status: Duplicate
Merged into: 1058

@derekbruening
Contributor Author

From zhao...@google.com on September 15, 2014 13:58:26

This might be a more general problem for VS2013. Given a simple program:

#include <stdio.h>
int main(int argc, char* argv[])
{
    int *a = new int[15];   // array new: one would expect operator new[]
    printf("hello\n");
    delete [] a;            // array delete: one would expect operator delete[]
    return 0;
}

Build it with CL as a debug build:
C:\Users\zhaoqin\Documents\Visual Studio 2013\Projects\ConsoleApplication3\ConsoleApplication3>cl ConsoleApplication3.cpp /Zi /MD /Od /Ob0
Microsoft (R) C/C++ Optimizing Compiler Version 18.00.30723 for x86
Copyright (C) Microsoft Corporation. All rights reserved.

ConsoleApplication3.cpp
Microsoft (R) Incremental Linker Version 12.00.30723.0
Copyright (C) Microsoft Corporation. All rights reserved.

/out:ConsoleApplication3.exe
/debug
ConsoleApplication3.obj

We can see that the compiler is able to use new/delete instead of new[] and delete[]:

ConsoleApplication3!main:
00c71b50 55 push ebp
00c71b51 8bec mov ebp,esp
00c71b53 83ec0c sub esp,0xc
00c71b56 6a3c push 0x3c
00c71b58 e847f8ffff call ConsoleApplication3!operator new (00c713a4)
00c71b5d 83c404 add esp,0x4
00c71b60 8945fc mov [ebp-0x4],eax
00c71b63 8b45fc mov eax,[ebp-0x4]
00c71b66 8945f8 mov [ebp-0x8],eax
00c71b69 68c838c700 push 0xc738c8
00c71b6e ff15bc60c700 call dword ptr [ConsoleApplication3!_imp__printf (00c760bc)]
00c71b74 83c404 add esp,0x4
00c71b77 8b4df8 mov ecx,[ebp-0x8]
00c71b7a 894df4 mov [ebp-0xc],ecx
00c71b7d 8b55f4 mov edx,[ebp-0xc]
00c71b80 52 push edx
00c71b81 e8d2f7ffff call ConsoleApplication3!operator delete (00c71358)
00c71b86 83c404 add esp,0x4
00c71b89 33c0 xor eax,eax
00c71b8b 8be5 mov esp,ebp
00c71b8d 5d pop ebp
00c71b8e c3 ret

@derekbruening
Contributor Author

From zhao...@google.com on September 15, 2014 14:08:16

Actually, VS2010 produces similar code using new/delete.

@derekbruening
Contributor Author

From zhao...@google.com on September 15, 2014 14:29:45

For VS2013, even with more complicated code, it still uses new/delete:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Test class: every allocation goes through new[] and every release
// through delete[], so any scalar new/delete seen in the generated code
// comes from the compiler, not from this source.
class mismatch {
public:
    mismatch() {
        buf_ = alloc(30);
        size_ = 30;
    }
    mismatch(size_t size) {
        buf_ = (void *)alloc(size);
        size_ = size;
    }
    void resize(size_t new_size);
    ~mismatch() { dealloc(buf_); }

private:
    size_t size_;
    void *buf_;
    static int *alloc(size_t n) { return new int[n]; }
    // Note: delete[] through a void* is not well-formed C++; it is kept here
    // as posted because the point of the test is the generated call sequence.
    static void dealloc(void *p) { delete[] p; }
};

void mismatch::resize(size_t new_size)
{
    if (new_size >= size_) {
        void *tmp = buf_;
        buf_ = alloc(0x30);
        memcpy(buf_, tmp, size_);
        dealloc(tmp);
        tmp = new char[30];     // array new of a trivially destructible type
        delete[] tmp;
    }
}

int main(int argc, char* argv[])
{
    int *a = new int[15];               // array of trivially destructible elements
    mismatch *m = new mismatch[10];     // array of objects with a destructor
    mismatch mis(10);
    printf("hello\n");
    m[1].resize(20);
    delete [] a;
    delete [] m;
    return 0;
}

It first uses new to allocate memory, then calls `vector constructor iterator' to invoke the constructors. Later, it calls mismatch::`vector deleting destructor' to invoke all the destructors, then calls delete instead of delete [].

So new[]/delete[] are not called at all.

A similar thing happens for VS 2010.

There should be some path that triggers the compiler to use new[] and delete[] and some path that does not, which may cause a false-positive mismatch.
