Bug 1467751 - Memory leak with OOM in ReadGeckoProfilingStack(JSContext*, unsigned int, JS::Value*)
Status: Closed (RESOLVED FIXED), target milestone mozilla62
Opened 6 years ago; closed 6 years ago
Categories: Core :: JavaScript Engine, defect
Tracking:
Tracking | Status | |
---|---|---|
firefox62 | --- | fixed |
People
(Reporter: anba, Assigned: Waldo)
Attachments (1 file)
1.55 KB, patch (anba: review+)
|NewString<CanGC>(...)| doesn't take ownership of the passed char* on OOM, which means releasing the UniquePtr in |inlineFrame.label.release()| can lead to a leak [1].

[1] https://searchfox.org/mozilla-central/rev/c621276fbdd9591f52009042d959b9e19b66d49f/js/src/builtin/TestingFunctions.cpp#2463-2464

Test case:
---
enableGeckoProfiling();

function f() {
  var q = 0;
  for (var i = 0; i < 10000; ++i) {
    q += String.fromCharCode(i & 0xff).length;
  }
  return q;
}

for (var i = 0; i < 2; ++i) f();

oomAtAllocation(17);
readGeckoProfilingStack();
---

Configure flags:
--enable-debug --disable-optimize --disable-tests --enable-valgrind --disable-jemalloc

Run with:
valgrind --tool=memcheck --leak-check=yes ~/hg/mozilla-inbound/js/src/build-valgrind-debug-obj/dist/bin/js --baseline-eager --no-threads --no-ion /tmp/t.js

Output:
---
==15981== Memcheck, a memory error detector
==15981== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==15981== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==15981== Command: /home/andre/hg/mozilla-inbound/js/src/build-valgrind-debug-obj/dist/bin/js --baseline-eager --no-threads --no-ion /tmp/t.js
==15981==
==15981== Warning: set address range perms: large range [0x39b802aff000, 0x39b842aff000) (noaccess)
uncaught exception: out of memory
(Unable to print stack trace)
==15981== Warning: set address range perms: large range [0x39b802aff000, 0x39b842aff000) (noaccess)
==15981==
==15981== HEAP SUMMARY:
==15981==     in use at exit: 72,789 bytes in 4 blocks
==15981==   total heap usage: 9,045 allocs, 9,041 frees, 8,448,319 bytes allocated
==15981==
==15981== 10 bytes in 1 blocks are definitely lost in loss record 1 of 4
==15981==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==15981==    by 0x492024: SystemMalloc::malloc(unsigned long) (malloc_decls.h:37)
==15981==    by 0x491F58: DummyArenaAllocator<SystemMalloc>::moz_arena_malloc(unsigned long, unsigned long) (malloc_decls.h:37)
==15981==    by 0x491E4C: moz_arena_malloc (malloc_decls.h:115)
==15981==    by 0x41E7D2: js_malloc(unsigned long) (Utility.h:387)
==15981==    by 0x429FC1: char* js_pod_malloc<char>(unsigned long) (Utility.h:584)
==15981==    by 0x489B23: char* js::MallocProvider<JSContext>::maybe_pod_malloc<char>(unsigned long) (MallocProvider.h:54)
==15981==    by 0x4899DE: char* js::MallocProvider<JSContext>::pod_malloc<char>(unsigned long) (MallocProvider.h:87)
==15981==    by 0xDF576A: mozilla::UniquePtr<char [], JS::FreePolicy> js::MallocProvider<JSContext>::make_pod_array<char>(unsigned long) (in /home/andre/hg/mozilla-inbound/js/src/build-valgrind-debug-obj/dist/bin/js)
==15981==    by 0xDEC956: js::DuplicateString(JSContext*, char const*) (Text.cpp:54)
==15981==    by 0xBDEEDF: ReadGeckoProfilingStack(JSContext*, unsigned int, JS::Value*) (TestingFunctions.cpp:2432)
==15981==    by 0x6720B3: js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (JSContext-inl.h:274)
==15981==
==15981== LEAK SUMMARY:
==15981==    definitely lost: 10 bytes in 1 blocks
==15981==    indirectly lost: 0 bytes in 0 blocks
==15981==      possibly lost: 0 bytes in 0 blocks
==15981==    still reachable: 72,779 bytes in 3 blocks
==15981==         suppressed: 0 bytes in 0 blocks
==15981== Reachable blocks (those to which a pointer was found) are not shown.
==15981== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==15981==
==15981== For counts of detected and suppressed errors, rerun with: -v
==15981== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
---
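As an added illustration of the ownership hazard the report describes (not code from the bug or from the landed patch): a hypothetical NewStringAdopt models NewString's contract of adopting the buffer only on success, and the two callers show the release()-before-success pattern that leaks beside one that hands over ownership only after the callee succeeds. The simulated-OOM switch, the live-buffer counter and the function names are constructed for the demonstration.

```cpp
#include <cstdlib>
#include <cstring>
#include <memory>

// Hypothetical model of the hazard in the report (not SpiderMonkey's own code).
static int gLiveBuffers = 0;       // char buffers currently allocated
static bool gSimulateOOM = false;  // make the next string allocation fail

struct BufferFree {
  void operator()(char* p) const { if (p) { --gLiveBuffers; std::free(p); } }
};
using UniqueChars = std::unique_ptr<char[], BufferFree>;
// Models js::DuplicateString: returns an owned copy of |s|, or null on OOM.
static UniqueChars DuplicateString(const char* s) {
  size_t n = std::strlen(s) + 1;
  char* p = static_cast<char*>(std::malloc(n));
  if (p) { ++gLiveBuffers; std::memcpy(p, s, n); }
  return UniqueChars(p);
}
// Models NewString: adopts |chars| on success; on OOM returns null and leaves
// |chars| untouched, still owned by the caller.
struct String { UniqueChars chars; size_t length; };
static String* NewStringAdopt(char* chars, size_t length) {
  if (gSimulateOOM) return nullptr;
  return new String{UniqueChars(chars), length};
}
// The pattern from the bug: release() before the callee has taken ownership.
static String* LabelToStringLeaky(const char* label) {
  UniqueChars copy = DuplicateString(label);
  if (!copy) return nullptr;
  return NewStringAdopt(copy.release(), std::strlen(label));  // leaks on OOM
}
// Hand over ownership only once the callee reports success.
static String* LabelToStringFixed(const char* label) {
  UniqueChars copy = DuplicateString(label);
  if (!copy) return nullptr;
  String* s = NewStringAdopt(copy.get(), std::strlen(label));
  if (!s) return nullptr;  // |copy| still owns the buffer and frees it here
  (void)copy.release();    // the string owns it from now on
  return s;
}

// Runs one variant under simulated OOM; returns how many buffers are still alive.
static int LeakedAfterOOM(bool fixed) {
  gLiveBuffers = 0;
  gSimulateOOM = true;
  delete (fixed ? LabelToStringFixed("f") : LabelToStringLeaky("f"));  // null here
  gSimulateOOM = false;
  return gLiveBuffers;  // 1 for the leaky variant, 0 for the fixed one
}
```

Running the leaky variant under a leak checker reports one definitely-lost block, exactly as in the valgrind output above; the fixed variant reports none.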
Comment 1 (Assignee, 6 years ago)
Attachment #8985424 - Flags: review?(andrebargull)
Updated 6 years ago (Assignee)
Assignee: nobody → jwalden+bmo
Status: NEW → ASSIGNED
Updated 6 years ago (Reporter)
Attachment #8985424 - Flags: review?(andrebargull) → review+
Pushed by jwalden@mit.edu:
https://hg.mozilla.org/integration/mozilla-inbound/rev/a66a884fb46f
Don't leak in ReadGeckoProfilingStack if OOM occurs while creating a new string from a manually released UniquePtr. r=anba
Comment 3 (bugherder, 6 years ago)
https://hg.mozilla.org/mozilla-central/rev/a66a884fb46f
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla62