Valgrind false-positive `Mismatched free() / delete / delete []` with tcmalloc 2.5

[thomas-riccardi]

Using valgrind on a program linked with tcmalloc works with the --soname-synonyms=somalloc=*tcmalloc* valgrind option.
However, starting with tcmalloc 2.5 I have a false positive Mismatched free() / delete / delete [] with the following code:

int main(int argc, char **argv)
{
  int* i = new int;
  delete i;

  return 0;
}

$ g++ -o bug bug.cpp -ltcmalloc_minimal
$ valgrind --tool=memcheck --soname-synonyms=somalloc=*tcmalloc* ./bug
==15874== Memcheck, a memory error detector
==15874== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==15874== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==15874== Command: ./bug
==15874==
==15874== Mismatched free() / delete / delete []
==15874==    at 0x4C2BE9C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==15874==    by 0x400795: main (in bug)
==15874==  Address 0x5c671e0 is 0 bytes inside a block of size 4 alloc'd
==15874==    at 0x4C2B9E0: operator new[](unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==15874==    by 0x400785: main (in bug)
==15874==
==15874==
==15874== HEAP SUMMARY:
==15874==     in use at exit: 46 bytes in 3 blocks
==15874==   total heap usage: 6 allocs, 3 frees, 52 bytes allocated
==15874==
==15874== LEAK SUMMARY:
==15874==    definitely lost: 0 bytes in 0 blocks
==15874==    indirectly lost: 0 bytes in 0 blocks
==15874==      possibly lost: 30 bytes in 1 blocks
==15874==    still reachable: 16 bytes in 2 blocks
==15874==         suppressed: 0 bytes in 0 blocks
==15874== Rerun with --leak-check=full to see details of leaked memory
==15874==
==15874== For counts of detected and suppressed errors, rerun with: -v
==15874== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

It works correctly with tcmalloc 2.4:

$ valgrind --tool=memcheck --soname-synonyms=somalloc=*tcmalloc* ./bug-tcmalloc-2.4
==16288== Memcheck, a memory error detector
==16288== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==16288== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==16288== Command: ./bug-tcmalloc-2.4
==16288==
==16288==
==16288== HEAP SUMMARY:
==16288==     in use at exit: 46 bytes in 3 blocks
==16288==   total heap usage: 6 allocs, 3 frees, 52 bytes allocated
==16288==
==16288== LEAK SUMMARY:
==16288==    definitely lost: 0 bytes in 0 blocks
==16288==    indirectly lost: 0 bytes in 0 blocks
==16288==      possibly lost: 30 bytes in 1 blocks
==16288==    still reachable: 16 bytes in 2 blocks
==16288==         suppressed: 0 bytes in 0 blocks
==16288== Rerun with --leak-check=full to see details of leaked memory
==16288==
==16288== For counts of detected and suppressed errors, rerun with: -v
==16288== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

It also works correctly without tcmalloc.

I reproduced the issue with tcmalloc 2.5 and master, valgrind 3.10.0 and 3.11.0, on redhat-7 and ubuntu-14.04.

I don't know if it's an issue with tcmalloc, or with valgrind, or both, so I'll stick with tcmalloc 2.4 for now.

[alk]

Thanks for reporting it.

This is result of intentional change to alias identical functions. It save
instruction cache space and prevents gcc 5 from penalizing the code via
it's own imperfect identical function folding optimization (i.e. gcc still
emits tc_new and tc_newarray but one of them contains just jump to another
which makes it run slightly slower).

Just don't use valgrind with tcmalloc.

I'll try to think about some way to "fix" it. But I cannot promise
anything. I may just "won't fix" it.

On Tue, Apr 12, 2016 at 6:29 AM, Thomas Riccardi notifications@github.com
wrote:

Using valgrind on a program linked with tcmalloc works with the
--soname-synonyms=somalloc=tcmalloc valgrind option.
However, starting with tcmalloc 2.5 I have a false positive Mismatched
free() / delete / delete [] with the following code:

int main(int argc, char *argv)
{
int i = new int;
delete i;

return 0;
}

$ g++ -o bug bug.cpp -ltcmalloc_minimal
$ valgrind --tool=memcheck --soname-synonyms=somalloc=tcmalloc ./bug
==15874== Memcheck, a memory error detector
==15874== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.==15874== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info==15874== Command: ./bug==15874====15874== Mismatched free() / delete / delete []==15874== at 0x4C2BE9C: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)==15874== by 0x400795: main (in bug)==15874== Address 0x5c671e0 is 0 bytes inside a block of size 4 alloc'd
==15874== at 0x4C2B9E0: operator new[](unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==15874== by 0x400785: main (in bug)
==15874==
==15874==
==15874== HEAP SUMMARY:
==15874== in use at exit: 46 bytes in 3 blocks
==15874== total heap usage: 6 allocs, 3 frees, 52 bytes allocated
==15874==
==15874== LEAK SUMMARY:
==15874== definitely lost: 0 bytes in 0 blocks
==15874== indirectly lost: 0 bytes in 0 blocks
==15874== possibly lost: 30 bytes in 1 blocks
==15874== still reachable: 16 bytes in 2 blocks
==15874== suppressed: 0 bytes in 0 blocks
==15874== Rerun with --leak-check=full to see details of leaked memory
==15874==
==15874== For counts of detected and suppressed errors, rerun with: -v
==15874== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

It works correctly with tcmalloc 2.4:

$ valgrind --tool=memcheck --soname-synonyms=somalloc=tcmalloc ./bug-tcmalloc-2.4
==16288== Memcheck, a memory error detector
==16288== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==16288== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==16288== Command: ./bug-tcmalloc-2.4
==16288==
==16288==
==16288== HEAP SUMMARY:
==16288== in use at exit: 46 bytes in 3 blocks
==16288== total heap usage: 6 allocs, 3 frees, 52 bytes allocated
==16288==
==16288== LEAK SUMMARY:
==16288== definitely lost: 0 bytes in 0 blocks
==16288== indirectly lost: 0 bytes in 0 blocks
==16288== possibly lost: 30 bytes in 1 blocks
==16288== still reachable: 16 bytes in 2 blocks
==16288== suppressed: 0 bytes in 0 blocks
==16288== Rerun with --leak-check=full to see details of leaked memory
==16288==
==16288== For counts of detected and suppressed errors, rerun with: -v
==16288== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

It also works correctly without tcmalloc.

I reproduced the issue with tcmalloc 2.5 and master, valgrind 3.10.0 and
3.11.0, on redhat-7 and ubuntu-14.04.

I don't know if it's an issue with tcmalloc, or with valgrind, or both, so
I'll stick with tcmalloc 2.4 for now.

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub
#792

[Romain-Geissler-1A]

Hi,

Statement like "don't use valgrind" from an allocator vendor might be quite unexpected ;).

Would you mind explaining a bit more in details what you changed exactly in the tcmalloc implementation which resulted in that ?

Cheers,
Romain

[Romain-Geissler-1A]

Hi,

After looking at the different commits, these one seems interesting: cef6036

As explained in the commit message, it's a real performance improvement (save one jump), and is easily workaroundable by using tcmalloc debug. Tested fine with valgrind with tcmalloc debug.

Cheers,
Romain

[alk]

The statement about valgrind and tcmalloc is that valgrind (or asan/msan) works best when it controls malloc itself. Trying to have both valgrind and tcmalloc in same process is asking for trouble.

Any objections if I close as "won't fix" ?

[santhoshmprabhu]

Started seeing this after upgrading to Ubuntu 18.04. Is this expected to not be fixed?

[alk]

Again, see my statement above. It is not good idea to use both tcmalloc and valgrind at same time.

Also closing as won't fix as noted above. At least as of now intention is to keep aliases.

[jankratochvil]

Just FYI another case so that Google finds this issue easier - Fedora 28 x86_64:

$ echo 'int main(){}'|gcc -x c - -ltcmalloc;valgrind ./a.out 
Memcheck, a memory error detector
Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
Command: ./a.out

Mismatched free() / delete / delete []
   at 0x4C2EDAC: free (vg_replace_malloc.c:530)
   by 0x4E50EF8: UnknownInlinedFun (heap-checker-bcad.cc:69)
   by 0x4E50EF8: UnknownInlinedFun (heap-checker-bcad.cc:93)
   by 0x4E50EF8: _GLOBAL__sub_I_heap_checker_bcad.cc (heap-checker-bcad.cc:93)
   by 0x400F6B9: call_init.part.0 (dl-init.c:72)
   by 0x400F7B5: call_init (dl-init.c:118)
   by 0x400F7B5: _dl_init (dl-init.c:119)
   by 0x4000F99: ??? (in /usr/lib64/ld-2.27.so)
 Address 0x637ad20 is 0 bytes inside a block of size 4 alloc'd
   at 0x4C2E933: operator new[](unsigned long) (vg_replace_malloc.c:423)
   by 0x4E50EEB: UnknownInlinedFun (heap-checker-bcad.cc:69)
   by 0x4E50EEB: UnknownInlinedFun (heap-checker-bcad.cc:93)
   by 0x4E50EEB: _GLOBAL__sub_I_heap_checker_bcad.cc (heap-checker-bcad.cc:93)
   by 0x400F6B9: call_init.part.0 (dl-init.c:72)
   by 0x400F7B5: call_init (dl-init.c:118)
   by 0x400F7B5: _dl_init (dl-init.c:119)
   by 0x4000F99: ??? (in /usr/lib64/ld-2.27.so)

Mismatched free() / delete / delete []
   at 0x4C2EDAC: free (vg_replace_malloc.c:530)
   by 0x4E5CEB0: UnknownInlinedFun (new_allocator.h:125)
   by 0x4E5CEB0: UnknownInlinedFun (alloc_traits.h:462)
   by 0x4E5CEB0: UnknownInlinedFun (basic_string.h:226)
   by 0x4E5CEB0: UnknownInlinedFun (basic_string.h:221)
   by 0x4E5CEB0: UnknownInlinedFun (basic_string.tcc:327)
   by 0x4E5CEB0: std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_append(char const*, unsigned long) (basic_string.tcc:370)
   by 0x4E66E09: UnknownInlinedFun (basic_string.h:1249)
   by 0x4E66E09: UnknownInlinedFun (basic_string.h:1159)
   by 0x4E66E09: MallocExtension::Initialize() (malloc_extension.cc:103)
   by 0x4E50EFD: UnknownInlinedFun (heap-checker-bcad.cc:75)
   by 0x4E50EFD: UnknownInlinedFun (heap-checker-bcad.cc:93)
   by 0x4E50EFD: _GLOBAL__sub_I_heap_checker_bcad.cc (heap-checker-bcad.cc:93)
   by 0x400F6B9: call_init.part.0 (dl-init.c:72)
   by 0x400F7B5: call_init (dl-init.c:118)
   by 0x400F7B5: _dl_init (dl-init.c:119)
   by 0x4000F99: ??? (in /usr/lib64/ld-2.27.so)
 Address 0x637b440 is 0 bytes inside a block of size 23 alloc'd
   at 0x4C2E933: operator new[](unsigned long) (vg_replace_malloc.c:423)
   by 0x4E66DB3: UnknownInlinedFun (basic_string.tcc:219)
   by 0x4E66DB3: UnknownInlinedFun (basic_string.h:236)
   by 0x4E66DB3: UnknownInlinedFun (basic_string.h:255)
   by 0x4E66DB3: UnknownInlinedFun (basic_string.h:511)
   by 0x4E66DB3: MallocExtension::Initialize() (malloc_extension.cc:102)
   by 0x4E50EFD: UnknownInlinedFun (heap-checker-bcad.cc:75)
   by 0x4E50EFD: UnknownInlinedFun (heap-checker-bcad.cc:93)
   by 0x4E50EFD: _GLOBAL__sub_I_heap_checker_bcad.cc (heap-checker-bcad.cc:93)
   by 0x400F6B9: call_init.part.0 (dl-init.c:72)
   by 0x400F7B5: call_init (dl-init.c:118)
   by 0x400F7B5: _dl_init (dl-init.c:119)
   by 0x4000F99: ??? (in /usr/lib64/ld-2.27.so)

Mismatched free() / delete / delete []
   at 0x4C2EDAC: free (vg_replace_malloc.c:530)
   by 0x4E66E20: UnknownInlinedFun (new_allocator.h:125)
   by 0x4E66E20: UnknownInlinedFun (alloc_traits.h:462)
   by 0x4E66E20: UnknownInlinedFun (basic_string.h:226)
   by 0x4E66E20: UnknownInlinedFun (basic_string.h:221)
   by 0x4E66E20: UnknownInlinedFun (basic_string.h:647)
   by 0x4E66E20: MallocExtension::Initialize() (malloc_extension.cc:102)
   by 0x4E50EFD: UnknownInlinedFun (heap-checker-bcad.cc:75)
   by 0x4E50EFD: UnknownInlinedFun (heap-checker-bcad.cc:93)
   by 0x4E50EFD: _GLOBAL__sub_I_heap_checker_bcad.cc (heap-checker-bcad.cc:93)
   by 0x400F6B9: call_init.part.0 (dl-init.c:72)
   by 0x400F7B5: call_init (dl-init.c:118)
   by 0x400F7B5: _dl_init (dl-init.c:119)
   by 0x4000F99: ??? (in /usr/lib64/ld-2.27.so)
 Address 0x637b4a0 is 0 bytes inside a block of size 45 alloc'd
   at 0x4C2E933: operator new[](unsigned long) (vg_replace_malloc.c:423)
   by 0x4E5CE42: UnknownInlinedFun (basic_string.tcc:317)
   by 0x4E5CE42: std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_append(char const*, unsigned long) (basic_string.tcc:370)
   by 0x4E66E09: UnknownInlinedFun (basic_string.h:1249)
   by 0x4E66E09: UnknownInlinedFun (basic_string.h:1159)
   by 0x4E66E09: MallocExtension::Initialize() (malloc_extension.cc:103)
   by 0x4E50EFD: UnknownInlinedFun (heap-checker-bcad.cc:75)
   by 0x4E50EFD: UnknownInlinedFun (heap-checker-bcad.cc:93)
   by 0x4E50EFD: _GLOBAL__sub_I_heap_checker_bcad.cc (heap-checker-bcad.cc:93)
   by 0x400F6B9: call_init.part.0 (dl-init.c:72)
   by 0x400F7B5: call_init (dl-init.c:118)
   by 0x400F7B5: _dl_init (dl-init.c:119)
   by 0x4000F99: ??? (in /usr/lib64/ld-2.27.so)


HEAP SUMMARY:
    in use at exit: 40 bytes in 2 blocks
  total heap usage: 14 allocs, 12 frees, 74,130 bytes allocated

LEAK SUMMARY:
   definitely lost: 0 bytes in 0 blocks
   indirectly lost: 0 bytes in 0 blocks
     possibly lost: 0 bytes in 0 blocks
   still reachable: 40 bytes in 2 blocks
        suppressed: 0 bytes in 0 blocks
Rerun with --leak-check=full to see details of leaked memory

For counts of detected and suppressed errors, rerun with: -v
ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)

[adamnovak]

I've run into this problem, trying to debug a static binary I got from a user that segfaults on her system and works fine on mine.

If valgrind cannot be used with tcmalloc anymore, what memory checking tool is recommended for use with tcmalloc-using applications?

If the recommended approach is to link with -ltcmalloc_debug instead of -ltcmalloc, and then use valgrind on that binary, what are the chances of the switch from normal to debug tcmalloc affecting the ability to reproduce a crash?

I've managed to get valgrind to not complain thousands of times about mismatched frees by suppressing the error with a suppression file (suppressions.supp):

{
   <allthefrees>
   Memcheck:Free
   fun:free
   ... 
}

You then invoke valgrind with valgrind --soname-synonyms='somalloc=*tcmalloc*' --suppressions=./suppressions.supp. It runs, but I'm not sure how reliable it will be, given what has been said here about it needing to control the allocator in a way that tcmalloc apparently doesn't let it do.