
Maybe one possibility would be to modify efence to mark freed memory as inaccessible but never actually return it to the pool for re-allocation...
This may not be necessary since inkscape in valgrind-2.4.0 already aborts on startup with
==19853== Addrcheck, a fine-grained address checker for x86-linux.
==19853== Copyright (C) 2002-2005, and GNU GPL'd, by Julian Seward et al.
==19853== Using valgrind-2.4.0, a program supervision framework for x86-linux.
==19853== Copyright (C) 2000-2005, and GNU GPL'd, by Julian Seward et al.
==19853==
==19853== My PID = 19853, parent PID = 7747. Prog and args are:
==19853==    inkscape
==19853== For more details, rerun with: -v
==19853==
==19853== Invalid read of size 4
==19853==    at 0x34E12713: GC_mark_from (in /usr/lib/libgc.so.1.0.2)
==19853==    by 0x34E12398: GC_mark_some (in /usr/lib/libgc.so.1.0.2)
==19853==    by 0x34E0B6F4: GC_stopped_mark (in /usr/lib/libgc.so.1.0.2)
==19853==    by 0x34E0B321: GC_try_to_collect_inner (in /usr/lib/libgc.so.1.0.2)
==19853==    by 0x34E15099: GC_init_inner (in /usr/lib/libgc.so.1.0.2)
==19853==    by 0x34E10B34: GC_generic_malloc_inner (in /usr/lib/libgc.so.1.0.2)
==19853==    by 0x34E10C90: GC_generic_malloc (in /usr/lib/libgc.so.1.0.2)
==19853==    by 0x34E10F84: GC_malloc (in /usr/lib/libgc.so.1.0.2)
==19853==    by 0x811D2AC: operator new(unsigned, Inkscape::GC::ScanPolicy, Inkscape::GC::CollectionPolicy, void (*)(void*, void*), void*) (gc-core.h:72)
==19853==    by 0x83A27A9: sp_repr_new(char const*) (gc-managed.h:55)
==19853==    by 0x839F461: sp_repr_svg_read_node(_xmlNode*, char const*, _GHashTable*) (repr-io.cpp:454)
==19853==    by 0x839F285: sp_repr_do_read(_xmlDoc*, char const*) (repr-io.cpp:364)
==19853==  Address 0x9C600014 is not stack'd, malloc'd or (recently) free'd
==19853==
==19853== Process terminating with default action of signal 11 (SIGSEGV)
==19853==  Bad permissions for mapped region at address 0x9C600014
[...]
==19853==
==19853== Invalid write of size 4
==19853==    at 0x34F31F9B: (within /lib/tls/i686/cmov/libc-2.3.2.so)
==19853==    by 0x34F32358: (within /lib/tls/i686/cmov/libc-2.3.2.so)
==19853==    by 0x34F31ED5: (within /lib/tls/i686/cmov/libc-2.3.2.so)
==19853==    by 0x34F3F163: (within /lib/tls/i686/cmov/libc-2.3.2.so)
==19853==    by 0x34F3FCE0: (within /lib/tls/i686/cmov/libc-2.3.2.so)
==19853==    by 0x35020885: (within /lib/tls/i686/cmov/libc-2.3.2.so)
==19853==    by 0x350209AE: __libc_freeres (in /lib/tls/i686/cmov/libc-2.3.2.so)
==19853==    by 0x34144A04: _vgw(float, long double,...)(...)(long double,...)(short) (vg_intercept.c:55)
==19853==    by 0x9C5FE26F: ???
==19853==    by 0x34E12398: GC_mark_some (in /usr/lib/libgc.so.1.0.2)
==19853==    by 0x34E0B6F4: GC_stopped_mark (in /usr/lib/libgc.so.1.0.2)
==19853==    by 0x34E0B321: GC_try_to_collect_inner (in /usr/lib/libgc.so.1.0.2)
==19853==  Address 0x3527DF98 is 0 bytes inside a block of size 120 free'd
==19853==    at 0x3414AB10: free (vg_replace_malloc.c:152)
==19853==    by 0x34F32AC5: (within /lib/tls/i686/cmov/libc-2.3.2.so)
==19853==    by 0x34FEC4DE: (within /lib/tls/i686/cmov/libc-2.3.2.so)
==19853==    by 0x34FEC4FA: (within /lib/tls/i686/cmov/libc-2.3.2.so)
==19853==    by 0x34FEC385: tdestroy (in /lib/tls/i686/cmov/libc-2.3.2.so)
==19853==    by 0x35020502: (within /lib/tls/i686/cmov/libc-2.3.2.so)
==19853==    by 0x350209AE: __libc_freeres (in /lib/tls/i686/cmov/libc-2.3.2.so)
==19853==    by 0x34144A04: _vgw(float, long double,...)(...)(long double,...)(short) (vg_intercept.c:55)
==19853==    by 0x9C5FE26F: ???
==19853==    by 0x34E12398: GC_mark_some (in /usr/lib/libgc.so.1.0.2)
==19853==    by 0x34E0B6F4: GC_stopped_mark (in /usr/lib/libgc.so.1.0.2)
==19853==    by 0x34E0B321: GC_try_to_collect_inner (in /usr/lib/libgc.so.1.0.2)
==19853==
==19853== ERROR SUMMARY: 26 errors from 14 contexts (suppressed: 0 from 0)
==19853== malloc/free: in use at exit: 308402 bytes in 6039 blocks.
==19853== malloc/free: 10043 allocs, 4004 frees, 720603 bytes allocated.
==19853== For counts of detected errors, rerun with: -v
==19853== searching for pointers to 6039 not-freed blocks.
==19853== checked 2484332 bytes.
==19853==
==19853== LEAK SUMMARY:
==19853==    definitely lost: 156 bytes in 11 blocks.
==19853==    possibly lost: 7816 bytes in 25 blocks.
==19853==    still reachable: 300430 bytes in 6003 blocks.
==19853==    suppressed: 0 bytes in 0 blocks.
==19853== Use --leak-check=full to see details of leaked memory.
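
The idea raised at the top of this message (mark freed memory inaccessible and never return it to the pool for re-allocation), as an added example that is not part of the original message and is not Electric Fence code. It assumes Linux with mmap/mprotect; qalloc, qfree and probe_read are hypothetical names.

```c
#define _DEFAULT_SOURCE            /* MAP_ANONYMOUS and sigsetjmp on glibc */
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical names throughout (qalloc, qfree, probe_read); not efence's API. */
static size_t page_size(void) { return (size_t)sysconf(_SC_PAGESIZE); }

/* One private mapping per allocation: a header page holding the mapping
 * length, followed by the caller's data pages. */
void *qalloc(size_t n) {
    size_t ps = page_size();
    if (n == 0 || n > SIZE_MAX - 2 * ps) return NULL;   /* no size overflow */
    size_t len = ps + (n + ps - 1) / ps * ps;
    void *m = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED) return NULL;
    *(size_t *)m = len;
    return (char *)m + ps;
}

/* "Free" revokes all access but never unmaps, so the address range is never
 * handed out again. A second qfree() faults on the header read, which also
 * exposes double frees. The cost is address space that is never reclaimed. */
int qfree(void *p) {
    if (p == NULL) return 0;
    char *m = (char *)p - page_size();
    return mprotect(m, *(size_t *)m, PROT_NONE);
}

static sigjmp_buf probe_env;
static void on_fault(int sig) { (void)sig; siglongjmp(probe_env, 1); }

/* Returns 1 if reading *p raises SIGSEGV, 0 if the read succeeds. */
int probe_read(const volatile char *p) {
    struct sigaction sa = {0}, old_segv;
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    volatile int faulted = 1;
    if (sigsetjmp(probe_env, 1) == 0) { char c = *p; (void)c; faulted = 0; }
    sigaction(SIGSEGV, &old_segv, NULL);   /* restore the previous handler */
    return faulted;
}

int main(void) {
    char *a = qalloc(100);
    if (a == NULL || qfree(a) != 0) return 1;
    return probe_read(a) ? 0 : 1;          /* 0: the stale read was caught */
}
```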