Comment #22 on issue 28749 by [email protected]: gcc
4.4-specific renderer crash in malloc, memory corruption while loading
plugins (?)
http://code.google.com/p/chromium/issues/detail?id=28749
So the attached file is a super scaled down version of what sort of happens
in
PluginChannelBase::OnMessageReceived that I've been playing with while
sifting
through the code. We have a lazy instance stack and we push and pop refptrs
to a
PluginChannelBase ...
Compile as follows:
g++ -O2 -g -o test -I . test.cc -L out/Release/lib.target/ -lbase -levent
-lmodp_b64
-DNVALGRIND -Wall
And run under valgrind:$ LD_LIBRARY_PATH=./out/Release/lib.target/
valgrind ./test
==18031== Memcheck, a memory error detector.
==18031== Copyright (C) 2002-2008, and GNU GPL'd, by Julian Seward et al.
==18031== Using LibVEX rev 1884, a library for dynamic binary translation.
==18031== Copyright (C) 2004-2008, and GNU GPL'd, by OpenWorks LLP.
==18031== Using valgrind-3.4.1, a dynamic binary instrumentation framework.
==18031== Copyright (C) 2000-2008, and GNU GPL'd, by Julian Seward et al.
==18031== For more details, rerun with: -v
==18031==
Constructing channel at 0x4143070
about to push
Scoped refptr at 0xbef7b20c constructor from T*. Referencing 0x4143070
Scoped refptr at 0x4143380 constructor from & 0xbef7b20c. Referencing
0x4143070
Scoped refptr at 0xbef7b20c destructor. Releasing 0x4143070
after push
about to pop 0x4143380
==18031== Conditional jump or move depends on uninitialised value(s)
==18031== at 0x7520C1: vfprintf (in /lib/libc-2.9.90.so)
==18031== by 0x75AA3F: printf (in /lib/libc-2.9.90.so)
==18031== by 0x8048BDC: Test(PluginChannelBase*) (test.cc:43)
==18031== by 0x8048CEB: main (test.cc:141)
Scoped refptr at 0x4143384 destructor. Releasing (nil)
==18031==
==18031== Conditional jump or move depends on uninitialised value(s)
==18031== at 0x8048BE1: Test(PluginChannelBase*) (test.cc:44)
==18031== by 0x8048CEB: main (test.cc:141)
after pop
...
Note that even though one of the scoped refptr's was at 0x4143380, when it
is
destructed it seems to live 4 bytes further on: 0x4143384.
Huh?????? Dazed and confused.
Even more interestingly, when compiled with -O1, there are no valgrind
errors and the
refptr addresses match properly.
Suggestions welcome ...
Attachments:
test.cc 3.5 KB
--
You received this message because you are listed in the owner
or CC fields of this issue, or because you starred this issue.
You may adjust your issue notification preferences at:
http://code.google.com/hosting/settings
--
Automated mail from issue updates at http://crbug.com/
Subscription options: http://groups.google.com/group/chromium-bugs
