js> for (i=0;i<8;++i); ==35694== Mismatched free() / delete / delete [] ==35694== at 0x289B1A: operator delete(void*) (vg_replace_malloc.c:346) ==35694== by 0x179151: nanojit::SanityFilter::~SanityFilter() (LIR.h:1486) ==35694== by 0x139A0C: TraceRecorder::~TraceRecorder() (jstracer.cpp:2125) ==35694== by 0x13FA52: DeleteRecorder(JSContext*) (jstracer.cpp:4853) ==35694== by 0x15C913: TraceRecorder::monitorRecording(JSContext*, TraceRecorder*, JSOp) (jstracer.cpp:6618) ==35694== by 0x7084B: js_Interpret (jsops.cpp:79) ==35694== by 0x997EE: js_Execute (jsinterp.cpp:1613) ==35694== by 0x1EF99: JS_ExecuteScript (jsapi.cpp:4960) ==35694== by 0x89BF: Process(JSContext*, JSObject*, char*, int) (shell/js.cpp:529) ==35694== by 0x9E51: ProcessArgs(JSContext*, JSObject*, char**, int) (shell/js.cpp:844) ==35694== by 0xB4AA: main (shell/js.cpp:4829) ==35694== Address 0x5e6dfa0 is 0 bytes inside a block of size 8 alloc'd ==35694== at 0x28A0D8: calloc (vg_replace_malloc.c:418) ==35694== by 0x15F2F4: nanojit::LirWriter::operator new(unsigned long) (LIR.h:1019) ==35694== by 0x155435: TraceRecorder::TraceRecorder(JSContext*, VMSideExit*, nanojit::Fragment*, TreeInfo*, unsigned int, unsigned int, JSTraceType_*, VMSideExit*, unsigned char*, unsigned int) (jstracer.cpp:2022) ==35694== by 0x155CC4: StartRecorder(JSContext*, VMSideExit*, nanojit::Fragment*, TreeInfo*, unsigned int, unsigned int, JSTraceType_*, VMSideExit*, unsigned char*, unsigned int) (jstracer.cpp:4948) ==35694== by 0x158FC9: RecordTree(JSContext*, JSTraceMonitor*, VMFragment*, unsigned char*, unsigned int, JSObject*, unsigned int, Queue<unsigned short>*, unsigned int) (jstracer.cpp:5259) ==35694== by 0x15DE37: js_MonitorLoopEdge(JSContext*, unsigned int&) (jstracer.cpp:6420) ==35694== by 0x7A68C: js_Interpret (jsops.cpp:905) ==35694== by 0x997EE: js_Execute (jsinterp.cpp:1613) ==35694== by 0x1EF99: JS_ExecuteScript (jsapi.cpp:4960) ==35694== by 0x89BF: Process(JSContext*, JSObject*, char*, int) (shell/js.cpp:529) ==35694== by 0x9E51: ProcessArgs(JSContext*, JSObject*, char**, int) (shell/js.cpp:844) ==35694== by 0xB4AA: main (shell/js.cpp:4829) This appears to be due to the following piece of TraceRecorder, whose purpose I cannot figure out: inline void* operator new(size_t size) { return calloc(1, size); } Which may be residue from MMgc removal: changeset: 32778:c256a60dd22c tag: tip user: Graydon Hoare <graydon@mozilla.com> date: Thu Sep 10 16:29:36 2009 -0700 summary: Bug 516620 - Kill off residue of MMgc, r=gal.

That's interesting. I didn't know you had to match memory-from-calloc this way. Does it get fixed if you add an operator-delete that calls free()? The hunk in question is there because if I remove it there's a performance regression. Minute, but noticable. Amazingly, it seems that calloc() is faster than malloc() or carving a piece off a fixed-sized allocator. The offered explanation from jseward and edwsmith is that this has to do with special cache-clobber instructions. I have no idea, haven't disassembled my OSX calloc to see yet.

Note all this can go away if you're willing to take the teensy perf hit of using explicit structure init-to-zero instead of calloc. Alternatively if we make the allocators fast enough, split their lifetimes up enough, and move this junk to allocators, we might win there. I don't really care which way we go, but this patch makes valgrind happy for now.

Filter on qa-project-auto-change: Bug in removed tracer code, setting in-testsuite- flag.