Closed Bug 1467751 Opened 6 years ago Closed 6 years ago

Memory leak with OOM in ReadGeckoProfilingStack(JSContext*, unsigned int, JS::Value*)

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla62
Tracking Flags:
Tracking Status
firefox62 --- fixed

People

(Reporter: anba, Assigned: Waldo)

Details

Attachments

(1 file)

Patch
1.55 KB, patch
anba
: review+
Details | Diff | Splinter Review 
|NewString<CanGC>(...)| doesn't take ownership of the passed char* on OOM, which means releasing the UniquePtr in |inlineFrame.label.release()| can lead to a leak [1].


[1] https://searchfox.org/mozilla-central/rev/c621276fbdd9591f52009042d959b9e19b66d49f/js/src/builtin/TestingFunctions.cpp#2463-2464


Test case:
---
enableGeckoProfiling();

function f() {
    var q = 0;
    for (var i = 0; i < 10000; ++i) {
        q += String.fromCharCode(i & 0xff).length;
    }
    return q;
}
for (var i = 0; i < 2; ++i) f();

oomAtAllocation(17);

readGeckoProfilingStack();
---


Configure flags: --enable-debug --disable-optimize --disable-tests --enable-valgrind --disable-jemalloc

Run with: valgrind --tool=memcheck --leak-check=yes ~/hg/mozilla-inbound/js/src/build-valgrind-debug-obj/dist/bin/js --baseline-eager --no-threads --no-ion /tmp/t.js


Output:
---
==15981== Memcheck, a memory error detector
==15981== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==15981== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==15981== Command: /home/andre/hg/mozilla-inbound/js/src/build-valgrind-debug-obj/dist/bin/js --baseline-eager --no-threads --no-ion /tmp/t.js
==15981== 
==15981== Warning: set address range perms: large range [0x39b802aff000, 0x39b842aff000) (noaccess)
uncaught exception: out of memory
(Unable to print stack trace)
==15981== Warning: set address range perms: large range [0x39b802aff000, 0x39b842aff000) (noaccess)
==15981== 
==15981== HEAP SUMMARY:
==15981==     in use at exit: 72,789 bytes in 4 blocks
==15981==   total heap usage: 9,045 allocs, 9,041 frees, 8,448,319 bytes allocated
==15981== 
==15981== 10 bytes in 1 blocks are definitely lost in loss record 1 of 4
==15981==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==15981==    by 0x492024: SystemMalloc::malloc(unsigned long) (malloc_decls.h:37)
==15981==    by 0x491F58: DummyArenaAllocator<SystemMalloc>::moz_arena_malloc(unsigned long, unsigned long) (malloc_decls.h:37)
==15981==    by 0x491E4C: moz_arena_malloc (malloc_decls.h:115)
==15981==    by 0x41E7D2: js_malloc(unsigned long) (Utility.h:387)
==15981==    by 0x429FC1: char* js_pod_malloc<char>(unsigned long) (Utility.h:584)
==15981==    by 0x489B23: char* js::MallocProvider<JSContext>::maybe_pod_malloc<char>(unsigned long) (MallocProvider.h:54)
==15981==    by 0x4899DE: char* js::MallocProvider<JSContext>::pod_malloc<char>(unsigned long) (MallocProvider.h:87)
==15981==    by 0xDF576A: mozilla::UniquePtr<char [], JS::FreePolicy> js::MallocProvider<JSContext>::make_pod_array<char>(unsigned long) (in /home/andre/hg/mozilla-inbound/js/src/build-valgrind-debug-obj/dist/bin/js)
==15981==    by 0xDEC956: js::DuplicateString(JSContext*, char const*) (Text.cpp:54)
==15981==    by 0xBDEEDF: ReadGeckoProfilingStack(JSContext*, unsigned int, JS::Value*) (TestingFunctions.cpp:2432)
==15981==    by 0x6720B3: js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (JSContext-inl.h:274)
==15981== 
==15981== LEAK SUMMARY:
==15981==    definitely lost: 10 bytes in 1 blocks
==15981==    indirectly lost: 0 bytes in 0 blocks
==15981==      possibly lost: 0 bytes in 0 blocks
==15981==    still reachable: 72,779 bytes in 3 blocks
==15981==         suppressed: 0 bytes in 0 blocks
==15981== Reachable blocks (those to which a pointer was found) are not shown.
==15981== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==15981== 
==15981== For counts of detected and suppressed errors, rerun with: -v
==15981== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
---
Attached patch PatchSplinter Review 

        Attachment #8985424 -
        Flags: review?(andrebargull)

    
  
Assignee: nobody → jwalden+bmo
Status: NEW → ASSIGNED

    
  

        Attachment #8985424 -
        Flags: review?(andrebargull) → review+

    
    

    
  
Pushed by jwalden@mit.edu:
https://hg.mozilla.org/integration/mozilla-inbound/rev/a66a884fb46f
Don't leak in ReadGeckoProfilingStack if OOM occurs while creating a new string from a manually released UniquePtr.  r=anba

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/a66a884fb46f
Status: ASSIGNED → RESOLVED
Closed: 6 years ago

          status-firefox62:
          affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla62

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: